// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.
// Modules loaded through require(); neither is resolved from the visible source,
// so they are presumably supplied by the host runtime (confirm).
// Note that the local `console` binding shadows any global of the same name.
var processor = require("processor");
var console = require("console");

// Holds the object returned by DeviceProcessor(). It is declared without a
// value and, in the visible code, only assigned inside register().
var device;
/**
 * Registration hook: builds the device processor and stores it in `device`.
 *
 * @param {*} params Configuration handed to the script. It is accepted but
 *     never read here, so nothing in the configuration changes how the
 *     chain is built.
 */
function register(params) {
  var built = new DeviceProcessor();
  device = built;
}
/**
 * Runs one event through the chain held in `device`.
 *
 * `device` stays undefined until register() has run, so calling this first
 * fails with a TypeError on the property access below.
 *
 * @param {*} evt Event to parse.
 * @returns {*} Whatever the chain's run function returns for this event.
 */
function process(evt) {
  var outcome = device.process(evt);
  return outcome;
}
/**
 * Assembles the processing chain: save_flags, then chain1, then restore_flags.
 *
 * register() calls this with `new`, but the function returns its own object
 * literal, so that literal (not a DeviceProcessor instance) is what callers get.
 *
 * @returns {{process: Function}} Object exposing the built chain's Run function.
 */
function DeviceProcessor() {
  var pipeline = new processor.Chain();
  // Order matters: the parsing chain sits between the two flag steps.
  pipeline.Add(save_flags);
  pipeline.Add(chain1);
  pipeline.Add(restore_flags);
  var compiled = pipeline.Build();
  // Run is handed out detached from `compiled`.
  // NOTE(review): assumes Run does not rely on `this`; confirm against the
  // "processor" module.
  return { process: compiled.Run };
}
// Lookup tables keyed by a "0"/"1" selector (the names suggest a traffic
// direction flag; confirm against the code that consumes them).
//
// NOTE(review): dup2455 and dup2456 are not defined anywhere above this point.
// If they are `var`s assigned further down the file, as the dupN numbering
// suggests, hoisting leaves them undefined while these literals are evaluated
// and both name tables would hold undefined entries. Confirm the definition
// order before relying on these two maps.

// Source-side name: "0" -> dup2456, "1" -> dup2455. No default entry.
var map_srcDirName = {
  keyvaluepairs: { "0": dup2456, "1": dup2455 },
};

// Destination-side name: the mirror image of map_srcDirName. No default entry.
var map_dstDirName = {
  keyvaluepairs: { "0": dup2455, "1": dup2456 },
};

// Selector -> constant "2" or "3"; any other selector yields "0".
var map_dir2SumType = {
  keyvaluepairs: { "0": constant("2"), "1": constant("3") },
  "default": constant("0"),
};

// Selector -> address field; falls back to the source address.
var map_dir2Address = {
  keyvaluepairs: { "0": field("saddr"), "1": field("daddr") },
  "default": field("saddr"),
};

// Selector -> port field; falls back to the source port.
var map_dir2Port = {
  keyvaluepairs: { "0": field("sport"), "1": field("dport") },
  "default": field("sport"),
};
// Shared parser fragments dup0..dup30. Each one is either
//   set_field(...)     - writes a constant into a field,
//   match(...)         - dissects one field with a tokenizer pattern, or
//   linear_select(...) - a list of alternative matches.
// set_field, match, linear_select and constant are defined outside this
// excerpt; the alternatives are presumably tried in the order listed (confirm).
//
// NOTE(review): some destinations below are "nwparser.nwparser.<name>" while
// others are "nwparser.<name>". The doubled prefix only appears on fragments
// that are not part of a multi-step match; it may be a generator artefact.
// Confirm which path the downstream mapping actually reads, otherwise
// eventcategory/msg_id1 can silently be missing from parsed events.

var dup0 = set_field({ dest: "nwparser.messageid", value: constant("CISCOASA_GENERIC") });
var dup1 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1801010100") });
var dup2 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("402102") });

// Group policy deletion: name, then type.
var dup3 = match({ dissect: { tokenizer: "Group policy deleted: name:%{p0}", field: "nwparser.payload" } });
var dup4 = linear_select([
  match({ dissect: { tokenizer: " '%{username}' %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{username} %{p1}", field: "nwparser.p0" } }),
]);
var dup5 = match({ dissect: { tokenizer: " Type:%{fld1}", field: "nwparser.p1" } });
var dup6 = set_field({ dest: "nwparser.eventcategory", value: constant("1502040000") });
var dup7 = set_field({ dest: "nwparser.msg_id1", value: constant("502112") });

// PPTP tunnel creation.
var dup8 = match({ dissect: { tokenizer: "PPTP Tunnel created, tunnel_id is %{fld1}, remote_peer_ip is %{saddr}, ppp_virtual_interface_id is %{fld2}, client_dynamic_ip is %{daddr}, username is %{p0}", field: "nwparser.payload" } });
var dup9 = match({ dissect: { tokenizer: ", MPPE_key_strength is %{fld3}", field: "nwparser.p1" } });
var dup10 = set_field({ dest: "nwparser.eventcategory", value: constant("1801020100") });
var dup11 = set_field({ dest: "nwparser.msg_id1", value: constant("603104") });

// Tunnel rejection for a group/user.
var dup12 = match({ dissect: { tokenizer: "Group = %{group}, Username = %{p0}", field: "nwparser.payload" } });
var dup13 = match({ dissect: { tokenizer: ", IP = %{saddr}, Tunnel Rejected: %{action}", field: "nwparser.p1" } });
var dup14 = set_field({ dest: "nwparser.eventcategory", value: constant("1605000000") });
var dup15 = set_field({ dest: "nwparser.msg_id1", value: constant("713060") });

var dup16 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1801000000") });
var dup17 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713121") });
var dup18 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1701020000") });
var dup19 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715058") });
var dup20 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1606000000") });
var dup21 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199009:01") });

// Device reload: who triggered it, from which process, and the stated reason.
var dup22 = match({ dissect: { tokenizer: "Reloaded at %{event_time_string} by %{p0}", field: "nwparser.payload" } });
var dup23 = match({ dissect: { tokenizer: " from %{process}. Reload reason: %{p2}", field: "nwparser.p1" } });
var dup24 = linear_select([
  match({ dissect: { tokenizer: " [%{result}] %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{result} %{p3}", field: "nwparser.p2" } }),
]);
var dup25 = set_field({ dest: "nwparser.eventcategory", value: constant("1606000000") });
var dup26 = set_field({ dest: "nwparser.msg_id1", value: constant("199009") });

var dup27 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1001030305") });
var dup28 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("415006") });
var dup29 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1605000000") });
var dup30 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("714001") });
// Shared parser fragments dup31..dup69 (set_field / match / linear_select are
// defined outside this excerpt).
//
// NOTE(review): destinations alternate between "nwparser.nwparser.<name>" and
// "nwparser.<name>"; confirm the doubled prefix is intended, since a wrong
// path would leave eventcategory/msg_id1 unset on the parsed event.

// Group / Username / IP prefix. The quoted-username form is listed before the
// bare form. In the bare form the username ends at the first ", IP = " text,
// so downstream rules should treat username and saddr from these messages as
// best-effort values rather than validated ones.
var dup31 = linear_select([
  match({ dissect: { tokenizer: " Group = %{group}, Username = '%{username}', IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Group = %{group}, Username = %{username}, IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Group = %{group}, IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
]);
var dup32 = match({ dissect: { tokenizer: ", %{action}: msg id = %{fld1}", field: "nwparser.p0" } });
var dup33 = set_field({ dest: "nwparser.eventcategory", value: constant("1801000000") });
var dup34 = set_field({ dest: "nwparser.msg_id1", value: constant("714005") });

var dup35 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715068") });
var dup36 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("113039") });
var dup37 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713273") });
var dup38 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713273:01") });
var dup39 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713273:02") });
var dup40 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("714004") });
var dup41 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1605020000") });
var dup42 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("714004:01") });
var dup43 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1805010000") });
var dup44 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("110001") });
var dup45 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1603000000") });
var dup46 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("751025") });
var dup47 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1603110000") });
var dup48 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105038") });
var dup49 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1805020000") });
var dup50 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("318008") });
var dup51 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("711001") });
var dup52 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713240") });

// Group / Username / bare-IP prefix followed by an "<action> history" record.
var dup53 = linear_select([
  match({ dissect: { tokenizer: " Group = %{group}, IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Username = %{username}, IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
]);
var dup54 = match({ dissect: { tokenizer: ", %{action} history (%{fld1})", field: "nwparser.p0" } });
var dup55 = set_field({ dest: "nwparser.eventcategory", value: constant("1801010100") });
var dup56 = set_field({ dest: "nwparser.msg_id1", value: constant("715065") });

var dup57 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718021") });
var dup58 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1701000000") });
var dup59 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("721003") });
var dup60 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("103003") });
var dup61 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1803000000") });
var dup62 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("429002") });

// SVC connection close: group, user, client IP, then the close reason.
// \u003c and \u003e are the escaped forms of "<" and ">".
var dup63 = match({ dissect: { tokenizer: "Group \u003c\u003c %{group} \u003e User %{p0}", field: "nwparser.payload" } });
var dup64 = linear_select([
  match({ dissect: { tokenizer: " \u003c\u003c%{username}\u003e %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " '%{username}' %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{username} %{p1}", field: "nwparser.p0" } }),
]);
var dup65 = match({ dissect: { tokenizer: " IP \u003c\u003c %{p2}", field: "nwparser.p1" } });
var dup66 = linear_select([
  match({ dissect: { tokenizer: " %{saddr} (%{fld1}) %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{saddr} %{p3}", field: "nwparser.p2" } }),
]);
var dup67 = match({ dissect: { tokenizer: " \u003e SVC closing connection: %{info}.", field: "nwparser.p3" } });
var dup68 = set_field({ dest: "nwparser.eventcategory", value: constant("1801030100") });
var dup69 = set_field({ dest: "nwparser.msg_id1", value: constant("722037") });
// Shared parser fragments dup70..dup98 (set_field / match / linear_select are
// defined outside this excerpt). Most of this range parses authentication
// failures: AAA rejects, wrong enable password, failed SSH session setup.
// These are the events brute-force and lockout detections are usually built
// on, so a fragment that stops matching removes that signal without an error.
//
// NOTE(review): destinations alternate between "nwparser.nwparser.<name>" and
// "nwparser.<name>"; confirm the doubled prefix is intended.

// AAA reject: "AAA user authentication|authorization Rejected : reason = ...
// : server = <ip> : user = <name> : user IP = <ip>", split into p0..p9 steps.
var dup70 = match({ dissect: { tokenizer: "AAA user %{p0}", field: "nwparser.payload" } });
var dup71 = linear_select([
  match({ dissect: { tokenizer: " authentication %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " authorization %{p1}", field: "nwparser.p0" } }),
]);
var dup72 = match({ dissect: { tokenizer: " Rejected : reason = %{result} : server = %{p2}", field: "nwparser.p1" } });
var dup73 = linear_select([
  match({ dissect: { tokenizer: " %{hostip} : %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{hostip}, %{p3}", field: "nwparser.p2" } }),
]);
var dup74 = match({ dissect: { tokenizer: " %{p4}", field: "nwparser.p3" } });
// Accepts both capitalisations of "user".
var dup75 = linear_select([
  match({ dissect: { tokenizer: " User %{p5}", field: "nwparser.p4" } }),
  match({ dissect: { tokenizer: " user %{p5}", field: "nwparser.p4" } }),
]);
var dup76 = match({ dissect: { tokenizer: " = %{p6}", field: "nwparser.p5" } });
// The username in a rejected login is presumably whatever the client typed.
var dup77 = linear_select([
  match({ dissect: { tokenizer: " '%{username}' %{p7}", field: "nwparser.p6" } }),
  match({ dissect: { tokenizer: " %{username} %{p7}", field: "nwparser.p6" } }),
]);
var dup78 = match({ dissect: { tokenizer: " : %{p8}", field: "nwparser.p7" } });
var dup79 = linear_select([
  match({ dissect: { tokenizer: "user IP%{p9}", field: "nwparser.p8" } }),
  match({ dissect: { tokenizer: "User IP%{p9}", field: "nwparser.p8" } }),
]);
var dup80 = match({ dissect: { tokenizer: " = %{saddr}", field: "nwparser.p9" } });
var dup81 = set_field({ dest: "nwparser.eventcategory", value: constant("1301000000") });
var dup82 = set_field({ dest: "nwparser.msg_id1", value: constant("113005:01") });
var dup83 = set_field({ dest: "nwparser.msg_id1", value: constant("113005") });

// AAA transaction status.
var dup84 = match({ dissect: { tokenizer: "AAA transaction status %{disposition} : user = %{p0}", field: "nwparser.payload" } });
var dup85 = set_field({ dest: "nwparser.eventcategory", value: constant("1401060000") });
var dup86 = set_field({ dest: "nwparser.msg_id1", value: constant("113008") });

// Console enable-password failures: attempt count and originating host.
var dup87 = linear_select([
  match({ dissect: { tokenizer: " FWSM console %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " PIX console %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Console %{p0}", field: "nwparser.payload" } }),
]);
var dup88 = match({ dissect: { tokenizer: " enable password incorrect for %{fld1} tries (from %{hostip})", field: "nwparser.p0" } });
var dup89 = set_field({ dest: "nwparser.eventcategory", value: constant("1401050200") });
var dup90 = set_field({ dest: "nwparser.msg_id1", value: constant("308001") });

// SSH session could not be established because host key retrieval failed.
var dup91 = match({ dissect: { tokenizer: "Fail to establish SSH session because%{p0}", field: "nwparser.payload" } });
var dup92 = linear_select([
  match({ dissect: { tokenizer: " PIX RSA host key retrieval failed.%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{space}RSA host key retrieval failed.%{p1}", field: "nwparser.p0" } }),
]);
var dup93 = set_field({ dest: "nwparser.eventcategory", value: constant("1603000000") });
var dup94 = set_field({ dest: "nwparser.msg_id1", value: constant("315004") });

var dup95 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("338308") });
var dup96 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713905:04") });
var dup97 = match({ dissect: { tokenizer: ", IP = %{saddr}, %{event_description}", field: "nwparser.p1" } });
var dup98 = set_field({ dest: "nwparser.msg_id1", value: constant("713905") });
// Shared parser fragments dup99..dup143 (set_field / match / linear_select are
// defined outside this excerpt).
//
// NOTE(review): destinations alternate between "nwparser.nwparser.<name>" and
// "nwparser.<name>"; confirm the doubled prefix is intended.

// Generic "Group = ..., IP = ..., <description>" events.
var dup99 = linear_select([
  match({ dissect: { tokenizer: " Group = %{group}, IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
]);
var dup100 = match({ dissect: { tokenizer: ", %{p1}", field: "nwparser.p0" } });
var dup101 = linear_select([
  match({ dissect: { tokenizer: "%{event_description} from %{fld1} port %{sport} to %{daddr} port %{dport} %{p2}", field: "nwparser.p1" } }),
  match({ dissect: { tokenizer: " %{event_description}%{p2}", field: "nwparser.p1" } }),
]);
var dup102 = set_field({ dest: "nwparser.msg_id1", value: constant("713905:01") });
var dup103 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713905:02") });
var dup104 = match({ dissect: { tokenizer: "Username = %{p0}", field: "nwparser.payload" } });
var dup105 = set_field({ dest: "nwparser.msg_id1", value: constant("713905:03") });
var dup106 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1613030100") });
var dup107 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717004") });

// Authentication start for a user, with both endpoints.
var dup108 = match({ dissect: { tokenizer: "Auth start for user %{p0}", field: "nwparser.payload" } });
var dup109 = match({ dissect: { tokenizer: " from %{saddr}/%{sport} to %{daddr}/%{dport}", field: "nwparser.p1" } });
var dup110 = set_field({ dest: "nwparser.eventcategory", value: constant("1304000000") });
var dup111 = set_field({ dest: "nwparser.msg_id1", value: constant("109001") });
var dup112 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199003") });

// Local account creation.
// Security note: dup114 copies the text after "Encpass:" into the generic
// field fld2, so the account's encrypted password string travels with the
// parsed event. Treat fld2 from this message as sensitive: drop or redact it
// before indexing, or restrict who can read it.
var dup113 = match({ dissect: { tokenizer: "New user added to local dbase: Uname: %{p0}", field: "nwparser.payload" } });
var dup114 = match({ dissect: { tokenizer: " Priv: %{fld1} Encpass: %{fld2}", field: "nwparser.p1" } });
var dup115 = set_field({ dest: "nwparser.eventcategory", value: constant("1402020200") });
var dup116 = set_field({ dest: "nwparser.msg_id1", value: constant("502101") });

var dup117 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717047") });
var dup118 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109022") });
var dup119 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("305009") });
var dup120 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("332004") });
var dup121 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1501000000") });
var dup122 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("611303") });

// "Mate ... has a ..." messages.
// NOTE(review): the first alternative of dup124 is "Matehas a" with no space
// between the two words; this looks like a generator artefact. Verify against
// sample log lines.
var dup123 = linear_select([
  match({ dissect: { tokenizer: "Mate%{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: "%{info} %{p0}", field: "nwparser.payload" } }),
]);
var dup124 = linear_select([
  match({ dissect: { tokenizer: "Matehas a %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{space}has a %{p1}", field: "nwparser.p0" } }),
]);
var dup125 = set_field({ dest: "nwparser.eventcategory", value: constant("1603010000") });
var dup126 = set_field({ dest: "nwparser.msg_id1", value: constant("105047") });

// Java applet start for a group/user. \u003c and \u003e are "<" and ">".
var dup127 = match({ dissect: { tokenizer: "Group \u003c\u003c%{group}\u003e User %{p0}", field: "nwparser.payload" } });
var dup128 = match({ dissect: { tokenizer: " IP \u003c\u003c%{saddr}\u003e %{network_service} Java applet started. %{info}.", field: "nwparser.p1" } });
var dup129 = set_field({ dest: "nwparser.msg_id1", value: constant("716043") });

var dup130 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720040") });
var dup131 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1604000000") });
var dup132 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("721002") });
var dup133 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("104003") });
var dup134 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("746006") });
var dup135 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1501020000") });
var dup136 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("731001") });
var dup137 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1002000000") });
var dup138 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("404102") });

// PDM / ASDM management session start: session number and originating host.
var dup139 = linear_select([
  match({ dissect: { tokenizer: " PDM %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " ASDM %{p0}", field: "nwparser.payload" } }),
]);
var dup140 = match({ dissect: { tokenizer: " session number %{sessionid} from %{hostip} started", field: "nwparser.p0" } });
var dup141 = set_field({ dest: "nwparser.eventcategory", value: constant("1401050100") });
var dup142 = set_field({ dest: "nwparser.msg_id1", value: constant("606001") });
var dup143 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("613003") });
// Shared parser fragments dup144..dup172 (set_field / match / linear_select
// are defined outside this excerpt).
//
// NOTE(review): destinations alternate between "nwparser.nwparser.<name>" and
// "nwparser.<name>"; confirm the doubled prefix is intended.

// IKE initiator events prefixed with Group / Username / IP.
var dup144 = linear_select([
  match({ dissect: { tokenizer: " Group = %{group}, IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Username = '%{username}', IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Username = %{username}, IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
]);
var dup145 = match({ dissect: { tokenizer: ", IKE Initiator: %{p1}", field: "nwparser.p0" } });
var dup146 = linear_select([
  match({ dissect: { tokenizer: " Rekeying %{p2}", field: "nwparser.p1" } }),
  match({ dissect: { tokenizer: " New %{p2}", field: "nwparser.p1" } }),
]);
var dup147 = match({ dissect: { tokenizer: " Phase %{p3}", field: "nwparser.p2" } });
var dup148 = linear_select([
  match({ dissect: { tokenizer: " 1 %{p4}", field: "nwparser.p3" } }),
  match({ dissect: { tokenizer: " 2 %{p4}", field: "nwparser.p3" } }),
]);
var dup149 = match({ dissect: { tokenizer: ", Intf %{fld1}, IKE Peer %{fld2} %{info}", field: "nwparser.p4" } });
var dup150 = set_field({ dest: "nwparser.msg_id1", value: constant("713041") });

// Same event without the Group / Username / IP prefix (phase 2 only).
var dup151 = match({ dissect: { tokenizer: "IKE Initiator: %{p0}", field: "nwparser.payload" } });
var dup152 = linear_select([
  match({ dissect: { tokenizer: " Rekeying %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " New %{p1}", field: "nwparser.p0" } }),
]);
var dup153 = match({ dissect: { tokenizer: " Phase 2, Intf %{fld1}, IKE Peer %{fld2} %{info}", field: "nwparser.p1" } });
var dup154 = set_field({ dest: "nwparser.msg_id1", value: constant("713041:01") });
var dup155 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718046") });

// Address added to the standby unit, with or without a session id.
var dup156 = match({ dissect: { tokenizer: "%{process}:%{p0}", field: "nwparser.payload" } });
var dup157 = linear_select([
  match({ dissect: { tokenizer: " Session=%{sessionid}, Added %{hostip} to standby %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " Added %{hostip} to standby %{p1}", field: "nwparser.p0" } }),
]);
var dup158 = set_field({ dest: "nwparser.msg_id1", value: constant("737029") });

// AAA success: authentication, authorization or accounting.
var dup159 = linear_select([
  match({ dissect: { tokenizer: " authentication %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " authorization %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " accounting %{p1}", field: "nwparser.p0" } }),
]);
var dup160 = match({ dissect: { tokenizer: " Successful : server = %{hostip} : user = %{p2}", field: "nwparser.p1" } });
var dup161 = linear_select([
  match({ dissect: { tokenizer: " '%{username}' %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{username} %{p3}", field: "nwparser.p2" } }),
]);
var dup162 = set_field({ dest: "nwparser.msg_id1", value: constant("113004") });

var dup163 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("324001") });
var dup164 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403501") });
var dup165 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713177") });
var dup166 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1401050100") });
var dup167 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("309002") });
var dup168 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1001020100") });
var dup169 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400015") });
var dup170 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1002020000") });
var dup171 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400031") });
var dup172 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("733103") });
// Shared parser fragments dup173..dup200 (set_field / match / linear_select
// are defined outside this excerpt).
//
// NOTE(review): destinations alternate between "nwparser.nwparser.<name>" and
// "nwparser.<name>"; confirm the doubled prefix is intended.

// URL access by an identified user: "<user>@<ip> Accessed [JAVA ]URL <dst>: <url>".
var dup173 = linear_select([
  match({ dissect: { tokenizer: " '%{username}' %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " %{username} %{p0}", field: "nwparser.payload" } }),
]);
var dup174 = match({ dissect: { tokenizer: "@%{saddr} Accessed %{p1}", field: "nwparser.p0" } });
var dup175 = linear_select([
  match({ dissect: { tokenizer: " JAVA URL %{p2}", field: "nwparser.p1" } }),
  match({ dissect: { tokenizer: " URL %{p2}", field: "nwparser.p1" } }),
]);
var dup176 = match({ dissect: { tokenizer: " %{daddr}: %{url}", field: "nwparser.p2" } });
var dup177 = set_field({ dest: "nwparser.eventcategory", value: constant("1204010000") });
var dup178 = set_field({ dest: "nwparser.msg_id1", value: constant("304001") });

// Same event without a username in front of the source address.
var dup179 = match({ dissect: { tokenizer: "%{saddr} Accessed %{p0}", field: "nwparser.payload" } });
var dup180 = linear_select([
  match({ dissect: { tokenizer: " JAVA URL %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " URL %{p1}", field: "nwparser.p0" } }),
]);
var dup181 = match({ dissect: { tokenizer: " %{daddr}: %{url}", field: "nwparser.p1" } });
var dup182 = set_field({ dest: "nwparser.msg_id1", value: constant("304001:01") });

var dup183 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1303000000") });
var dup184 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109021") });

// Permitted login. The username may arrive in angle brackets, double quotes,
// single quotes or bare; the delimited forms are listed before the bare one.
var dup185 = match({ dissect: { tokenizer: "Login permitted from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{service} for user %{p0}", field: "nwparser.payload" } });
var dup186 = linear_select([
  match({ dissect: { tokenizer: " \u003c\u003c%{username}\u003e %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " \"%{username}\" %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " '%{username}' %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{username} %{p1}", field: "nwparser.p0" } }),
]);
var dup187 = set_field({ dest: "nwparser.msg_id1", value: constant("605005") });
var dup188 = match({ dissect: { tokenizer: "%{result} for user %{p0}", field: "nwparser.payload" } });
var dup189 = set_field({ dest: "nwparser.msg_id1", value: constant("605005:01") });

// PDP context removal.
var dup190 = match({ dissect: { tokenizer: "Removing v1 %{p0}", field: "nwparser.payload" } });
var dup191 = linear_select([
  match({ dissect: { tokenizer: " primary %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " secondary %{p1}", field: "nwparser.p0" } }),
]);
var dup192 = match({ dissect: { tokenizer: " PDP Context with TID %{fld1} from GGSN %{fld2} and SGSN %{fld3}, Reason: %{event_description}", field: "nwparser.p1" } });
var dup193 = set_field({ dest: "nwparser.eventcategory", value: constant("1701000000") });
var dup194 = set_field({ dest: "nwparser.msg_id1", value: constant("617002") });

var dup195 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("617002:01") });
var dup196 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715050") });
var dup197 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737019") });
var dup198 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737019:01") });
var dup199 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1207010200") });
var dup200 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("108003") });
var dup201 = match({ | |
dissect: { | |
tokenizer: "Terminating %{network_service} connection; malicious pattern detected in the %{space} mail address from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}. %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup202 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Mail Address %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Data %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup203 = match({ | |
dissect: { | |
tokenizer: " :%{result}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup204 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1207010200"), | |
}); | |
var dup205 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("108003:01"), | |
}); | |
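// Steps for the "<service>: An <direction> SA (SPI= ...) between <saddr> and
// <daddr> ..." message, defined next to the 602304 id (dup210), preceded by
// the id step for 108006. Helpers (set_field, match, linear_select, constant)
// are defined elsewhere in this file.
// NOTE(review): dup206 writes to "nwparser.nwparser.msg_id1" while dup210
// writes to "nwparser.msg_id1"; confirm which key is intended.
var dup206 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("108006") });
var dup207 = match({
  dissect: {
    tokenizer: "%{service}: An %{direction} SA (SPI= %{fld1}) between %{saddr} and %{daddr} %{p0}",
    field: "nwparser.payload",
  },
});
// User name variants, listed from the most specific wrapper to a bare token.
// NOTE(review): presumably linear_select tries the alternatives in array order
// and keeps the first that matches. If so, the order is load-bearing: moving
// the bare " %{username} " pattern up would capture the brackets or quotes as
// part of the user name. The bare pattern also ends the name at the first
// space, so a name containing a space is truncated and the rest lands in p1.
var dup208 = linear_select([
  match({ dissect: { tokenizer: " (user=%{username}) %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " (%{username}) %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " '%{username}' %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{username} %{p1}", field: "nwparser.p0" } }),
]);
var dup209 = match({
  dissect: { tokenizer: " %{action}", field: "nwparser.p1" },
});
var dup210 = set_field({ dest: "nwparser.msg_id1", value: constant("602304") });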
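// Id steps for 105020 and 602102, then the tail of a "..., IP = <saddr> , ..."
// message defined next to category 1613040200 and id 713075. Helpers
// (set_field, match, linear_select, constant) are defined elsewhere in this
// file.
// NOTE(review): dup211 and dup212 use the doubled "nwparser.nwparser." prefix,
// dup215 and dup216 do not; confirm which key later stages read.
var dup211 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105020") });
var dup212 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("602102") });
// Reads p1, which is produced by a step outside this run.
var dup213 = match({
  dissect: { tokenizer: ", IP = %{saddr} , %{p2}", field: "nwparser.p1" },
});
// First alternative also extracts the two duration values; the second is the
// catch-all.
// NOTE(review): the catch-all has two captures with no literal between them
// ("%{event_description}%{p3}"). How the text is divided depends on the match
// helper; confirm event_description is actually populated on that path.
var dup214 = linear_select([
  match({
    dissect: {
      tokenizer: "%{event_description} duration from %{fld1} to %{fld2} seconds%{p3}",
      field: "nwparser.p2",
    },
  }),
  match({ dissect: { tokenizer: "%{event_description}%{p3}", field: "nwparser.p2" } }),
]);
var dup215 = set_field({ dest: "nwparser.eventcategory", value: constant("1613040200") });
var dup216 = set_field({ dest: "nwparser.msg_id1", value: constant("713075") });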
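// Steps for the "Group = <group>, IP = <saddr> ,..." message, defined next to
// the 713075:01 id (dup219). Helpers (match, linear_select, set_field,
// constant) are defined elsewhere in this file.
var dup217 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr} ,%{p0}",
    field: "nwparser.payload",
  },
});
// First alternative also extracts the "from ... to ... seconds" values; the
// second is the catch-all.
// NOTE(review): the catch-all has two captures with no literal between them;
// confirm with the match helper that event_description is populated there.
var dup218 = linear_select([
  match({
    dissect: {
      tokenizer: "%{event_description} from %{fld1} to %{fld2} seconds %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({ dissect: { tokenizer: "%{event_description}%{p1}", field: "nwparser.p0" } }),
]);
var dup219 = set_field({ dest: "nwparser.msg_id1", value: constant("713075:01") });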
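// Category and id steps (1304000000 / 717025, 1801020000 / 722034) followed by
// the tail of a "... Received large packet ..." message defined next to the
// 722035 id. Helpers (set_field, match, linear_select, constant) are defined
// elsewhere in this file.
// NOTE(review): dup220 to dup223 use the doubled "nwparser.nwparser." prefix
// while dup226 uses "nwparser.msg_id1"; confirm which key is intended.
var dup220 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1304000000") });
var dup221 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717025") });
var dup222 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1801020000") });
var dup223 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("722034") });
// Source address with or without a bracketed second value, closed by ">"
// (written as \u003e in the tokenizer). The bracketed form is listed first.
var dup224 = linear_select([
  match({ dissect: { tokenizer: " %{saddr} (%{fld1})\u003e %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{saddr}\u003e %{p3}", field: "nwparser.p2" } }),
]);
var dup225 = match({
  dissect: {
    tokenizer: " Received large packet %{bytes} (%{info}).",
    field: "nwparser.p3",
  },
});
var dup226 = set_field({ dest: "nwparser.msg_id1", value: constant("722035") });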
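// Category and id steps for several messages, plus the prefix match for
// "New group policy added: name:..." defined next to category 1502030000 and
// id 502111. Helpers (set_field, match, constant) are defined elsewhere in
// this file.
// NOTE(review): all steps here except dup235 and dup236 use the doubled
// "nwparser.nwparser." prefix; confirm which key later stages read, since a
// misplaced id or category cannot be filtered on.
var dup227 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1001030200") });
var dup228 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("406002") });
var dup229 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("620002:01") });
var dup230 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("620002") });
var dup231 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("752015") });
var dup232 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1701070000") });
var dup233 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("611319") });
// Only the fixed prefix is matched here; the policy name stays in p0 for a
// later step that is not part of this run.
var dup234 = match({
  dissect: {
    tokenizer: "New group policy added: name:%{p0}",
    field: "nwparser.payload",
  },
});
var dup235 = set_field({ dest: "nwparser.eventcategory", value: constant("1502030000") });
var dup236 = set_field({ dest: "nwparser.msg_id1", value: constant("502111") });
var dup237 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("611322") });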
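// Steps for a "<process>: [Session=<id>,] Freeing DHCP address <hostip>"
// message, defined next to the 737015 id (dup241). Helpers (match,
// linear_select, set_field, constant) are defined elsewhere in this file.
var dup238 = match({
  dissect: { tokenizer: "%{process}: %{p0}", field: "nwparser.payload" },
});
// The session id is optional; the variant that captures it is listed first.
// NOTE(review): the second alternative starts with a space although dup238
// already consumes the space after ":". Whether it can match depends on how
// match treats leading whitespace; verify with a sample line.
var dup239 = linear_select([
  match({ dissect: { tokenizer: "Session=%{sessionid}, Freeing%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " Freeing%{p1}", field: "nwparser.p0" } }),
]);
var dup240 = match({
  dissect: { tokenizer: " DHCP address %{hostip}", field: "nwparser.p1" },
});
var dup241 = set_field({ dest: "nwparser.msg_id1", value: constant("737015") });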
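// Reusable id and category steps. set_field and constant are helpers defined
// elsewhere in this file.
// NOTE(review): every dest here uses the doubled "nwparser.nwparser." prefix,
// unlike e.g. dup241 in this file, which writes "nwparser.msg_id1". Confirm
// which key is intended before relying on msg_id1 in filters or alerts.
var dup242 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400001") });
var dup243 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1603020000") });
var dup244 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("210022") });
var dup245 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("415001") });
var dup246 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("506001") });
var dup247 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720021") });
var dup248 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201001") });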
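// Steps for the "Dynamic Filter dropped blacklisted ... traffic" message,
// defined next to the 338008 id (dup252). Helpers (match, linear_select,
// set_field, constant) are defined elsewhere in this file.
var dup249 = match({
  dissect: { tokenizer: "Dynamic %{p0}", field: "nwparser.payload" },
});
// Accepts either capitalisation of "Filter".
// NOTE(review): both alternatives start with a space although dup249 already
// consumes the space after "Dynamic"; verify against a sample line that they
// can match.
var dup250 = linear_select([
  match({ dissect: { tokenizer: " Filter %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " filter %{p1}", field: "nwparser.p0" } }),
]);
// Extracts both endpoints with their translated address/port pairs, the
// resolved destination, the matching list entry, and the threat level and
// category reported by the device (stored as severity and result).
var dup251 = match({
  dissect: {
    tokenizer: " dropped blacklisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), destination %{fld1} resolved from %{fld2} list:%{fld3}/%{mask} threat-level: %{severity}, category: %{result}",
    field: "nwparser.p1",
  },
});
var dup252 = set_field({ dest: "nwparser.msg_id1", value: constant("338008") });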
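// Reusable id and category steps. set_field and constant are helpers defined
// elsewhere in this file.
// NOTE(review): every dest here uses the doubled "nwparser.nwparser." prefix,
// unlike e.g. dup252 in this file, which writes "nwparser.msg_id1". If the
// doubling is a generator artifact, these ids and categories end up under a
// key that nothing reads; confirm before building detections on them.
var dup253 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1001030300") });
var dup254 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("405002") });
var dup255 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("444102") });
var dup256 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1501040000") });
var dup257 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109024") });
var dup258 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1803010000") });
var dup259 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106016") });
var dup260 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106016:01") });
var dup261 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1607000000") });
var dup262 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("338310") });
var dup263 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720046") });
var dup264 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737003:01") });
var dup265 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737003") });
var dup266 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737026") });
var dup267 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737026:01") });
var dup268 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1702030000") });
var dup269 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105040") });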
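// Steps for the "Authentication failed for admin user ..." message, defined
// next to the 109033:01 and 109033 ids, followed by the id step for 720063.
// Helpers (match, linear_select, set_field, constant) are defined elsewhere in
// this file.
//
// dup270 matches only the fixed prefix. The user name stays in p0, and the
// step that turns p0 into p1 is not part of this run.
// NOTE(review): the name after "admin user" is supplied by whoever attempted
// the login, so treat the extracted value as untrusted text downstream.
var dup270 = match({
  dissect: {
    tokenizer: "Authentication failed for admin user %{p0}",
    field: "nwparser.payload",
  },
});
// Long form: source address plus the "Interactive challenge processing"
// explanation.
var dup271 = match({
  dissect: {
    tokenizer: " from %{saddr}. Interactive challenge processing is not supported for %{p2}",
    field: "nwparser.p1",
  },
});
var dup272 = linear_select([
  match({ dissect: { tokenizer: " administrative %{protocol} %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{protocol} %{info} %{p3}", field: "nwparser.p2" } }),
]);
// "%{}" is an unnamed capture: the trailing text is matched, not stored.
var dup273 = match({
  dissect: { tokenizer: " connections%{}", field: "nwparser.p3" },
});
var dup274 = set_field({ dest: "nwparser.msg_id1", value: constant("109033:01") });
// Short form: source address only.
var dup275 = match({
  dissect: { tokenizer: " from %{saddr}.", field: "nwparser.p1" },
});
var dup276 = set_field({ dest: "nwparser.msg_id1", value: constant("109033") });
// NOTE(review): doubled "nwparser.nwparser." prefix, unlike dup274 and dup276;
// confirm the intended key.
var dup277 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720063") });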
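// Steps for the "access-list <listnum> denied|permitted ..." messages, defined
// next to the 106102:02, 106102:01 and 106102 ids. The payload is consumed
// piece by piece through p0 to p5. Helpers (match, linear_select, set_field,
// constant) are defined elsewhere in this file.
var dup278 = match({
  dissect: {
    tokenizer: "access-list %{listnum} denied %{p0}",
    field: "nwparser.payload",
  },
});
// Protocol, optionally followed by "for user '<name>'". The variant that
// captures the user name is listed first.
// NOTE(review): presumably the first matching alternative wins; if so, the
// order here decides whether username is extracted at all.
var dup279 = linear_select([
  match({ dissect: { tokenizer: "%{protocol} for user '%{username}' %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{protocol} %{p1}", field: "nwparser.p0" } }),
]);
var dup280 = match({
  dissect: { tokenizer: "%{sinterface}/%{p2}", field: "nwparser.p1" },
});
// Source address and port, either "addr(port) ->" or "addr port"
// ("->" is written as -\u003e in the tokenizer).
var dup281 = linear_select([
  match({ dissect: { tokenizer: "%{saddr}(%{sport}) -\u003e %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: "%{saddr} %{sport} %{p3}", field: "nwparser.p2" } }),
]);
var dup282 = match({
  dissect: { tokenizer: "%{dinterface}/%{p4}", field: "nwparser.p3" },
});
// Destination address and port in the same two notations, up to "hit-cnt".
var dup283 = linear_select([
  match({ dissect: { tokenizer: "%{daddr}(%{dport}) hit-cnt %{p5}", field: "nwparser.p4" } }),
  match({ dissect: { tokenizer: "%{daddr} %{dport} hit-cnt %{p5}", field: "nwparser.p4" } }),
]);
// Hit counter followed by free text.
var dup284 = match({
  dissect: { tokenizer: "%{dclass_counter1} %{info}", field: "nwparser.p5" },
});
var dup285 = set_field({ dest: "nwparser.eventcategory", value: constant("1803000000") });
var dup286 = set_field({ dest: "nwparser.msg_id1", value: constant("106102:02") });
var dup287 = match({
  dissect: {
    tokenizer: "access-list %{listnum} permitted %{p0}",
    field: "nwparser.payload",
  },
});
var dup288 = set_field({ dest: "nwparser.eventcategory", value: constant("1801020000") });
var dup289 = set_field({ dest: "nwparser.msg_id1", value: constant("106102:01") });
// NOTE(review): doubled "nwparser.nwparser." prefix, unlike dup286 and dup289;
// confirm the intended key.
var dup290 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106102") });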
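// Steps for the "AAA group policy for user ... is being set to ..." message,
// defined next to the 113003 id (dup294), followed by id steps for other
// messages. Helpers (match, linear_select, set_field, constant) are defined
// elsewhere in this file.
//
// dup291 matches only the fixed prefix; the user name stays in p0 and the step
// that produces p1 is not part of this run.
var dup291 = match({
  dissect: {
    tokenizer: "AAA group policy for user %{p0}",
    field: "nwparser.payload",
  },
});
var dup292 = match({
  dissect: { tokenizer: " is being set to %{p2}", field: "nwparser.p1" },
});
// Policy name terminated by ". " or by a plain space; the dotted form is
// listed first.
// NOTE(review): presumably the first matching alternative wins. The plain
// form ends the name at the first space, so a policy name containing a space
// would be truncated.
var dup293 = linear_select([
  match({ dissect: { tokenizer: " %{policyname}. %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{policyname} %{p3}", field: "nwparser.p2" } }),
]);
var dup294 = set_field({ dest: "nwparser.msg_id1", value: constant("113003") });
// NOTE(review): the remaining id steps use the doubled "nwparser.nwparser."
// prefix, unlike dup294; confirm which key later stages read.
var dup295 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("709006") });
var dup296 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("725011") });
var dup297 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105034") });
var dup298 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105034:01") });
var dup299 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("305004") });
var dup300 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("311004") });
var dup301 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400020") });
var dup302 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718005") });
var dup303 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("750007") });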
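// Steps for the "Rebuilt <protocol> connection ..." and "Rebuild connection
// for ..." messages, defined next to the 302009:01 and 302009 ids. The
// foreign, global and local address/port pairs are consumed in turn through
// p0 to p5; each keyword has a short and a long spelling. Helpers (match,
// linear_select, set_field, constant) are defined elsewhere in this file.
var dup304 = match({
  dissect: {
    tokenizer: "Rebuilt %{protocol} connection %{connectionid} for %{p0}",
    field: "nwparser.payload",
  },
});
var dup305 = linear_select([
  match({ dissect: { tokenizer: " faddr %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " foreign_address %{p1}", field: "nwparser.p0" } }),
]);
// Foreign address/port is stored as saddr/sport.
var dup306 = match({
  dissect: { tokenizer: " %{saddr}/%{sport} %{p2}", field: "nwparser.p1" },
});
var dup307 = linear_select([
  match({ dissect: { tokenizer: " gaddr %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " global_address %{p3}", field: "nwparser.p2" } }),
]);
// Global address/port is stored as hostip/network_port.
var dup308 = match({
  dissect: { tokenizer: " %{hostip}/%{network_port} %{p4}", field: "nwparser.p3" },
});
var dup309 = linear_select([
  match({ dissect: { tokenizer: " laddr %{p5}", field: "nwparser.p4" } }),
  match({ dissect: { tokenizer: " local_address %{p5}", field: "nwparser.p4" } }),
]);
// Local address/port is stored as daddr/dport.
var dup310 = match({
  dissect: { tokenizer: " %{daddr}/%{dport}", field: "nwparser.p5" },
});
var dup311 = set_field({ dest: "nwparser.msg_id1", value: constant("302009:01") });
var dup312 = match({
  dissect: { tokenizer: "Rebuild connection for %{p0}", field: "nwparser.payload" },
});
var dup313 = set_field({ dest: "nwparser.msg_id1", value: constant("302009") });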
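// Steps for two messages: "Received|Receive invalid packet: ..." (defined next
// to category 1703000000 and id 409003) and "Adding|Removing tracked route
// ..." (defined next to id 622001). Helpers (match, linear_select, set_field,
// constant) are defined elsewhere in this file.
//
// NOTE(review): the alternatives in dup314 and dup318 are applied to the
// payload and begin with a space. Check against a sample line whether the
// payload really starts with a space at this point; if it does not and match
// is whitespace-exact, these messages fall through unparsed.
var dup314 = linear_select([
  match({ dissect: { tokenizer: " Received %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Receive %{p0}", field: "nwparser.payload" } }),
]);
var dup315 = match({
  dissect: {
    tokenizer: " invalid packet: %{result} from %{saddr}, %{interface}",
    field: "nwparser.p0",
  },
});
var dup316 = set_field({ dest: "nwparser.eventcategory", value: constant("1703000000") });
var dup317 = set_field({ dest: "nwparser.msg_id1", value: constant("409003") });
// The verb (Adding/Removing) is matched as a literal and not stored in a
// field by these steps.
var dup318 = linear_select([
  match({ dissect: { tokenizer: " Adding %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Removing %{p0}", field: "nwparser.payload" } }),
]);
var dup319 = match({
  dissect: {
    tokenizer: " tracked route %{info}, distance %{dclass_counter1}, table %{filename}, on interface %{interface}",
    field: "nwparser.p0",
  },
});
var dup320 = set_field({ dest: "nwparser.msg_id1", value: constant("622001") });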
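// Steps for "Group = ..., Username = ..., IP = ..." style messages (defined
// next to ids 715049:01 and 715049) and for a certificate message (defined
// next to category 1613030100 and id 717009). Helpers (match, linear_select,
// set_field, constant) are defined elsewhere in this file.
//
// Each select lists the variant with the most fields first.
// NOTE(review): presumably the first matching alternative wins.
var dup321 = linear_select([
  match({
    dissect: {
      tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({
    dissect: {
      tokenizer: "Username = %{username}, IP = %{saddr}, %{p0}",
      field: "nwparser.payload",
    },
  }),
]);
var dup322 = match({
  dissect: { tokenizer: " %{event_description}", field: "nwparser.p0" },
});
var dup323 = set_field({ dest: "nwparser.msg_id1", value: constant("715049:01") });
var dup324 = linear_select([
  match({ dissect: { tokenizer: " Group = %{group}, IP = %{saddr}, %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " IP = %{saddr}, %{p0}", field: "nwparser.payload" } }),
]);
var dup325 = set_field({ dest: "nwparser.msg_id1", value: constant("715049") });
// Certificate details: serial number, subject and issuer.
// NOTE(review): subject and issuer are split on the literal ", subject name: "
// and ", issuer name: " markers. These values come from the presented
// certificate, so they are peer-supplied text; a subject that itself contains
// a marker would shift the field boundaries. The catch-all alternative has
// two captures with no literal between them; confirm with the match helper
// that event_description is populated on that path.
var dup326 = linear_select([
  match({
    dissect: {
      tokenizer: "%{event_description} serial number: %{serial_number}, subject name: %{cert_subject}, issuer name: %{dn}%{p0}",
      field: "nwparser.payload",
    },
  }),
  match({ dissect: { tokenizer: " %{event_description}%{p0}", field: "nwparser.payload" } }),
]);
var dup327 = set_field({ dest: "nwparser.eventcategory", value: constant("1613030100") });
var dup328 = set_field({ dest: "nwparser.msg_id1", value: constant("717009") });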
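// Steps for "IKEv1|IKEv2 was successful at setting up a tunnel ..." (defined
// next to id 752016) and "Auth [from] ... failed (server ... failed) ..."
// (defined next to category 1303000000 and id 109002). Helpers (match,
// linear_select, set_field, constant) are defined elsewhere in this file.
//
// The IKE version is matched as a literal and not stored in any field by
// these steps.
var dup329 = linear_select([
  match({ dissect: { tokenizer: "IKEv1%{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: "IKEv2%{p0}", field: "nwparser.payload" } }),
]);
var dup330 = match({
  dissect: {
    tokenizer: " was successful at setting up a tunnel. Map Tag = %{fld1}. Map Sequence Number = %{fld2}.",
    field: "nwparser.p0",
  },
});
var dup331 = set_field({ dest: "nwparser.msg_id1", value: constant("752016") });
// " Auth from " is listed before " Auth ".
// NOTE(review): presumably the first matching alternative wins. If the order
// were swapped, the shorter pattern would also accept " Auth from ..." and
// leave "from " at the start of p0, which dup333 does not expect.
var dup332 = linear_select([
  match({ dissect: { tokenizer: " Auth from %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Auth %{p0}", field: "nwparser.payload" } }),
]);
// Endpoints of the failed authentication plus the AAA server that failed
// (stored as hostip).
var dup333 = match({
  dissect: {
    tokenizer: " %{saddr}/%{sport} to %{daddr}/%{dport} failed (server %{hostip} failed) on interface %{sinterface}",
    field: "nwparser.p0",
  },
});
var dup334 = set_field({ dest: "nwparser.eventcategory", value: constant("1303000000") });
var dup335 = set_field({ dest: "nwparser.msg_id1", value: constant("109002") });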
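// Reusable id and category steps, plus one trailing ", <action>" match
// defined next to the 715063 id. Helpers (set_field, match, constant) are
// defined elsewhere in this file.
// NOTE(review): every set_field here except dup353 uses the doubled
// "nwparser.nwparser." prefix. dup341 writes 1613040200 to
// "nwparser.nwparser.eventcategory" while dup215 in this file writes the same
// value to "nwparser.eventcategory", so the two spellings are probably not
// both intended. Confirm which key later stages read.
var dup336 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1204000000") });
var dup337 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("304006") });
var dup338 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1610000000") });
var dup339 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("505006") });
var dup340 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("615002") });
var dup341 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1613040200") });
var dup342 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713073") });
var dup343 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1603010000") });
var dup344 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("101004") });
var dup345 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("313003") });
var dup346 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("313003:01") });
var dup347 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("324002") });
var dup348 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715075") });
var dup349 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1401050200") });
var dup350 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("307004") });
var dup351 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("338305") });
// Reads p0, which is produced by a step outside this run.
var dup352 = match({
  dissect: { tokenizer: ", %{action}", field: "nwparser.p0" },
});
var dup353 = set_field({ dest: "nwparser.msg_id1", value: constant("715063") });
var dup354 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718056") });
var dup355 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109023") });
var dup356 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109023:01") });
var dup357 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1801020100") });
var dup358 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("602301") });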
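// Steps for "TunnelGroup ... GroupPolicy ... User ... No address available for
// SVC connection" (defined next to id 722020) and "identity doesn't match
// negotiated identity ..." (defined next to id 402103). Helpers (match,
// linear_select, set_field, constant) are defined elsewhere in this file.
//
// NOTE(review): in dup359 each bracketed value opens with "<<" (\u003c\u003c)
// but closes with a single ">" (\u003e). That asymmetry looks like an escaped
// "<" carried over from the source parser definition rather than text the
// device emits. If so, the pattern demands a literal "<<" and these events
// stay unparsed. Confirm against a sample log line.
var dup359 = match({
  dissect: {
    tokenizer: "TunnelGroup \u003c\u003c %{group_object} \u003e GroupPolicy \u003c\u003c %{group} \u003e User %{p0}",
    field: "nwparser.payload",
  },
});
// Source address with or without a bracketed second value; the bracketed
// form is listed first.
var dup360 = linear_select([
  match({ dissect: { tokenizer: " %{saddr} (%{fld2}) %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{saddr} %{p3}", field: "nwparser.p2" } }),
]);
// "%{}" is an unnamed capture: the trailing text is matched, not stored.
var dup361 = match({
  dissect: {
    tokenizer: " \u003e No address available for SVC connection%{}",
    field: "nwparser.p3",
  },
});
var dup362 = set_field({ dest: "nwparser.msg_id1", value: constant("722020") });
var dup363 = match({
  dissect: {
    tokenizer: "identity doesn't match negotiated identity %{p0}",
    field: "nwparser.payload",
  },
});
var dup364 = linear_select([
  match({ dissect: { tokenizer: " ip %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " (ip) %{p1}", field: "nwparser.p0" } }),
]);
var dup365 = match({
  dissect: {
    tokenizer: " dest_addr=%{daddr}, src_addr=%{saddr}, prot= %{protocol}, (ident) %{info}",
    field: "nwparser.p1",
  },
});
var dup366 = set_field({ dest: "nwparser.msg_id1", value: constant("402103") });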
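// Id and category steps around the "Built backup|director stub ... connection"
// message, which is defined next to the 302026 id (dup374). Helpers
// (set_field, match, linear_select, constant) are defined elsewhere in this
// file.
// NOTE(review): every set_field here except dup374 uses the doubled
// "nwparser.nwparser." prefix. dup378 writes 1703000000 to
// "nwparser.nwparser.eventcategory" while dup316 in this file writes the same
// value to "nwparser.eventcategory"; confirm which key is intended.
var dup367 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201006") });
var dup368 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("210003") });
var dup369 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1603040000") });
var dup370 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("213002") });
var dup371 = match({
  dissect: { tokenizer: "Built %{p0}", field: "nwparser.payload" },
});
// The stub role (backup/director) is matched as a literal and not stored in a
// field by these steps.
var dup372 = linear_select([
  match({ dissect: { tokenizer: "backup%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "director%{p1}", field: "nwparser.p0" } }),
]);
var dup373 = match({
  dissect: {
    tokenizer: " stub %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} (%{fld1}) to %{dinterface}:%{daddr}/%{dport} (%{fld2})",
    field: "nwparser.p1",
  },
});
var dup374 = set_field({ dest: "nwparser.msg_id1", value: constant("302026") });
var dup375 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("321001") });
var dup376 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("321001:01") });
var dup377 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("324007") });
var dup378 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1703000000") });
var dup379 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("409011") });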
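// Steps for the "Too many connections on static|xlate ..." message (defined
// next to id 201002) and its "Too many TCP|tcp connections on ..." variant
// (defined next to id 201002:01). Helpers (match, linear_select, set_field,
// constant) are defined elsewhere in this file.
var dup380 = match({
  dissect: { tokenizer: "Too many connections on %{p0}", field: "nwparser.payload" },
});
// NOTE(review): both alternatives start with a space although dup380 already
// consumes the space before %{p0}. The same applies to dup385 after dup384.
// Verify against a sample line that they can match.
var dup381 = linear_select([
  match({ dissect: { tokenizer: " static %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " xlate %{p1}", field: "nwparser.p0" } }),
]);
// Address up to "!", followed by two further space-separated values.
var dup382 = match({
  dissect: { tokenizer: " %{hostip}! %{fld1} %{fld2}", field: "nwparser.p1" },
});
var dup383 = set_field({ dest: "nwparser.msg_id1", value: constant("201002") });
var dup384 = match({
  dissect: { tokenizer: "Too many %{p0}", field: "nwparser.payload" },
});
var dup385 = linear_select([
  match({ dissect: { tokenizer: " TCP %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " tcp %{p1}", field: "nwparser.p0" } }),
]);
var dup386 = match({
  dissect: { tokenizer: " connections on %{p2}", field: "nwparser.p1" },
});
var dup387 = linear_select([
  match({ dissect: { tokenizer: " static %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " xlate %{p3}", field: "nwparser.p2" } }),
]);
// Same tokenizer as dup382, applied two stages later (p3 instead of p1).
var dup388 = match({
  dissect: { tokenizer: " %{hostip}! %{fld1} %{fld2}", field: "nwparser.p3" },
});
var dup389 = set_field({ dest: "nwparser.msg_id1", value: constant("201002:01") });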
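// Id and category steps interleaved with the matches for "Group = ...,
// [Username = ...,] IP = ..., ..." messages (defined next to ids 715036:01 and
// 715036) and a ", IP = <saddr> , <action>:<info>" tail (defined next to id
// 713034). Helpers (set_field, match, linear_select, constant) are defined
// elsewhere in this file.
// NOTE(review): the set_field steps other than dup395, dup397 and dup401 use
// the doubled "nwparser.nwparser." prefix; confirm which key later stages
// read.
var dup390 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713128") });
var dup391 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713128:01") });
var dup392 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713257") });
var dup393 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, %{p0}",
    field: "nwparser.payload",
  },
});
// First alternative also extracts the sequence number; the second is the
// catch-all.
// NOTE(review): the catch-all starts with a space although dup393 and dup396
// already consume the space before %{p0}, and it has two captures with no
// literal between them. Confirm with the match helper that this path can
// match and that event_description is populated.
var dup394 = linear_select([
  match({
    dissect: {
      tokenizer: "%{event_description} (seq number %{fld1}) %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({ dissect: { tokenizer: " %{event_description}%{p1}", field: "nwparser.p0" } }),
]);
var dup395 = set_field({ dest: "nwparser.msg_id1", value: constant("715036:01") });
var dup396 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{p0}",
    field: "nwparser.payload",
  },
});
var dup397 = set_field({ dest: "nwparser.msg_id1", value: constant("715036") });
var dup398 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1701010000") });
var dup399 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("420004") });
var dup400 = match({
  dissect: {
    tokenizer: ", IP = %{saddr} , %{action}:%{info}",
    field: "nwparser.p1",
  },
});
var dup401 = set_field({ dest: "nwparser.msg_id1", value: constant("713034") });
var dup402 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713034:01") });
var dup403 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("776252") });
var dup404 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("609001") });
var dup405 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400021") });
var dup406 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720062") });
var dup407 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("752006") });
var dup408 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("103007") });
var dup409 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("504001:01") });
var dup410 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("504001") });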
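// Steps for "... User ACL ... from AAA ignored, AV-PAIR ACL used instead"
// (defined next to category 1204020000 and id 113034) and for "SSH login
// session failed ..." (defined next to ids 315003 and 315003:01), followed by
// id steps for 616001. Helpers (match, linear_select, set_field, constant)
// are defined elsewhere in this file.
//
// NOTE(review): in dup411 each bracketed value opens with "<<" (\u003c\u003c)
// but closes with a single ">" (\u003e). That asymmetry looks like an escaped
// "<" left over from the source parser definition. If the device emits a
// single "<", this pattern never matches; confirm with a sample line.
var dup411 = match({
  dissect: {
    tokenizer: " IP \u003c\u003c%{hostip}\u003e User ACL \u003c\u003c%{info}\u003e from AAA ignored, AV-PAIR ACL used instead",
    field: "nwparser.p1",
  },
});
var dup412 = set_field({ dest: "nwparser.eventcategory", value: constant("1204020000") });
var dup413 = set_field({ dest: "nwparser.msg_id1", value: constant("113034") });
// Failed SSH login, variant with " on (" before the attempt count.
var dup414 = match({
  dissect: {
    tokenizer: "SSH login session failed from %{saddr} on (%{fld1} attempts) on interface %{interface} by user %{p0}",
    field: "nwparser.payload",
  },
});
var dup415 = set_field({ dest: "nwparser.msg_id1", value: constant("315003") });
// Failed SSH login, variant with "(" directly after the source address.
var dup416 = match({
  dissect: {
    tokenizer: "SSH login session failed from %{saddr}(%{fld1} attempts) on interface %{interface} by user %{p0}",
    field: "nwparser.payload",
  },
});
// User name in double quotes, single quotes or bare, in that order.
// NOTE(review): for a failed login the user name is whatever the remote
// client sent, so the captured value is untrusted. The bare form ends the
// name at the first space, and a name containing a quote character can end
// the quoted forms early. Downstream consumers should not treat username as
// a verified identity or render it without escaping. Presumably the first
// matching alternative wins, which makes the quoted-before-bare order
// significant.
var dup417 = linear_select([
  match({ dissect: { tokenizer: " \"%{username}\" %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " '%{username}' %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{username} %{p1}", field: "nwparser.p0" } }),
]);
var dup418 = set_field({ dest: "nwparser.msg_id1", value: constant("315003:01") });
// NOTE(review): doubled "nwparser.nwparser." prefix on the next two steps,
// unlike dup415 and dup418; confirm the intended key.
var dup419 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("616001:01") });
var dup420 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("616001") });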
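// Steps for "Group = ... [, Username = ...], IP = ..., <action> for peer ...
// Reason: ..." (defined next to id 713050) and "Cannot create more isakmp
// peers ..." (defined next to id 316001:01), with further id and category
// steps. Helpers (match, linear_select, set_field, constant) are defined
// elsewhere in this file.
//
// Group with an optional user name: quoted name, bare name, then group only.
// NOTE(review): presumably the first matching alternative wins. The bare
// user name form ends the name at the first space.
var dup421 = linear_select([
  match({
    dissect: {
      tokenizer: " Group = %{group}, Username = '%{username}' %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({
    dissect: {
      tokenizer: " Group = %{group}, Username = %{username} %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({ dissect: { tokenizer: " Group = %{group} %{p0}", field: "nwparser.payload" } }),
]);
var dup422 = match({
  dissect: {
    tokenizer: ", IP = %{saddr}, %{action} for peer %{peer}. Reason: %{result} %{info}",
    field: "nwparser.p0",
  },
});
var dup423 = set_field({ dest: "nwparser.msg_id1", value: constant("713050") });
// NOTE(review): doubled "nwparser.nwparser." prefix here and on dup429 to
// dup432, unlike dup423 and dup428; confirm the intended key.
var dup424 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("316001") });
var dup425 = match({
  dissect: { tokenizer: "Cannot %{p0}", field: "nwparser.payload" },
});
// Accepts "create" and the misspelling "creat".
// NOTE(review): only the first alternative starts with a space, although
// dup425 already consumes the space after "Cannot". If match is
// whitespace-exact, at most one of the two spellings can match; verify with
// sample lines.
var dup426 = linear_select([
  match({ dissect: { tokenizer: " create %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "creat %{p1}", field: "nwparser.p0" } }),
]);
var dup427 = match({
  dissect: {
    tokenizer: " more isakmp peers, exceeding the limit of %{fld1} peers",
    field: "nwparser.p1",
  },
});
var dup428 = set_field({ dest: "nwparser.msg_id1", value: constant("316001:01") });
var dup429 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("113022") });
var dup430 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1801030000") });
var dup431 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302002") });
var dup432 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302002:01") });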
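// A stub-role selector defined next to id 302024, a ",<info>" tail defined
// next to category 1701030000 and id 713213, and further id steps. Helpers
// (linear_select, match, set_field, constant) are defined elsewhere in this
// file.
//
// Same idea as dup372 in this file, with "forwarder" as a third role. The
// role is matched as a literal and not stored in a field by this step.
var dup433 = linear_select([
  match({ dissect: { tokenizer: "backup%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "director%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "forwarder%{p1}", field: "nwparser.p0" } }),
]);
var dup434 = set_field({ dest: "nwparser.msg_id1", value: constant("302024") });
// NOTE(review): doubled "nwparser.nwparser." prefix here and on dup439 and
// dup440, unlike dup434 and dup438; confirm the intended key.
var dup435 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713127") });
// Reads p0, which is produced by a step outside this run.
var dup436 = match({
  dissect: { tokenizer: ",%{info}", field: "nwparser.p0" },
});
var dup437 = set_field({ dest: "nwparser.eventcategory", value: constant("1701030000") });
var dup438 = set_field({ dest: "nwparser.msg_id1", value: constant("713213") });
var dup439 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718072") });
var dup440 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("107002") });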
// First half of what appears to be an "Authentication: successful" session message:
// group, then user. "\u003c" / "\u003e" in the tokenizers are the characters < and >.
var dup441 = linear_select([
  match({
    dissect: {
      tokenizer: " Authentication: successful, group = %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({ dissect: { tokenizer: " Group %{p0}", field: "nwparser.payload" } }),
]);
var dup442 = match({
  dissect: { tokenizer: " \u003c\u003c%{group}\u003e %{p1}", field: "nwparser.p0" },
});
var dup443 = linear_select([
  match({ dissect: { tokenizer: " User %{p2}", field: "nwparser.p1" } }),
  match({ dissect: { tokenizer: " user = %{p2}", field: "nwparser.p1" } }),
]);
var dup444 = match({ dissect: { tokenizer: " %{p3}", field: "nwparser.p2" } });
// Username in three shapes: <<name>, 'name', bare. The bare form ends at the next
// space, so a name that itself contains a space is cut short and the rest flows into
// p4. The value comes from the login request; treat it as untrusted text downstream.
var dup445 = linear_select([
  match({
    dissect: { tokenizer: " \u003c\u003c%{username}\u003e %{p4}", field: "nwparser.p3" },
  }),
  match({ dissect: { tokenizer: " '%{username}' %{p4}", field: "nwparser.p3" } }),
  match({ dissect: { tokenizer: " %{username} %{p4}", field: "nwparser.p3" } }),
]);
// Second half of the same-looking message: source address and session type,
// followed by the id constant 716038. p4 is produced by a stage before this block.
var dup446 = match({ dissect: { tokenizer: " %{p5}", field: "nwparser.p4" } });
var dup447 = linear_select([
  match({ dissect: { tokenizer: " IP = %{p6}", field: "nwparser.p5" } }),
  match({ dissect: { tokenizer: " IP %{p6}", field: "nwparser.p5" } }),
]);
// saddr is the address between << and >.
var dup448 = match({
  dissect: { tokenizer: " \u003c\u003c%{saddr}\u003e%{p7}", field: "nwparser.p6" },
});
var dup449 = linear_select([
  match({ dissect: { tokenizer: " , Session Type %{p8}", field: "nwparser.p7" } }),
  match({
    dissect: {
      tokenizer: " %{space}Authentication: successful, Session Type %{p8}",
      field: "nwparser.p7",
    },
  }),
]);
var dup450 = match({ dissect: { tokenizer: ": %{network_service}", field: "nwparser.p8" } });
var dup451 = set_field({ dest: "nwparser.msg_id1", value: constant("716038") });
// Tail of a "blacklisted ... traffic" message (id constant 338003). The stage that
// produces p1 is not in this excerpt.
var dup452 = match({ dissect: { tokenizer: " %{p2}", field: "nwparser.p1" } });
// NOTE(review): "permitted" / "monitored" is consumed here without being captured, so
// the verdict is not retained as a field by these fragments -- confirm it is recorded
// elsewhere if alerting needs to tell the two apart.
var dup453 = linear_select([
  match({ dissect: { tokenizer: " permitted %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " monitored %{p3}", field: "nwparser.p2" } }),
]);
// Captures both endpoints with their translated address/port pairs, the list entry as
// fld3/mask, and the message's threat-level and category as `severity` and `result`.
var dup454 = match({
  dissect: {
    tokenizer: " blacklisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), source %{fld1} resolved from %{fld2} list:%{fld3}/%{mask} threat-level: %{severity}, category: %{result}",
    field: "nwparser.p3",
  },
});
var dup455 = set_field({ dest: "nwparser.msg_id1", value: constant("338003") });
// Id constants 402117, 714003 and 715041.
// NOTE(review): dest uses the doubled "nwparser.nwparser." prefix -- confirm intended.
var dup456 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("402117") });
var dup457 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("714003") });
var dup458 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715041") });
// Fragments for a "Mate license ... is not compatible with my license" message
// (id constant 105045, event category 1702030000). fld1 and fld2 hold the value that
// precedes the unit word on the mate side and on the local side respectively.
var dup459 = match({
  dissect: {
    tokenizer: "(%{context}) Mate license (%{fld1} %{p0}",
    field: "nwparser.payload",
  },
});
var dup460 = linear_select([
  match({ dissect: { tokenizer: " Contexts %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " contexts %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " Enabled %{p1}", field: "nwparser.p0" } }),
]);
var dup461 = match({
  dissect: {
    tokenizer: ") is not compatible with my license (%{fld2} %{p2}",
    field: "nwparser.p1",
  },
});
var dup462 = linear_select([
  match({ dissect: { tokenizer: " Contexts %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " contexts %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " Disabled %{p3}", field: "nwparser.p2" } }),
]);
// "%{}" has no key name; presumably whatever follows ")." is discarded.
var dup463 = match({ dissect: { tokenizer: ").%{}", field: "nwparser.p3" } });
var dup464 = set_field({ dest: "nwparser.eventcategory", value: constant("1702030000") });
var dup465 = set_field({ dest: "nwparser.msg_id1", value: constant("105045") });
// Fragments for a "User ... executed the command ..." audit message (id constant
// 111008). The stage that turns p0 into p1 (the user name) is not in this excerpt.
var dup466 = match({ dissect: { tokenizer: "User %{p0}", field: "nwparser.payload" } });
var dup467 = match({ dissect: { tokenizer: " executed %{p2}", field: "nwparser.p1" } });
// `action` receives the command text. In the unquoted form it stops at the first
// space, so only the first word of a multi-word command is kept in `action`.
var dup468 = linear_select([
  match({ dissect: { tokenizer: " the command %{action} %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " the '%{action}' command %{p3}", field: "nwparser.p2" } }),
]);
var dup469 = set_field({ dest: "nwparser.msg_id1", value: constant("111008") });
// Fragments for "Parsing downloaded ACL: WARNING: ..." (id constants 109029 and
// 109029:01), plus the unrelated id constant 604104.
var dup470 = match({
  dissect: { tokenizer: "Parsing downloaded ACL: WARNING: %{p0}", field: "nwparser.payload" },
});
// ACL name as <<name>, 'name' or bare; "\u003c" / "\u003e" are < and >.
var dup471 = linear_select([
  match({
    dissect: { tokenizer: " \u003c\u003c%{listnum}\u003e %{p1}", field: "nwparser.p0" },
  }),
  match({ dissect: { tokenizer: " '%{listnum}' %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{listnum} %{p1}", field: "nwparser.p0" } }),
]);
var dup472 = match({ dissect: { tokenizer: " %{result}", field: "nwparser.p1" } });
// NOTE(review): dup473 and dup475 set the same category value, one under
// "nwparser." and one under "nwparser.nwparser." -- confirm which path is read.
var dup473 = set_field({ dest: "nwparser.eventcategory", value: constant("1501050100") });
var dup474 = set_field({ dest: "nwparser.msg_id1", value: constant("109029") });
var dup475 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1501050100") });
var dup476 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109029:01") });
var dup477 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("604104") });
// Header with an optional username (quoted, then unquoted, then absent) and the peer
// address, followed by "action:info" and the id constant 715064.
// The unquoted username form ends at the first comma.
var dup478 = linear_select([
  match({
    dissect: {
      tokenizer: " Username = '%{username}', IP = %{saddr}, %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({
    dissect: {
      tokenizer: " Username = %{username}, IP = %{saddr}, %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({ dissect: { tokenizer: " IP = %{saddr}, %{p0}", field: "nwparser.payload" } }),
]);
var dup479 = match({ dissect: { tokenizer: " %{action}:%{info}", field: "nwparser.p0" } });
var dup480 = set_field({ dest: "nwparser.msg_id1", value: constant("715064") });
// Constant setters only: message ids and event categories, no parsing.
// NOTE(review): every dest below has a doubled "nwparser.nwparser." prefix; confirm
// that downstream consumers read this path and not "nwparser.<name>".
var dup481 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717026") });
var dup482 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718022") });
var dup483 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1801030100") });
var dup484 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("722047") });
var dup485 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("750006") });
var dup486 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1204020000") });
var dup487 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713203") });
var dup488 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("409002") });
var dup489 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1801010000") });
var dup490 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("409005") });
var dup491 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("409009") });
var dup492 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713122") });
var dup493 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717024") });
// "IP <addr> [(<fld1>)] <description>." followed by the id constant 722001.
var dup494 = match({ dissect: { tokenizer: "IP %{p0}", field: "nwparser.payload" } });
// The form with a parenthesised value after the address is listed before the plain form.
var dup495 = linear_select([
  match({ dissect: { tokenizer: " %{saddr} (%{fld1}) %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{saddr} %{p1}", field: "nwparser.p0" } }),
]);
var dup496 = match({ dissect: { tokenizer: " %{event_description}.", field: "nwparser.p1" } });
var dup497 = set_field({ dest: "nwparser.msg_id1", value: constant("722001") });
// Tail of an "SVC connection established with/without compression" message
// (id constant 722022). The stages that produce p3 are not in this excerpt.
// "\u003e" is the character >.
var dup498 = match({ dissect: { tokenizer: " \u003e %{p4}", field: "nwparser.p3" } });
// Transport keyword (TCP / UDP / none) is consumed without being captured.
var dup499 = linear_select([
  match({ dissect: { tokenizer: " TCP SVC %{p5}", field: "nwparser.p4" } }),
  match({ dissect: { tokenizer: " UDP SVC %{p5}", field: "nwparser.p4" } }),
  match({ dissect: { tokenizer: " SVC %{p5}", field: "nwparser.p4" } }),
]);
var dup500 = match({
  dissect: { tokenizer: " connection established %{p6}", field: "nwparser.p5" },
});
// " without" is listed ahead of " with".
var dup501 = linear_select([
  match({ dissect: { tokenizer: " without %{p7}", field: "nwparser.p6" } }),
  match({ dissect: { tokenizer: " with %{p7}", field: "nwparser.p6" } }),
]);
var dup502 = match({ dissect: { tokenizer: " %{obj_type} compression", field: "nwparser.p7" } });
var dup503 = set_field({ dest: "nwparser.msg_id1", value: constant("722022") });
// Id constants 401001, 710006 and 303004.
// NOTE(review): dest uses the doubled "nwparser.nwparser." prefix -- confirm intended.
var dup504 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("401001") });
var dup505 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("710006") });
var dup506 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("303004") });
// "Module in slot <fld1> is not a recognized type" (id constant 413003).
var dup507 = match({
  dissect: {
    tokenizer: "Module in slot %{fld1} is not a recognized %{p0}",
    field: "nwparser.payload",
  },
});
// " type." (with the full stop) is listed before " type".
var dup508 = linear_select([
  match({ dissect: { tokenizer: " type. %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " type %{p1}", field: "nwparser.p0" } }),
]);
var dup509 = set_field({ dest: "nwparser.msg_id1", value: constant("413003") });
// Two layouts of a "Pitcher: ..., spi ..." message (id constants 715077 and 715077:01).
// Layout 1 carries a Group / Username / IP header; the username is optional and, when
// unquoted, ends at the first comma.
var dup510 = linear_select([
  match({
    dissect: {
      tokenizer: " Group = %{group}, Username = '%{username}', IP = %{saddr}, Pitcher: %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({
    dissect: {
      tokenizer: " Group = %{group}, Username = %{username}, IP = %{saddr}, Pitcher: %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({
    dissect: {
      tokenizer: " Group = %{group}, IP = %{saddr}, Pitcher: %{p0}",
      field: "nwparser.payload",
    },
  }),
]);
var dup511 = match({ dissect: { tokenizer: " %{action}, spi %{dst_spi}", field: "nwparser.p0" } });
var dup512 = set_field({ dest: "nwparser.msg_id1", value: constant("715077") });
// Layout 2 has no header; the text after "Pitcher:" goes to `result` instead of `action`.
var dup513 = match({
  dissect: { tokenizer: "Pitcher: %{result} %{p0}", field: "nwparser.payload" },
});
var dup514 = linear_select([
  match({ dissect: { tokenizer: " , spi %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " spi %{p1}", field: "nwparser.p0" } }),
]);
var dup515 = match({ dissect: { tokenizer: " %{dst_spi}", field: "nwparser.p1" } });
var dup516 = set_field({ dest: "nwparser.msg_id1", value: constant("715077:01") });
// Id constant 318003 (doubled "nwparser.nwparser." prefix -- NOTE(review): confirm).
var dup517 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("318003") });
// "ISAKMP Phase 1 delete(d) received (local ..., remote ...)" in two directions,
// ids 702201:01 and 702201.
var dup518 = match({
  dissect: { tokenizer: "ISAKMP Phase 1 %{p0}", field: "nwparser.payload" },
});
var dup519 = linear_select([
  match({ dissect: { tokenizer: " deleted %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " delete %{p1}", field: "nwparser.p0" } }),
]);
// Local side is the initiator: local -> saddr, remote -> daddr.
var dup520 = match({
  dissect: {
    tokenizer: " received (local %{saddr} (initiator), remote %{daddr})",
    field: "nwparser.p1",
  },
});
var dup521 = set_field({ dest: "nwparser.msg_id1", value: constant("702201:01") });
// Local side is the responder: the mapping flips, local -> daddr, remote -> saddr.
var dup522 = match({
  dissect: {
    tokenizer: " received (local %{daddr} (responder), remote %{saddr})",
    field: "nwparser.p1",
  },
});
var dup523 = set_field({ dest: "nwparser.msg_id1", value: constant("702201") });
// Id constants 713218 and 318001, then the tail of a message that carries
// ", IP = <saddr>, <description> [for client address: <fld1>]" (id constant 713204,
// event category 1701010000). The stage that produces p1 is not in this excerpt.
// NOTE(review): dup525 uses the doubled "nwparser.nwparser." prefix; the other
// setters in this run use "nwparser." -- confirm intended.
var dup524 = set_field({ dest: "nwparser.msg_id1", value: constant("713218") });
var dup525 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("318001") });
var dup526 = match({ dissect: { tokenizer: ", IP = %{saddr}, %{p2}", field: "nwparser.p1" } });
// The more specific alternative (with a client address) is listed first.
var dup527 = linear_select([
  match({
    dissect: {
      tokenizer: "%{event_description} for client address: %{fld1} %{p3}",
      field: "nwparser.p2",
    },
  }),
  match({ dissect: { tokenizer: "%{event_description}%{p3}", field: "nwparser.p2" } }),
]);
var dup528 = set_field({ dest: "nwparser.eventcategory", value: constant("1701010000") });
var dup529 = set_field({ dest: "nwparser.msg_id1", value: constant("713204") });
// " WebVPN Unable to create session" tail (id constant 716007); "%{}" has no key
// name, so presumably any trailing text is discarded. The stage that produces p1 is
// not in this excerpt.
var dup530 = match({
  dissect: { tokenizer: " WebVPN Unable to create session%{}", field: "nwparser.p1" },
});
var dup531 = set_field({ dest: "nwparser.msg_id1", value: constant("716007") });
// Constants for ids 746012 / 746012:01 and event category 1401060000.
// NOTE(review): these three use the doubled "nwparser.nwparser." prefix -- confirm.
var dup532 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1401060000") });
var dup533 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("746012") });
var dup534 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("746012:01") });
// "Group = ..., [Username = ...], IP = ..., <result>" (id constant 713171, event
// category 1805000000). group and username here both end at the next space.
var dup535 = linear_select([
  match({
    dissect: {
      tokenizer: " Group = %{group}, Username = %{username} %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({ dissect: { tokenizer: " Group = %{group} %{p0}", field: "nwparser.payload" } }),
]);
var dup536 = match({
  dissect: { tokenizer: ", IP = %{saddr}, %{result}", field: "nwparser.p0" },
});
var dup537 = set_field({ dest: "nwparser.eventcategory", value: constant("1805000000") });
var dup538 = set_field({ dest: "nwparser.msg_id1", value: constant("713171") });
// "CRYPTO: The ASA is skipping the writing of latest Crypto Archive File ..."
// (id constant 402127). fld2 is the file-count limit, fld3 the directory to clean up.
var dup539 = match({
  dissect: {
    tokenizer: "CRYPTO: The ASA is skipping the writing of latest Crypto Archive File as the maximum # of files (%{fld2}) allowed have been written to %{p0}",
    field: "nwparser.payload",
  },
});
// File name as <<name>, 'name' or bare; "\u003c" / "\u003e" are < and >.
var dup540 = linear_select([
  match({
    dissect: { tokenizer: " \u003c\u003c%{filename}\u003e %{p1}", field: "nwparser.p0" },
  }),
  match({ dissect: { tokenizer: " '%{filename}' %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{filename} %{p1}", field: "nwparser.p0" } }),
]);
// "\u0026" is the character &.
var dup541 = match({
  dissect: {
    tokenizer: ". Please archive \u0026 remove files from %{fld3} if you want more Crypto Archive Files saved",
    field: "nwparser.p1",
  },
});
var dup542 = set_field({ dest: "nwparser.msg_id1", value: constant("402127") });
// Id constants 611317, 701002, 105044, 737013, 109010 and 214001.
// NOTE(review): dest uses the doubled "nwparser.nwparser." prefix -- confirm intended.
var dup543 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("611317") });
var dup544 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("701002") });
var dup545 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105044") });
var dup546 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737013") });
var dup547 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109010") });
var dup548 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("214001") });
// "blacklisted ... traffic" tail where the list entry is a name rather than an
// address/mask pair: it lands in `web_domain` (id constant 338001). Threat level and
// category are captured as `severity` and `result`. p3 is produced outside this excerpt.
var dup549 = match({
  dissect: {
    tokenizer: " blacklisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), source %{fld1} resolved from %{fld2} list:%{web_domain} threat-level: %{severity}, category: %{result}",
    field: "nwparser.p3",
  },
});
var dup550 = set_field({ dest: "nwparser.msg_id1", value: constant("338001") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup551 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105003") });
// "IP <<addr> <service> session terminated: <reason>" tail (id constant 716002);
// the termination reason is stored in `result`. "\u003c" / "\u003e" are < and >.
// The stage that produces p1 is not in this excerpt.
var dup552 = match({
  dissect: {
    tokenizer: " IP \u003c\u003c%{saddr}\u003e %{network_service} session terminated: %{result}",
    field: "nwparser.p1",
  },
});
var dup553 = set_field({ dest: "nwparser.msg_id1", value: constant("716002") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup554 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737012") });
var dup555 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737012:01") });
// "Address <ip> (<name>) timed out[.,] Removing rule" (id constant 338303).
var dup556 = match({
  dissect: { tokenizer: "Address %{hostip} (%{web_domain}) %{p0}", field: "nwparser.payload" },
});
var dup557 = linear_select([
  match({ dissect: { tokenizer: " timed out. %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " timed out, %{p1}", field: "nwparser.p0" } }),
]);
// "%{}" has no key name; presumably any trailing text is discarded.
var dup558 = match({ dissect: { tokenizer: " Removing rule%{}", field: "nwparser.p1" } });
var dup559 = set_field({ dest: "nwparser.msg_id1", value: constant("338303") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup560 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("444109") });
var dup561 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("324005") });
// "Orderly reload started at <fld1> by <user> ... Reload reason: <result>"
// (id constant 199006). Records who triggered the reload and, in the first
// alternative, over which protocol and from which remote address.
var dup562 = match({
  dissect: {
    tokenizer: "Orderly reload started at %{fld1} by %{p0}",
    field: "nwparser.payload",
  },
});
var dup563 = linear_select([
  match({
    dissect: {
      tokenizer: " %{username} from %{protocol} (remote %{saddr})%{p1}",
      field: "nwparser.p0",
    },
  }),
  match({ dissect: { tokenizer: "%{username} %{p1}", field: "nwparser.p0" } }),
]);
var dup564 = match({ dissect: { tokenizer: ". Reload reason: %{result}", field: "nwparser.p1" } });
var dup565 = set_field({ dest: "nwparser.msg_id1", value: constant("199006") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup566 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1803020000") });
var dup567 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("313001") });
var dup568 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("500002") });
// "<service> daemon: Login failed/failure from <saddr> for user <name>"
// (id constant 605003, event category 1401030000).
var dup569 = match({
  dissect: { tokenizer: "%{service} daemon: Login %{p0}", field: "nwparser.payload" },
});
var dup570 = linear_select([
  match({ dissect: { tokenizer: " failed %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " failure %{p1}", field: "nwparser.p0" } }),
]);
var dup571 = match({
  dissect: { tokenizer: " from %{saddr} for user %{p2}", field: "nwparser.p1" },
});
// The user name of a failed login is chosen by whoever is connecting, so `username`
// is untrusted text: escape it when rendering and do not assume it names a real
// account. Quoted forms are tried before the bare form, which ends at the next space.
var dup572 = linear_select([
  match({ dissect: { tokenizer: " \"%{username}\" %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " '%{username}' %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{username} %{p3}", field: "nwparser.p2" } }),
]);
var dup573 = set_field({ dest: "nwparser.eventcategory", value: constant("1401030000") });
var dup574 = set_field({ dest: "nwparser.msg_id1", value: constant("605003") });
// "<action> : reason = <result> : server = <hostip> : user = ..." (id constant
// 113016). The user name is left in p0 for a later stage outside this excerpt.
var dup575 = match({
  dissect: {
    tokenizer: "%{action} : reason = %{result} : server = %{hostip} : user = %{p0}",
    field: "nwparser.payload",
  },
});
var dup576 = set_field({ dest: "nwparser.msg_id1", value: constant("113016") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup577 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("752003") });
// "Session is being torn down. Reason: <result>" tails, with and without a leading
// IP field (id constants 713259, 713259:01, 713259:02; event category 1801030000).
// The stages that produce p0 / p1 are not in this excerpt.
var dup578 = match({
  dissect: {
    tokenizer: ", IP = %{saddr}, Session is being torn down. Reason: %{result}",
    field: "nwparser.p1",
  },
});
var dup579 = set_field({ dest: "nwparser.eventcategory", value: constant("1801030000") });
var dup580 = set_field({ dest: "nwparser.msg_id1", value: constant("713259") });
var dup581 = match({
  dissect: {
    tokenizer: ", Session is being torn down. Reason: %{result}",
    field: "nwparser.p0",
  },
});
var dup582 = set_field({ dest: "nwparser.msg_id1", value: constant("713259:01") });
var dup583 = set_field({ dest: "nwparser.msg_id1", value: constant("713259:02") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup584 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400009") });
// "User priv level changed: Uname: <name> From: <old> To: <new>" (id constant
// 502103, event category 1402020300). The old and new levels land in the generic
// fields fld1 and fld2, so queries on privilege changes need to read those names.
// The stage that turns p0 into p1 (the user name) is not in this excerpt.
var dup585 = match({
  dissect: { tokenizer: "User priv level changed: Uname: %{p0}", field: "nwparser.payload" },
});
var dup586 = match({
  dissect: { tokenizer: " From: %{fld1} To: %{fld2}", field: "nwparser.p1" },
});
var dup587 = set_field({ dest: "nwparser.eventcategory", value: constant("1402020300") });
var dup588 = set_field({ dest: "nwparser.msg_id1", value: constant("502103") });
// Constant setters only: message ids and one event category, no parsing.
// NOTE(review): every dest below has a doubled "nwparser.nwparser." prefix; confirm
// that downstream consumers read this path and not "nwparser.<name>".
var dup589 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("602302") });
var dup590 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("305003") });
var dup591 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("305003:01") });
var dup592 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("505003") });
var dup593 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("313004") });
var dup594 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("313004:01") });
var dup595 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("213001") });
var dup596 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400008") });
var dup597 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1001020200") });
var dup598 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400030") });
var dup599 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("113020") });
var dup600 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199909") });
var dup601 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("210008") });
// 'Module ..., application reloading "<application>", <info>' (id constant 505013,
// event category 1702010000). The opening double quote is consumed by dup602 and the
// closing one by dup603.
var dup602 = linear_select([
  match({
    dissect: {
      tokenizer: "%{product} Module in slot %{fld1}, application reloading \"%{p0}",
      field: "nwparser.payload",
    },
  }),
  match({
    dissect: {
      tokenizer: "Module ips, application reloading \"%{p0}",
      field: "nwparser.payload",
    },
  }),
]);
var dup603 = match({ dissect: { tokenizer: "%{application}\", %{info}", field: "nwparser.p0" } });
var dup604 = set_field({ dest: "nwparser.eventcategory", value: constant("1702010000") });
var dup605 = set_field({ dest: "nwparser.msg_id1", value: constant("505013") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup606 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718015") });
var dup607 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715071") });
var dup608 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717041") });
// "AAA retrieved user specific group policy <policy> for user = ..." (id constant
// 113011). The user name is left in p2 for a later stage outside this excerpt.
var dup609 = match({
  dissect: {
    tokenizer: "AAA retrieved user specific group policy %{p0}",
    field: "nwparser.payload",
  },
});
// Policy name with or without surrounding parentheses.
var dup610 = linear_select([
  match({ dissect: { tokenizer: " (%{policyname}) %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{policyname} %{p1}", field: "nwparser.p0" } }),
]);
var dup611 = match({ dissect: { tokenizer: " for user = %{p2}", field: "nwparser.p1" } });
var dup612 = set_field({ dest: "nwparser.msg_id1", value: constant("113011") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup613 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("326001") });
// "Shun added: <result> ..." / "Shuns added ..." header (id constant 401002).
// Only the first alternative captures a value (`result`, up to the next space).
var dup614 = linear_select([
  match({ dissect: { tokenizer: " Shun added: %{result} %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Shuns added %{p0}", field: "nwparser.payload" } }),
]);
var dup615 = set_field({ dest: "nwparser.msg_id1", value: constant("401002") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup616 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718051") });
// "Module ... experienced a data channel communication failure, data channel is DOWN"
// (id constant 323006), in a slot-specific form and an "ips" form.
var dup617 = linear_select([
  match({
    dissect: {
      tokenizer: "%{product} Module in slot %{fld1} experienced a data channel communication failure, data channel is DOWN%{p0}",
      field: "nwparser.payload",
    },
  }),
  match({
    dissect: {
      tokenizer: "Module ips experienced a data channel communication failure, data channel is DOWN%{p0}",
      field: "nwparser.payload",
    },
  }),
]);
var dup618 = set_field({ dest: "nwparser.msg_id1", value: constant("323006") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup619 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737006") });
var dup620 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737006:01") });
// "Begin configuration: <origin> reading from <device>" (id constant 111007).
// The origin is either the console keyword or an address captured as `hostip`; the
// console keyword itself is consumed without being stored.
var dup621 = match({
  dissect: { tokenizer: "Begin configuration: %{p0}", field: "nwparser.payload" },
});
var dup622 = linear_select([
  match({ dissect: { tokenizer: " Console %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " console %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{hostip} %{p1}", field: "nwparser.p0" } }),
]);
var dup623 = match({ dissect: { tokenizer: " reading from %{device}", field: "nwparser.p1" } });
var dup624 = set_field({ dest: "nwparser.msg_id1", value: constant("111007") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup625 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1608000000") });
var dup626 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("421006") });
var dup627 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720028") });
// "Unable to install ACL '<acl>', downloaded for user <name>; Error in ACE: '<entry>'"
// (id constant 109032). The rejected entry is stored in `result`. The stage that
// turns p0 into p1 (the user name) is not in this excerpt.
var dup628 = match({
  dissect: {
    tokenizer: "Unable to install ACL '%{listnum}', downloaded for user %{p0}",
    field: "nwparser.payload",
  },
});
var dup629 = match({ dissect: { tokenizer: "; Error in ACE: '%{result}'", field: "nwparser.p1" } });
var dup630 = set_field({ dest: "nwparser.msg_id1", value: constant("109032") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup631 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("318007") });
// Tail of a "whitelisted ... traffic" message (id constant 338104). The stage that
// produces p1 is not in this excerpt.
var dup632 = match({ dissect: { tokenizer: " %{p2}", field: "nwparser.p1" } });
// The " action" / " monitored" keyword is consumed without being captured.
var dup633 = linear_select([
  match({ dissect: { tokenizer: " action %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " monitored %{p3}", field: "nwparser.p2" } }),
]);
// Captures both endpoints with their translated address/port pairs; the resolved
// destination goes to `hostip`, the list name to `listnum`, the rest to `info`.
var dup634 = match({
  dissect: {
    tokenizer: " whitelisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), destination %{hostip} resolved from %{listnum} list: %{info}",
    field: "nwparser.p3",
  },
});
var dup635 = set_field({ dest: "nwparser.msg_id1", value: constant("338104") });
// "Login denied from <saddr>/<sport> to <if>:<daddr>/<service> for user ..."
// (id constant 605004) and a shorter "<action> for user ..." layout (605004:01).
// In both, the user name is left in p0 for a later stage outside this excerpt; it is
// supplied by the connecting client, so treat the resulting value as untrusted text.
var dup636 = match({
  dissect: {
    tokenizer: "Login denied from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{service} for user %{p0}",
    field: "nwparser.payload",
  },
});
var dup637 = set_field({ dest: "nwparser.msg_id1", value: constant("605004") });
var dup638 = match({
  dissect: { tokenizer: "%{action} for user %{p0}", field: "nwparser.payload" },
});
var dup639 = set_field({ dest: "nwparser.msg_id1", value: constant("605004:01") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup640 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302304") });
var dup641 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199907") });
// "LEAVING / Leaving ALLOW mode, URL Server" (id constant 304008). "%{}" has no key
// name, so presumably the text after "URL Server" is discarded.
var dup642 = linear_select([
  match({ dissect: { tokenizer: " LEAVING %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Leaving %{p0}", field: "nwparser.payload" } }),
]);
var dup643 = match({
  dissect: { tokenizer: " ALLOW mode, URL Server%{}", field: "nwparser.p0" },
});
var dup644 = set_field({ dest: "nwparser.msg_id1", value: constant("304008") });
// NOTE(review): doubled "nwparser.nwparser." prefix below -- confirm intended.
var dup645 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400035") });
var dup646 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713222") });
var dup647 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("120008") });
// "IPSEC: Received an ESP packet (SPI= ..., sequence number= ...) from <saddr> to
// <daddr> that failed anti-replay checking." (id constant 402119). The SPI goes to
// `dst_spi` and the sequence number to the generic field fld2. The stage that turns
// p0 into p1 is not in this excerpt.
var dup648 = match({
  dissect: {
    tokenizer: "IPSEC: Received an ESP packet (SPI= %{dst_spi}, sequence number= %{fld2}) from %{saddr} %{p0}",
    field: "nwparser.payload",
  },
});
var dup649 = match({
  dissect: {
    tokenizer: " to %{daddr} that failed anti-replay checking.",
    field: "nwparser.p1",
  },
});
var dup650 = set_field({ dest: "nwparser.msg_id1", value: constant("402119") });
// "ISAKMP session connect(ed) (local ..., remote ...)" in two directions
// (id constants 602202:01 and 602202).
var dup651 = match({
  dissect: { tokenizer: "ISAKMP session %{p0}", field: "nwparser.payload" },
});
var dup652 = linear_select([
  match({ dissect: { tokenizer: " connected %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " connect %{p1}", field: "nwparser.p0" } }),
]);
// Local side is the responder: local -> daddr, remote -> saddr.
var dup653 = match({
  dissect: {
    tokenizer: " (local %{daddr} (responder), remote %{saddr})",
    field: "nwparser.p1",
  },
});
var dup654 = set_field({ dest: "nwparser.msg_id1", value: constant("602202:01") });
// Local side is the initiator: the mapping flips, local -> saddr, remote -> daddr.
var dup655 = match({
  dissect: {
    tokenizer: " (local %{saddr} (initiator), remote %{daddr})",
    field: "nwparser.p1",
  },
});
var dup656 = set_field({ dest: "nwparser.msg_id1", value: constant("602202") });
var dup657 = match({ | |
dissect: { | |
tokenizer: " IP \u003c\u003c%{saddr}\u003e %{network_service} session started", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup658 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("716001"), | |
}); | |
var dup659 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("337009"), | |
}); | |
var dup660 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("321002"), | |
}); | |
var dup661 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("323001"), | |
}); | |
var dup662 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1611000000"), | |
}); | |
var dup663 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("505001"), | |
}); | |
// VPN group-prefixed messages: captures the tunnel group name up to the first ", ".
var dup664 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Identity segment, three shapes: quoted username + IP, bare username + IP, or IP only.
// The quoted form is listed before the bare form; presumably the first matching alternative
// wins (linear_select is defined outside this view), so the order decides whether the quotes
// end up inside the captured username.
// The username is copied as logged and is split purely on the literal delimiters, so
// downstream consumers should treat it as untrusted text rather than a validated account name.
var dup665 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Username = '%{username}', IP = %{saddr} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Username = %{username}, IP = %{saddr} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " IP = %{saddr} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Everything after ", " becomes the action field.
var dup666 = match({ | |
dissect: { | |
tokenizer: ", %{action}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Message id 715022.
var dup667 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715022"), | |
}); | |
var dup668 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("746016"), | |
}); | |
var dup669 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("105011"), | |
}); | |
var dup670 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("505004"), | |
}); | |
var dup671 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713035"), | |
}); | |
var dup672 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713035:01"), | |
}); | |
var dup673 = match({ | |
dissect: { | |
tokenizer: " IP \u003c\u003c%{saddr}\u003e SVC Session Termination:%{info}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup674 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722030"), | |
}); | |
var dup675 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("304007"), | |
}); | |
var dup676 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("203001"), | |
}); | |
var dup677 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400018"), | |
}); | |
var dup678 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("722005"), | |
}); | |
var dup679 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("737014"), | |
}); | |
var dup680 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1601000000"), | |
}); | |
var dup681 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("103005"), | |
}); | |
var dup682 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715048"), | |
}); | |
var dup683 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722029"), | |
}); | |
var dup684 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("769001"), | |
}); | |
var dup685 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1701060000"), | |
}); | |
var dup686 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("611318"), | |
}); | |
var dup687 = match({ | |
dissect: { | |
tokenizer: "Unable to %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup688 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Pre-allocate %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Preallocate %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup689 = match({ | |
dissect: { | |
tokenizer: " %{service} Call Signalling Connection for %{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup690 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " foreign_address %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " faddr %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup691 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " %{saddr}/%{sport} %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{saddr} %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
]); | |
var dup692 = match({ | |
dissect: { | |
tokenizer: " to %{p6}", | |
field: "nwparser.p5", | |
}, | |
}); | |
var dup693 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " local_address %{p7}", | |
field: "nwparser.p6", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " laddr %{p7}", | |
field: "nwparser.p6", | |
}, | |
}), | |
]); | |
var dup694 = match({ | |
dissect: { | |
tokenizer: " %{p8}", | |
field: "nwparser.p7", | |
}, | |
}); | |
var dup695 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " %{daddr}/%{dport} %{p9}", | |
field: "nwparser.p8", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{daddr} %{p9}", | |
field: "nwparser.p8", | |
}, | |
}), | |
]); | |
var dup696 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("405101"), | |
}); | |
var dup697 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("702207"), | |
}); | |
var dup698 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("702207:01"), | |
}); | |
var dup699 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713123:01"), | |
}); | |
var dup700 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713123"), | |
}); | |
var dup701 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400019"), | |
}); | |
var dup702 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("710001"), | |
}); | |
var dup703 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("213004"), | |
}); | |
var dup704 = match({ | |
dissect: { | |
tokenizer: ", IP = %{saddr}, %{action}:%{info}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup705 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713025"), | |
}); | |
var dup706 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713025:01"), | |
}); | |
var dup707 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713170"), | |
}); | |
var dup708 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("718045"), | |
}); | |
var dup709 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("721001"), | |
}); | |
var dup710 = match({ | |
dissect: { | |
tokenizer: "DCERPC %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup711 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " unknown %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " request %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup712 = match({ | |
dissect: { | |
tokenizer: " non-standard major version %{version} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}, %{result}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup713 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("508001"), | |
}); | |
var dup714 = match({ | |
dissect: { | |
tokenizer: "L2TP Tunnel %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup715 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " deleted, %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " deleted %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup716 = match({ | |
dissect: { | |
tokenizer: " tunnel_id = %{fld1} remote_peer_ip =%{saddr}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup717 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("603107"), | |
}); | |
var dup718 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("611310"), | |
}); | |
var dup719 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("702301"), | |
}); | |
var dup720 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106100"), | |
}); | |
// ACL hit logging (message ids 106100:01 to 106100:03 below): captures the access-list name.
var dup721 = match({ | |
dissect: { | |
tokenizer: "access-list %{listnum} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Verdict keyword. Only " est-allowed " and " permitted " are accepted here, and the keyword
// is matched as a literal, not captured into a field.
// NOTE(review): there is no "denied" alternative in this select. Confirm that deny hits are
// parsed by another matcher; if they are not, they would not get the fields extracted below.
var dup722 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " est-allowed %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " permitted %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Source side with identity: protocol, sinterface/saddr(sport), then (domain\username), then
// "-> dinterface/daddr". "\\" is a single literal backslash and "\u003e" is ">".
var dup723 = match({ | |
dissect: { | |
tokenizer: " %{protocol} %{sinterface}/%{saddr}(%{sport})(%{domain}\\%{username}) -\u003e %{dinterface}/%{daddr}%{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Destination port, optionally followed by a second parenthesised value kept as fld7.
// The two-group form is listed first.
var dup724 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "(%{dport})(%{fld7})%{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "(%{dport})%{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
// Hit counter goes to dclass_counter1; whatever follows is kept unparsed in fld6.
var dup725 = match({ | |
dissect: { | |
tokenizer: " hit-cnt %{dclass_counter1} %{fld6}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Message id 106100:01.
var dup726 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106100:01"), | |
}); | |
// Same layout as dup723, but the parenthesised value after the source port is kept as the
// opaque fld5 instead of being split into domain and username.
var dup727 = match({ | |
dissect: { | |
tokenizer: " %{protocol} %{sinterface}/%{saddr}(%{sport})(%{fld5}) -\u003e %{dinterface}/%{daddr}%{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Destination port followed by (domain\username), by an opaque (fld7), or by nothing.
// The identity form is listed first, the bare port last.
var dup728 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "(%{dport})(%{domain}\\%{username})%{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "(%{dport})(%{fld7})%{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "(%{dport})%{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
// Message id 106100:02.
var dup729 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106100:02"), | |
}); | |
// Source side without any identity group after the source port.
var dup730 = match({ | |
dissect: { | |
tokenizer: " %{protocol} %{sinterface}/%{saddr}(%{sport}) -\u003e %{dinterface}/%{daddr}%{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Message id 106100:03.
var dup731 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106100:03"), | |
}); | |
var dup732 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("412001"), | |
}); | |
var dup733 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("505014"), | |
}); | |
var dup734 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("307002"), | |
}); | |
var dup735 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("302013:07"), | |
}); | |
// Connection build, inbound form: captures protocol, connectionid and the endpoint after "for"
// as the source (sinterface, saddr, sport, stransaddr). Stops after the "/" of the translated
// pair; the translated port is parsed by the next step from p0.
var dup736 = match({ | |
dissect: { | |
tokenizer: "Built inbound %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Translated source port, optionally followed by a (domain\user) group.
// NOTE(review): the user part is stored in fld3 here, whereas the otherwise identical dup744
// stores it in username. Confirm the difference is intended, since events parsed through this
// select would carry no username for identity-based searches.
var dup737 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{stransport})(%{domain}\\%{fld3})%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{stransport}) %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Destination endpoint with its translated address and port; remainder goes to p2.
var dup738 = match({ | |
dissect: { | |
tokenizer: "to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}) %{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Trailing user name, either single-quoted or parenthesised; the delimiters are not captured.
var dup739 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " '%{username}' %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " (%{username}) %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
// Message id 302013.
var dup740 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013"), | |
}); | |
// Connection build, outbound form. The endpoint after "for" is stored in the destination
// fields and the endpoint after "to" in the source fields, the reverse of dup736/dup738.
// Queries that compare saddr/daddr across inbound and outbound events rely on this swap.
var dup741 = match({ | |
dissect: { | |
tokenizer: "Built outbound %{protocol} connection %{connectionid} for %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}) to %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Same user-name shapes as dup739, but reading p0 and writing p1.
var dup742 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " '%{username}' %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " (%{username}) %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Message id 302013:01.
var dup743 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:01"), | |
}); | |
// Translated source port with optional (domain\username); here the user part does land in
// the username field.
var dup744 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{stransport})(%{domain}\\%{username})%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{stransport}) %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Destination endpoint as the last segment of the message (no remainder captured). Unlike
// dup738 the tokenizer starts with a space before "to".
var dup745 = match({ | |
dissect: { | |
tokenizer: " to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Message id 302013:02.
var dup746 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:02"), | |
}); | |
var dup747 = match({ | |
dissect: { | |
tokenizer: "Built outbound %{protocol} connection %{connectionid} for %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup748 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{dinterface}:%{fld1} :%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{dinterface} :%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup749 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}) to %{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup750 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{sinterface}:%{fld2}:%{saddr}/%{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{sinterface}:%{saddr}/%{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup751 = match({ | |
dissect: { | |
tokenizer: "%{sport} (%{stransaddr}/%{stransport})", | |
field: "nwparser.p3", | |
}, | |
}); | |
var dup752 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:03"), | |
}); | |
var dup753 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("302013:04"), | |
}); | |
var dup754 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("302013:05"), | |
}); | |
var dup755 = match({ | |
dissect: { | |
tokenizer: "Built outbound %{protocol} connection %{connectionid} for %{dinterface} :%{daddr}/%{dport} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup756 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "(%{dtransaddr}/%{dtransport})(%{domain}\\%{username})%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "(%{dtransaddr}/%{dtransport})%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup757 = match({ | |
dissect: { | |
tokenizer: " to %{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup758 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:06"), | |
}); | |
var dup759 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("302013:09"), | |
}); | |
var dup760 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("302013:08"), | |
}); | |
var dup761 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1701030000"), | |
}); | |
var dup762 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("444005"), | |
}); | |
var dup763 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713107"), | |
}); | |
var dup764 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("720025"), | |
}); | |
var dup765 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "Session=%{sessionid}, Unable%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "Unable%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup766 = match({ | |
dissect: { | |
tokenizer: " to remove %{saddr} from standby: %{result}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup767 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1604000000"), | |
}); | |
var dup768 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737032"), | |
}); | |
// Device reload audit events: the payload starts with " PIX reload " or " Reload ".
var dup769 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " PIX reload %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Reload %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
// Literal " command executed from "; nothing is captured except the remainder (p1).
var dup770 = match({ | |
dissect: { | |
tokenizer: " command executed from %{p1}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Origin of the reload: either "<process> (remote <hostip>)." or just "<hostip>.".
// In the second shape whatever precedes the first ". " is stored as hostip, so the field is
// not guaranteed to hold an IP address (TODO confirm against sample messages).
var dup771 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " %{process} (remote %{hostip}). %{p2}", | |
field: "nwparser.p1", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{hostip}. %{p2}", | |
field: "nwparser.p1", | |
}, | |
}), | |
]); | |
// Message id 199001:01.
var dup772 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("199001:01"), | |
}); | |
// Message id 199001.
// NOTE(review): this one writes to "nwparser.nwparser.msg_id1" while dup772 writes to
// "nwparser.msg_id1"; confirm the doubled prefix is intended.
var dup773 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("199001"), | |
}); | |
var dup774 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400000"), | |
}); | |
var dup775 = match({ | |
dissect: { | |
tokenizer: " session number %{sessionid} from %{hostip} ended", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup776 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("606002"), | |
}); | |
var dup777 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713074"), | |
}); | |
var dup778 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr} , %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup779 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{event_description} from %{fld1} to %{fld2} kbs %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{event_description} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup780 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713076"), | |
}); | |
var dup781 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("722006"), | |
}); | |
var dup782 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("108002"), | |
}); | |
var dup783 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("405104"), | |
}); | |
var dup784 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("420003"), | |
}); | |
var dup785 = match({ | |
dissect: { | |
tokenizer: "ISAKMP Phase 2 %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup786 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " retransmission %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " retransmit %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup787 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702205:01"), | |
}); | |
var dup788 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702205"), | |
}); | |
var dup789 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Username = %{username}, IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup790 = match({ | |
dissect: { | |
tokenizer: " %{event_description}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup791 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715076"), | |
}); | |
var dup792 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("726001"), | |
}); | |
var dup793 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("733102"), | |
}); | |
var dup794 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1001020300"), | |
}); | |
var dup795 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400048"), | |
}); | |
// Local-database authentication result: captures action (text before " : reason = ") and
// result (the stated reason), then hands the user portion on as p0.
var dup796 = match({ | |
dissect: { | |
tokenizer: "%{action} : reason = %{result} : local database : user = %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// User name, with the client address when the message carries " : user IP = ".
// The second alternative needs a space after the user name to match.
// The user name is whatever was submitted at login, so treat it as untrusted text downstream.
var dup797 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{username} : user IP = %{saddr}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{username} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Message id 113015.
var dup798 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("113015"), | |
}); | |
var dup799 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("216005"), | |
}); | |
var dup800 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("403107"), | |
}); | |
// DNS length-violation drops: anchors on "Dropped UDP DNS ".
var dup801 = match({ | |
dissect: { | |
tokenizer: "Dropped UDP DNS %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Direction keyword (" reply " or " request "); matched as a literal, not stored in a field.
var dup802 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " reply %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " request %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Both endpoints with interface, address and port; the part after "; " goes to p2.
var dup803 = match({ | |
dissect: { | |
tokenizer: " from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}; %{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Which DNS element was too long: packet, label, domain-name or compression pointer.
// The element name is matched as a literal and is not captured.
var dup804 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " packet %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " label %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " domain-name %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " compression pointer %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
// Observed length goes to the bytes field.
var dup805 = match({ | |
dissect: { | |
tokenizer: " length %{bytes} bytes exceeds %{p4}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Which limit was exceeded.
// NOTE(review): the first alternative has no leading space while the other three do; whether
// that matters depends on how the dissect tokenizer treats leading whitespace. Confirm.
var dup806 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "remaining packet length %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " configured %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " protocol %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " packet length %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
]); | |
// The limit value itself is kept in the generic fld2.
var dup807 = match({ | |
dissect: { | |
tokenizer: " limit of %{fld2} bytes", | |
field: "nwparser.p5", | |
}, | |
}); | |
// Event category constant 1801010000 (its meaning is defined by the category scheme, which
// is not shown in this part of the file).
var dup808 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1801010000"), | |
}); | |
// Message id 410001.
var dup809 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("410001"), | |
}); | |
var dup810 = match({ | |
dissect: { | |
tokenizer: " from %{saddr}/%{sport} to %{daddr}/%{dport}; %{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup811 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " packet %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " label %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup812 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " configured %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " protocol %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
]); | |
var dup813 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("410001:02"), | |
}); | |
var dup814 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("410001:03"), | |
}); | |
var dup815 = match({ | |
dissect: { | |
tokenizer: "UDP DNS packet dropped due to %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup816 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " compression %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " domainname %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " label %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " packet %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup817 = match({ | |
dissect: { | |
tokenizer: " length check of %{bytes} bytes: actual length:%{fld11} bytes", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup818 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("410001:01"), | |
}); | |
var dup819 = match({ | |
dissect: { | |
tokenizer: "Line protocol on Interface %{interface} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup820 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " , %{result} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{result} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup821 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("411001"), | |
}); | |
var dup822 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("604101"), | |
}); | |
var dup823 = match({ | |
dissect: { | |
tokenizer: "ISAKMP Phase 2 exchange %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup824 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " started %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " start %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup825 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702209:01"), | |
}); | |
var dup826 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702209"), | |
}); | |
var dup827 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106015"), | |
}); | |
var dup828 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106015:01"), | |
}); | |
var dup829 = match({ | |
dissect: { | |
tokenizer: ", IP = %{saddr}, %{action}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup830 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713131"), | |
}); | |
var dup831 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713131:01"), | |
}); | |
var dup832 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("105004"), | |
}); | |
var dup833 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("301001"), | |
}); | |
// Local account deletion: anchors on "User deleted from local dbase: Uname: " and passes the
// rest (starting with the user name) on as p0. This is an account-management audit event.
var dup834 = match({ | |
dissect: { | |
tokenizer: "User deleted from local dbase: Uname: %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Event category constant 1402020100.
var dup835 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1402020100"), | |
}); | |
// Message id 502102.
var dup836 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("502102"), | |
}); | |
var dup837 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("613002"), | |
}); | |
var dup838 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("617004"), | |
}); | |
var dup839 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("720002"), | |
}); | |
var dup840 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("101005"), | |
}); | |
var dup841 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("722025"), | |
}); | |
var dup842 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400029"), | |
}); | |
var dup843 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("710007"), | |
}); | |
var dup844 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("715033"), | |
}); | |
var dup845 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("717037"), | |
}); | |
var dup846 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("507001"), | |
}); | |
// Command audit: captures the quoted session type position as fld1, the originating address as
// saddr and the executed command (between single quotes) as action.
// The command text is stored verbatim, so it can contain configuration arguments; access to the
// action field should be scoped like any other administrative audit data.
var dup847 = match({ | |
dissect: { | |
tokenizer: ", running '%{fld1}' from IP %{saddr}, executed '%{action}'", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Event category constant 1401040000.
var dup848 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1401040000"), | |
}); | |
// Message id 111010.
var dup849 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("111010"), | |
}); | |
var dup850 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("212002"), | |
}); | |
var dup851 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400047"), | |
}); | |
var dup852 = match({ | |
dissect: { | |
tokenizer: " IP \u003c\u003c%{saddr}\u003e %{network_service} access GRANTED: %{url}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup853 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("716003"), | |
}); | |
// Origin of a configuration session: the literal "Console"/"console", or a token stored as
// hostip. The console alternatives come first; with the generic " %{hostip} " pattern last,
// presumably so that the word "console" is not stored as a host address (linear_select is
// defined outside this view; first-match order is assumed).
var dup854 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Console %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " console %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{hostip} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
// Outcome of the configuration session goes to disposition.
var dup855 = match({ | |
dissect: { | |
tokenizer: " end configuration: %{disposition}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Message id 111004.
var dup856 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("111004"), | |
}); | |
var dup857 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("199004"), | |
}); | |
var dup858 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1604010000"), | |
}); | |
var dup859 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("311002"), | |
}); | |
var dup860 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("717006"), | |
}); | |
var dup861 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1603030000"), | |
}); | |
var dup862 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("105035"), | |
}); | |
var dup863 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("500003"), | |
}); | |
var dup864 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("210006"), | |
}); | |
var dup865 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("402123"), | |
}); | |
var dup866 = match({ | |
dissect: { | |
tokenizer: " IP \u003c\u003c%{hostip}\u003e Secure Desktop Results: %{info}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup867 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1704010000"), | |
}); | |
var dup868 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("724004"), | |
}); | |
var dup869 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("737005"), | |
}); | |
var dup870 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("305005"), | |
}); | |
var dup871 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("305005:01"), | |
}); | |
var dup872 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("305005:02"), | |
}); | |
var dup873 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("305005:03"), | |
}); | |
var dup874 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("415014"), | |
}); | |
var dup875 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("302022"), | |
}); | |
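// Shared parser steps dup876-dup886. The helpers (match, linear_select, set_field,
// constant) are defined elsewhere in this file; which chains use each step is not
// visible in this excerpt.
// NOTE(review): dest keys alternate between "nwparser.msg_id1" and the doubled
// "nwparser.nwparser.msg_id1" - confirm the doubled form is intended.

// Stub connection: captures both endpoints (interface, address, port) and the translated
// address/port pair given in parentheses for each side.
var dup876 = match({
  dissect: {
    tokenizer: " stub %{protocol} connection for %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})",
    field: "nwparser.p1",
  },
});
var dup877 = set_field({ dest: "nwparser.msg_id1", value: constant("302022:01") });
var dup878 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("315005") });
var dup879 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713149") });

// Two alternatives over nwparser.p0: with and without a leading "Session=<id>, ".
// Presumably linear_select tries them in the order listed - verify in its definition.
var dup880 = linear_select([
  match({ dissect: { tokenizer: "Session=%{sessionid}, DHCP%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " DHCP%{p1}", field: "nwparser.p0" } }),
]);
var dup881 = match({
  dissect: {
    tokenizer: " request attempt %{dclass_counter1} succeeded",
    field: "nwparser.p1",
  },
});
var dup882 = set_field({ dest: "nwparser.msg_id1", value: constant("737017") });
var dup883 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201012") });

// Captures everything after "executed cmd:" as `action`. The value is free text taken
// from the log line, so consumers should treat it as untrusted (escape on display, never
// interpolate into queries or shell commands).
var dup884 = match({
  dissect: {
    tokenizer: " executed cmd:%{action}",
    field: "nwparser.p1",
  },
});
var dup885 = set_field({ dest: "nwparser.msg_id1", value: constant("111009") });

// Reads the raw payload; the remainder after "Session limit " is handed on in p0.
var dup886 = match({
  dissect: {
    tokenizer: "Unable to open AAA session. Session limit %{p0}",
    field: "nwparser.payload",
  },
});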
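// Shared parser steps dup887-dup899. Helpers are defined elsewhere in this file; the
// chains that reference these steps are outside this excerpt.
// NOTE(review): dup888, dup898 and dup899 write to "nwparser.<name>", the other set_field
// steps to "nwparser.nwparser.<name>" - confirm the doubled prefix is intended.

// Optional value before "reached." is kept in fld1; the second alternative covers lines
// without it. Presumably tried in listed order - verify in linear_select.
var dup887 = linear_select([
  match({ dissect: { tokenizer: " %{fld1} reached. %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " reached. %{p1}", field: "nwparser.p0" } }),
]);
var dup888 = set_field({ dest: "nwparser.msg_id1", value: constant("113001:01") });
var dup889 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("113001") });
var dup890 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("416001") });
var dup891 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1301000000") });
var dup892 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("611311") });
var dup893 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("111002") });

// "Line protocol on ..." is split across four steps that pass the unparsed remainder
// along as p0 -> p1 -> p2 -> p3.
var dup894 = match({
  dissect: {
    tokenizer: "Line protocol on %{p0}",
    field: "nwparser.payload",
  },
});
// Accepts either capitalisation of "Interface".
var dup895 = linear_select([
  match({ dissect: { tokenizer: " Interface %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " interface %{p1}", field: "nwparser.p0" } }),
]);
var dup896 = match({
  dissect: {
    tokenizer: " %{interface} %{p2}",
    field: "nwparser.p1",
  },
});
// `result` may or may not be preceded by a comma.
var dup897 = linear_select([
  match({ dissect: { tokenizer: " , %{result} %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{result} %{p3}", field: "nwparser.p2" } }),
]);
var dup898 = set_field({ dest: "nwparser.eventcategory", value: constant("1603030000") });
var dup899 = set_field({ dest: "nwparser.msg_id1", value: constant("411002") });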
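// Shared parser steps dup900-dup916. Helpers are defined elsewhere in this file; the
// chains that reference these steps are outside this excerpt.
// NOTE(review): dup900, dup901, dup911 and dup915 write to "nwparser.msg_id1", the rest
// to "nwparser.nwparser.msg_id1" - confirm the doubled prefix is intended.
var dup900 = set_field({ dest: "nwparser.msg_id1", value: constant("702204:01") });
var dup901 = set_field({ dest: "nwparser.msg_id1", value: constant("702204") });
var dup902 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715060") });
var dup903 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("216001") });
var dup904 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106018") });
var dup905 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302023") });
var dup906 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302023:01") });
var dup907 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("332003") });
var dup908 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("104001") });
var dup909 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("104001:01") });

// Blacklisted-traffic line: captures both endpoints with their translated address/port,
// the list entry that matched (web_domain), the threat level (stored as `severity`) and
// the category (stored as `result`). web_domain is external data; treat it as untrusted
// wherever it is rendered or used for lookups.
var dup910 = match({
  dissect: {
    tokenizer: " blacklisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), destination %{fld1} resolved from %{fld2} list:%{web_domain} threat-level: %{severity}, category: %{result}",
    field: "nwparser.p3",
  },
});
var dup911 = set_field({ dest: "nwparser.msg_id1", value: constant("338002") });
var dup912 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403502") });

// The peer asking for the device certificate is recorded as the source side here.
var dup913 = match({
  dissect: {
    tokenizer: "SSL server %{sinterface}:%{saddr}/%{sport} to %{daddr}/%{dport} requesting our device certificate for %{p0}",
    field: "nwparser.payload",
  },
});
// Accepts the word with or without a trailing period; the dotted form is listed first.
var dup914 = linear_select([
  match({ dissect: { tokenizer: "authentication.%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "authentication%{p1}", field: "nwparser.p0" } }),
]);
var dup915 = set_field({ dest: "nwparser.msg_id1", value: constant("725005:01") });
var dup916 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("725005") });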
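// Shared parser steps dup917-dup928. Helpers are defined elsewhere in this file; the
// chains that reference these steps are outside this excerpt.
// NOTE(review): only dup919 uses the doubled "nwparser.nwparser.msg_id1" key in this
// group; the other set_field steps use "nwparser.msg_id1" - confirm which is intended.

// Local address-pool failure, with or without a "Session=<id>" part after the process
// name. The tunnel-group name that follows the opening quote is left in p0.
var dup917 = linear_select([
  match({ dissect: { tokenizer: "%{process}: Session=%{sessionid} Local pool request failed for tunnel-group '%{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: "%{process} Local pool request failed for tunnel-group '%{p0}", field: "nwparser.payload" } }),
]);
var dup918 = set_field({ dest: "nwparser.msg_id1", value: constant("737007") });
var dup919 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("305012:02") });

// Translation teardown, variant that stops after the source interface.
var dup920 = match({
  dissect: {
    tokenizer: "Teardown %{context} %{protocol} translation from %{sinterface}:%{p0}",
    field: "nwparser.payload",
  },
});
// Source address/port, optionally followed by a parenthesised value kept in fld51.
var dup921 = linear_select([
  match({ dissect: { tokenizer: "%{saddr}/%{sport}(%{fld51}) to %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{saddr}/%{sport} to %{p1}", field: "nwparser.p0" } }),
]);
var dup922 = set_field({ dest: "nwparser.msg_id1", value: constant("305012") });

// Translation teardown, variant that already consumes the source address and port.
var dup923 = match({
  dissect: {
    tokenizer: "Teardown %{context} %{protocol} translation from %{sinterface}:%{saddr}/%{sport} to %{p0}",
    field: "nwparser.payload",
  },
});
// Destination interface, optionally followed by a parenthesised value kept in fld52.
var dup924 = linear_select([
  match({ dissect: { tokenizer: "%{dinterface}(%{fld52}):%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{dinterface}:%{p1}", field: "nwparser.p0" } }),
]);
var dup925 = set_field({ dest: "nwparser.msg_id1", value: constant("305012:01") });

// Module data-channel status, with or without a product name and slot.
var dup926 = linear_select([
  match({ dissect: { tokenizer: "%{product} Module in slot %{fld1} data channel communication is %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: "Module ips data channel communication is %{p0}", field: "nwparser.payload" } }),
]);
// "UP" with or without a trailing period; the dotted form is listed first.
var dup927 = linear_select([
  match({ dissect: { tokenizer: "UP.%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "UP%{p1}", field: "nwparser.p0" } }),
]);
var dup928 = set_field({ dest: "nwparser.msg_id1", value: constant("505011") });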
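// Shared parser steps dup929-dup946. Helpers are defined elsewhere in this file; the
// chains that reference these steps are outside this excerpt.
// NOTE(review): dup931, dup940, dup942 and dup945 write to "nwparser.msg_id1", the rest
// to "nwparser.nwparser.msg_id1" - confirm the doubled prefix is intended.

// Authentication failure: the user name is not captured here, it stays in p0 for a later
// step. Whatever ends up in the user field is text supplied at login and should be
// treated as untrusted downstream.
var dup929 = match({
  dissect: {
    tokenizer: "Authentication failed for user %{p0}",
    field: "nwparser.payload",
  },
});
var dup930 = match({
  dissect: {
    tokenizer: " from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface}",
    field: "nwparser.p1",
  },
});
var dup931 = set_field({ dest: "nwparser.msg_id1", value: constant("109006") });
var dup932 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302303") });
var dup933 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("322001") });
var dup934 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("402106") });
var dup935 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("101003") });
var dup936 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("304003") });
var dup937 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("305011:02") });

// Translation build, variant that stops after the source interface.
var dup938 = match({
  dissect: {
    tokenizer: "Built %{context} %{protocol} translation from %{sinterface}:%{p0}",
    field: "nwparser.payload",
  },
});
var dup939 = match({
  dissect: {
    tokenizer: "%{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.p1",
  },
});
var dup940 = set_field({ dest: "nwparser.msg_id1", value: constant("305011") });

// Translation build, variant that already consumes the source address and port.
var dup941 = match({
  dissect: {
    tokenizer: "Built %{context} %{protocol} translation from %{sinterface}:%{saddr}/%{sport} to %{p0}",
    field: "nwparser.payload",
  },
});
var dup942 = set_field({ dest: "nwparser.msg_id1", value: constant("305011:01") });
var dup943 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713020") });

// \u003e is the JS escape for a greater-than sign: the pattern expects it, surrounded by
// spaces, before "DTLS disabled:".
var dup944 = match({
  dissect: {
    tokenizer: " \u003e DTLS disabled: %{info}",
    field: "nwparser.p3",
  },
});
var dup945 = set_field({ dest: "nwparser.msg_id1", value: constant("722043") });
var dup946 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("211003") });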
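// Shared parser steps dup947-dup962. Helpers are defined elsewhere in this file; the
// chains that reference these steps are outside this excerpt.
// NOTE(review): dup950, dup952, dup955 and dup956 write to "nwparser.<name>", the rest
// to "nwparser.nwparser.<name>" - confirm the doubled prefix is intended.
var dup947 = match({
  dissect: {
    tokenizer: "ISAKMP DPD %{p0}",
    field: "nwparser.payload",
  },
});
// Accepts "timed" or "time" before "out".
var dup948 = linear_select([
  match({ dissect: { tokenizer: " timed %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " time %{p1}", field: "nwparser.p0" } }),
]);
// Initiator and responder forms map the addresses the other way round (dup949: local is
// saddr; dup951: local is daddr), so saddr carries the initiator's address in both.
var dup949 = match({
  dissect: {
    tokenizer: " out (local %{saddr} (initiator), remote %{daddr})",
    field: "nwparser.p1",
  },
});
var dup950 = set_field({ dest: "nwparser.msg_id1", value: constant("702203:01") });
var dup951 = match({
  dissect: {
    tokenizer: " out (local %{daddr} (responder), remote %{saddr})",
    field: "nwparser.p1",
  },
});
var dup952 = set_field({ dest: "nwparser.msg_id1", value: constant("702203") });
var dup953 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737030") });

// Logout line: the user name is left in p0 for a later step.
var dup954 = match({
  dissect: {
    tokenizer: "User logged out: Uname: %{p0}",
    field: "nwparser.payload",
  },
});
var dup955 = set_field({ dest: "nwparser.eventcategory", value: constant("1401070000") });
var dup956 = set_field({ dest: "nwparser.msg_id1", value: constant("611103") });
var dup957 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("724002") });
var dup958 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713904:01") });
var dup959 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713904:03") });
var dup960 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713904:04") });
var dup961 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713904:05") });
var dup962 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713904") });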
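// Shared parser steps dup963-dup985. Helpers are defined elsewhere in this file; the
// chains that reference these steps are outside this excerpt.
// NOTE(review): dup964, dup974, dup975, dup979 and dup980 write to "nwparser.msg_id1",
// the rest to "nwparser.nwparser.<name>" - confirm the doubled prefix is intended.

// Peer address with an optional leading "Group = <name>, ". The group-qualified form is
// listed first; presumably alternatives are tried in order - verify in linear_select.
var dup963 = linear_select([
  match({ dissect: { tokenizer: "Group = %{group}, IP = %{saddr},%{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: "IP = %{saddr},%{p0}", field: "nwparser.payload" } }),
]);
var dup964 = set_field({ dest: "nwparser.msg_id1", value: constant("713904:02") });
var dup965 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718069") });
var dup966 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1802000000") });
var dup967 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("746013") });
var dup968 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("746013:01") });
var dup969 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302027") });
var dup970 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("402114") });
var dup971 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("444108") });
var dup972 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("444108:01") });

// Splits the remainder at the first colon: text before it goes to `action`, the rest to
// `info`.
var dup973 = match({
  dissect: {
    tokenizer: ", %{action}:%{info}",
    field: "nwparser.p0",
  },
});
var dup974 = set_field({ dest: "nwparser.msg_id1", value: constant("713024") });
var dup975 = set_field({ dest: "nwparser.msg_id1", value: constant("715042") });
var dup976 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720041") });
var dup977 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109014") });
var dup978 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("318005") });
var dup979 = set_field({ dest: "nwparser.msg_id1", value: constant("713201") });
var dup980 = set_field({ dest: "nwparser.msg_id1", value: constant("713201:01") });
var dup981 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718073") });
var dup982 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("737033") });
var dup983 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713224") });
var dup984 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("307001") });
var dup985 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("307001:01") });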
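// Shared parser steps dup986-dup1002. Helpers are defined elsewhere in this file; the
// chains that reference these steps are outside this excerpt.
// NOTE(review): dup988, dup994, dup998 and dup1002 write to "nwparser.msg_id1", the rest
// to "nwparser.nwparser.msg_id1" - confirm the doubled prefix is intended.

// "Removed ..." with an optional leading "Session=<id>, ".
var dup986 = linear_select([
  match({ dissect: { tokenizer: "Session=%{sessionid}, Removed%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "Removed%{p1}", field: "nwparser.p0" } }),
]);
var dup987 = match({
  dissect: {
    tokenizer: "%{hostip} from standby",
    field: "nwparser.p1",
  },
});
var dup988 = set_field({ dest: "nwparser.msg_id1", value: constant("737031") });
var dup989 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("750002") });
var dup990 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("710005") });
var dup991 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717036") });

// Connection-limit line: protocol first, the host is taken by dup993 from p1.
var dup992 = match({
  dissect: {
    tokenizer: "Too many %{protocol} connections on %{p0}",
    field: "nwparser.payload",
  },
});
var dup993 = match({
  dissect: {
    tokenizer: " %{hostip}! %{fld1}",
    field: "nwparser.p1",
  },
});
var dup994 = set_field({ dest: "nwparser.msg_id1", value: constant("201004:01") });
var dup995 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201004") });
var dup996 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("415003") });

// NOTE(review): "maximum_sessions" is matched as literal text. If devices print the
// numeric limit at that position, this step never matches and session-limit events stay
// unparsed - confirm against sample logs. The trailing %{} has no key name.
var dup997 = match({
  dissect: {
    tokenizer: " Session could not be established: session limit of maximum_sessions reached%{}",
    field: "nwparser.p1",
  },
});
var dup998 = set_field({ dest: "nwparser.msg_id1", value: constant("716023") });
var dup999 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("104002") });
var dup1000 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("104002:01") });
var dup1001 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400017") });
var dup1002 = set_field({ dest: "nwparser.msg_id1", value: constant("713130") });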
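// Shared parser steps dup1003-dup1024: mostly message-id constants. Helpers are defined
// elsewhere in this file; the chains that reference these steps are outside this excerpt.
// NOTE(review): dup1019 and dup1020 write to "nwparser.<name>", every other set_field
// here to "nwparser.nwparser.msg_id1" - confirm the doubled prefix is intended, since a
// rule filtering on the single-prefix key would miss these ids.
var dup1003 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302001") });
var dup1004 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302001:01") });
var dup1005 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302001:02") });
var dup1006 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302001:03") });
var dup1007 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302001:04") });
var dup1008 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("444101") });
var dup1009 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201005") });
var dup1010 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713141") });
var dup1011 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717033") });
var dup1012 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106011") });
var dup1013 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106011:01") });
var dup1014 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106011:02") });
var dup1015 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106011:03") });
var dup1016 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("613001") });
var dup1017 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("611301") });

// Peer address followed by a description; the text up to the first ". " goes to
// event_description and the rest to fld1.
var dup1018 = match({
  dissect: {
    tokenizer: ", IP = %{saddr}, %{event_description}. %{fld1}",
    field: "nwparser.p1",
  },
});
var dup1019 = set_field({ dest: "nwparser.eventcategory", value: constant("1603040000") });
var dup1020 = set_field({ dest: "nwparser.msg_id1", value: constant("713235") });
var dup1021 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713235:01") });
var dup1022 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717030") });
var dup1023 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("418001:02") });
var dup1024 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("418001:03") });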
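// Shared parser steps dup1025-dup1033: management-only denial and the first access-group
// deny variant. Helpers are defined elsewhere in this file; the chains that reference
// these steps are outside this excerpt.
// NOTE(review): dup1028 uses the doubled "nwparser.nwparser.msg_id1" key while dup1027
// and dup1033 use "nwparser.msg_id1" - confirm which is intended.
var dup1025 = match({
  dissect: {
    tokenizer: "Through-the-device packet to/from management-only network is denied: %{protocol} src %{p0}",
    field: "nwparser.payload",
  },
});
// Source endpoint, optionally followed by "(DOMAIN\user)". "\\" in the JS literal is a
// single backslash in the pattern. The identity-qualified form is listed first.
var dup1026 = linear_select([
  match({ dissect: { tokenizer: "%{sinterface}:%{saddr}/%{sport} (%{domain}\\%{username}) dst %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{sinterface}:%{saddr}/%{sport} dst %{p1}", field: "nwparser.p0" } }),
]);
var dup1027 = set_field({ dest: "nwparser.msg_id1", value: constant("418001:01") });
var dup1028 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("418001") });

// Deny without ports: "Deny protocol <n> src if:addr dst if:addr by access-group ...".
var dup1029 = match({
  dissect: {
    tokenizer: "Deny protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} by access-group %{p0}",
    field: "nwparser.payload",
  },
});
// Opening quote of the access-group name: first alternative expects a backslash before
// the quote character, the second a bare quote.
var dup1030 = linear_select([
  match({ dissect: { tokenizer: " \\\" %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " \" %{p1}", field: "nwparser.p0" } }),
]);
// rule_group receives the access-group name.
var dup1031 = match({
  dissect: {
    tokenizer: " %{rule_group} %{p2}",
    field: "nwparser.p1",
  },
});
// Closing quote, same two spellings. The first alternative has no leading space while
// the second does.
var dup1032 = linear_select([
  match({ dissect: { tokenizer: "\\\" %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " \" %{p3}", field: "nwparser.p2" } }),
]);
var dup1033 = set_field({ dest: "nwparser.msg_id1", value: constant("106023") });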
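// Shared parser steps dup1034-dup1045: further access-group deny variants (with ports,
// with identity, with ICMP type/code). Helpers are defined elsewhere in this file; the
// chains that reference these steps are outside this excerpt.
// "\\" in a JS literal is one backslash, so "%{domain}\\%{username}" matches DOMAIN\user.
// domain, username and dhost come from the logged session; treat them as untrusted text.

var dup1034 = match({
  dissect: {
    tokenizer: "Deny %{protocol} src %{sinterface}:%{saddr}/%{p0}",
    field: "nwparser.payload",
  },
});
// Source port with optional identity, most specific form first. Presumably the first
// matching alternative is used - verify in linear_select, because the bare "%{sport} dst"
// form would otherwise fold the parenthesised identity into sport.
var dup1035 = linear_select([
  match({ dissect: { tokenizer: "%{sport}(%{domain}\\%{username}) dst %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{sport}(%{domain}) dst %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{sport} dst %{p1}", field: "nwparser.p0" } }),
]);
var dup1036 = match({
  dissect: {
    tokenizer: "%{dinterface}:%{daddr}/%{p2}",
    field: "nwparser.p1",
  },
});
// Destination port with an optional parenthesised host name.
var dup1037 = linear_select([
  match({ dissect: { tokenizer: "%{dport}(%{dhost}) by access-group \"%{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: "%{dport} by access-group \"%{p3}", field: "nwparser.p2" } }),
]);
var dup1038 = set_field({ dest: "nwparser.msg_id1", value: constant("106023:01") });

var dup1039 = match({
  dissect: {
    tokenizer: "Deny %{protocol} src %{sinterface}:%{saddr}/%{sport} dst %{dinterface}:%{daddr}/%{p0}",
    field: "nwparser.payload",
  },
});
// Destination port with optional identity; an unrecognised parenthesised value is kept
// in fld2.
var dup1040 = linear_select([
  match({ dissect: { tokenizer: "%{dport}(%{domain}\\%{username}) by access-group %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{dport}(%{fld2}) by access-group %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{dport} by access-group %{p1}", field: "nwparser.p0" } }),
]);
// Access-group name, quoted or bare.
// NOTE(review): the first alternative leaves the remainder in p3, the other two in p2.
// Whatever step follows has to read the right one - confirm in the chain that uses this.
var dup1041 = linear_select([
  match({ dissect: { tokenizer: " \"%{rule_group}\" %{fld1} %{p3}", field: "nwparser.p1" } }),
  match({ dissect: { tokenizer: "\"%{rule_group}\"%{p2}", field: "nwparser.p1" } }),
  match({ dissect: { tokenizer: "%{rule_group} %{p2}", field: "nwparser.p1" } }),
]);
var dup1042 = set_field({ dest: "nwparser.msg_id1", value: constant("106023:04") });

// ICMP form: no ports, type and code are captured instead.
var dup1043 = match({
  dissect: {
    tokenizer: "Deny %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode}) by access-group %{p0}",
    field: "nwparser.payload",
  },
});
var dup1044 = linear_select([
  match({ dissect: { tokenizer: " \"%{rule_group}\" %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{rule_group} %{p1}", field: "nwparser.p0" } }),
]);
var dup1045 = set_field({ dest: "nwparser.msg_id1", value: constant("106023:02") });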
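// Shared parser steps dup1046-dup1070. Helpers are defined elsewhere in this file; the
// chains that reference these steps are outside this excerpt.
// NOTE(review): dup1053, dup1055, dup1057, dup1065, dup1067 and dup1068 write to
// "nwparser.<name>", the rest to "nwparser.nwparser.<name>" - confirm the doubled prefix
// is intended.
var dup1046 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("202002") });
var dup1047 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400014") });
var dup1048 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("415002") });
var dup1049 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201003") });
var dup1050 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("210007") });
var dup1051 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720010") });

// Authorization-denied line in three spellings of the acl value: quoted (dup1052),
// "#<acl>#<group>" (dup1054) and bare (dup1056). Each leaves the user name in p0.
var dup1052 = match({
  dissect: {
    tokenizer: "Authorization denied (acl=\"%{listnum}\") for user %{p0}",
    field: "nwparser.payload",
  },
});
var dup1053 = set_field({ dest: "nwparser.msg_id1", value: constant("109015") });
var dup1054 = match({
  dissect: {
    tokenizer: "Authorization denied (acl=#%{listnum}#%{group}) for user %{p0}",
    field: "nwparser.payload",
  },
});
var dup1055 = set_field({ dest: "nwparser.msg_id1", value: constant("109015:01") });
var dup1056 = match({
  dissect: {
    tokenizer: "Authorization denied (acl=%{listnum}) for user %{p0}",
    field: "nwparser.payload",
  },
});
var dup1057 = set_field({ dest: "nwparser.msg_id1", value: constant("109015:02") });
var dup1058 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("108005:01") });
var dup1059 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("108005") });
var dup1060 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713220") });
var dup1061 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1603050000") });
var dup1062 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105041") });
var dup1063 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302007") });
var dup1064 = match({
  dissect: {
    tokenizer: ", IP = %{saddr}, Mismatch: %{event_description}",
    field: "nwparser.p1",
  },
});
var dup1065 = set_field({ dest: "nwparser.msg_id1", value: constant("713133") });

// \u003c and \u003e are the JS escapes for the less-than and greater-than signs.
// NOTE(review): both bracketed values (saddr, listnum) are preceded by two less-than
// signs and followed by one greater-than. If the device writes a single bracket on each
// side, this step never matches and ignored-ACL events stay unparsed - check against
// sample logs.
var dup1066 = match({
  dissect: {
    tokenizer: " IP \u003c\u003c%{saddr}\u003e User ACL \u003c\u003c%{listnum}\u003e from %{fld1} ignored, %{info}.",
    field: "nwparser.p1",
  },
});
var dup1067 = set_field({ dest: "nwparser.eventcategory", value: constant("1602000000") });
var dup1068 = set_field({ dest: "nwparser.msg_id1", value: constant("716047") });
var dup1069 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("103006") });
var dup1070 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("716009") });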
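// Shared parser steps dup1071-dup1091. Helpers are defined elsewhere in this file; the
// chains that reference these steps are outside this excerpt.
// NOTE(review): dup1073, dup1082 and dup1085 write to "nwparser.msg_id1", the rest to
// "nwparser.nwparser.msg_id1" - confirm the doubled prefix is intended.

// Peer identity: user name single-quoted, user name bare, or address only. The quoted
// form is listed first; presumably the first matching alternative is used, otherwise the
// bare form would keep the quotes inside `username` - verify in linear_select.
var dup1071 = linear_select([
  match({ dissect: { tokenizer: " Username = '%{username}', IP = %{saddr}, %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " Username = %{username}, IP = %{saddr}, %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " IP = %{saddr}, %{p1}", field: "nwparser.p0" } }),
]);
var dup1072 = match({
  dissect: {
    tokenizer: " %{action}: SPI = %{dst_spi}",
    field: "nwparser.p1",
  },
});
var dup1073 = set_field({ dest: "nwparser.msg_id1", value: constant("715006") });
var dup1074 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715006:01") });
var dup1075 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718033") });
var dup1076 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403503") });
var dup1077 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("212001") });
var dup1078 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("213003") });

// PPPoE tunnel teardown, split over three steps (payload -> p0 -> p1).
var dup1079 = match({
  dissect: {
    tokenizer: "Teardown PPPOE %{p0}",
    field: "nwparser.payload",
  },
});
// Accepts either capitalisation of "Tunnel".
var dup1080 = linear_select([
  match({ dissect: { tokenizer: " Tunnel %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " tunnel %{p1}", field: "nwparser.p0" } }),
]);
// The remote peer is stored as saddr.
var dup1081 = match({
  dissect: {
    tokenizer: " at %{interface}, tunnel-id = %{fld1}, remote-peer = %{saddr}",
    field: "nwparser.p1",
  },
});
var dup1082 = set_field({ dest: "nwparser.msg_id1", value: constant("603109") });
var dup1083 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("612003") });
var dup1084 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713169") });
var dup1085 = set_field({ dest: "nwparser.msg_id1", value: constant("722031") });
var dup1086 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109039") });
var dup1087 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720020") });
var dup1088 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720044") });
var dup1089 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("611305") });
var dup1090 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("322003") });
var dup1091 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400043") });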
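// Shared parser steps dup1092-dup1112. Helpers are defined elsewhere in this file; the
// chains that reference these steps are outside this excerpt.
// NOTE(review): dup1095, dup1104, dup1109 and dup1111 write to "nwparser.msg_id1", the
// rest to "nwparser.nwparser.msg_id1" - confirm the doubled prefix is intended.

// Path-MTU line: packet size goes to fld1, effective MTU to fld2 (dup1094).
var dup1092 = match({
  dissect: {
    tokenizer: "PMTU-D packet %{fld1} %{p0}",
    field: "nwparser.payload",
  },
});
// Accepts "bytes" or "byte".
var dup1093 = linear_select([
  match({ dissect: { tokenizer: " bytes %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " byte %{p1}", field: "nwparser.p0" } }),
]);
// The line lists the destination before the source; the field names follow the labels.
var dup1094 = match({
  dissect: {
    tokenizer: " greater than effective mtu %{fld2} dest_addr=%{daddr}, src_addr=%{saddr}, prot=%{protocol}",
    field: "nwparser.p1",
  },
});
var dup1095 = set_field({ dest: "nwparser.msg_id1", value: constant("602101") });
var dup1096 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106006") });
var dup1097 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106006:01") });
var dup1098 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("335004") });
var dup1099 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717010") });
var dup1100 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("113023") });

var dup1101 = match({
  dissect: {
    tokenizer: "Routing failed to locate %{p0}",
    field: "nwparser.payload",
  },
});
// "next-hop" or "next hop"; the two alternatives also differ in where they expect
// surrounding spaces.
var dup1102 = linear_select([
  match({ dissect: { tokenizer: "next-hop %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " next hop%{p1}", field: "nwparser.p0" } }),
]);
var dup1103 = match({
  dissect: {
    tokenizer: " for %{protocol} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.p1",
  },
});
var dup1104 = set_field({ dest: "nwparser.msg_id1", value: constant("110003:01") });
var dup1105 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("110003:02") });
var dup1106 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("110003") });

// Accepts "initiating" or "initiate" before "rekey".
var dup1107 = linear_select([
  match({ dissect: { tokenizer: " initiating %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " initiate %{p1}", field: "nwparser.p0" } }),
]);
// Initiator and responder forms map the addresses the other way round (dup1108: local is
// saddr; dup1110: local is daddr), so saddr carries the initiator's address in both.
var dup1108 = match({
  dissect: {
    tokenizer: " rekey (local %{saddr} (initiator), remote %{daddr})",
    field: "nwparser.p1",
  },
});
var dup1109 = set_field({ dest: "nwparser.msg_id1", value: constant("702212:01") });
var dup1110 = match({
  dissect: {
    tokenizer: " rekey (local %{daddr} (responder), remote %{saddr})",
    field: "nwparser.p1",
  },
});
var dup1111 = set_field({ dest: "nwparser.msg_id1", value: constant("702212") });
var dup1112 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("716051") });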
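// "SMTP made noop" fragments (message id 108001) followed by a run of
// unrelated constant setters.
var dup1113 = match({
  dissect: {
    tokenizer: "SMTP made noop: out %{fld1} in %{fld2} %{p0}",
    field: "nwparser.payload",
  },
});
// Accepts "data" with or without a trailing colon.
var dup1114 = linear_select([
  match({
    dissect: {
      tokenizer: " data %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: " data: %{p1}",
      field: "nwparser.p0",
    },
  }),
]);
// The remainder of the message is kept verbatim in "info".
var dup1115 = match({
  dissect: {
    tokenizer: " %{info}",
    field: "nwparser.p1",
  },
});
var dup1116 = set_field({
  dest: "nwparser.eventcategory",
  value: constant("1603050000"),
});
var dup1117 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("108001"),
});
// NOTE(review): every setter from here to the end of this run uses the doubled
// "nwparser.nwparser." prefix (msg_id1 and eventcategory), while dup1116 and
// dup1117 above use the single prefix. Confirm which path is consumed
// downstream; a split leaves part of the events without id or category.
var dup1118 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("302003"),
});
var dup1119 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("317005"),
});
var dup1120 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("323003"),
});
var dup1121 = set_field({
  dest: "nwparser.nwparser.eventcategory",
  value: constant("1601010000"),
});
var dup1122 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("402125"),
});
var dup1123 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("611308"),
});
var dup1124 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("718049"),
});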
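// "Console Login" fragments (message id 111006) followed by constant setters.
var dup1125 = match({
  dissect: {
    tokenizer: "Console Login from %{p0}",
    field: "nwparser.payload",
  },
});
// Origin address of the console login.
var dup1126 = match({
  dissect: {
    tokenizer: " at %{saddr}",
    field: "nwparser.p1",
  },
});
var dup1127 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("111006"),
});
// NOTE(review): the setters below use the doubled "nwparser.nwparser." prefix,
// unlike dup1127; confirm the intended destination path.
var dup1128 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("106025"),
});
var dup1129 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("302005"),
});
var dup1130 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("302005:01"),
});
var dup1131 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("302005:02"),
});
var dup1132 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("746018"),
});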
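// "<protocol> connection denied by ... list" fragments (message ids 106002 and
// 106002:01). These are deny events, so a missed parse here removes blocked
// traffic from whatever is built on the extracted fields.
var dup1133 = match({
  dissect: {
    tokenizer: "%{protocol} %{p0}",
    field: "nwparser.payload",
  },
});
// Accepts either capitalisation of "connection".
var dup1134 = linear_select([
  match({
    dissect: {
      tokenizer: " Connection %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: " connection %{p1}",
      field: "nwparser.p0",
    },
  }),
]);
// Address and port separated by "/".
var dup1135 = match({
  dissect: {
    tokenizer: " denied by %{direction} list %{fld1} src %{saddr}/%{sport} dest %{daddr}/%{dport}",
    field: "nwparser.p1",
  },
});
var dup1136 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("106002"),
});
// Same message with address and port separated by a space instead of "/".
var dup1137 = match({
  dissect: {
    tokenizer: " denied by %{direction} list %{fld1} src %{saddr} %{sport} dest %{daddr} %{dport}",
    field: "nwparser.p1",
  },
});
var dup1138 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("106002:01"),
});
// NOTE(review): doubled "nwparser.nwparser." prefix, unlike dup1136/dup1138;
// confirm the intended destination path.
var dup1139 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("611320"),
});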
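// "ISAKMP malformed payload received" fragments (message ids 702206 and
// 702206:01) followed by a run of constant setters.
var dup1140 = match({
  dissect: {
    tokenizer: "ISAKMP %{p0}",
    field: "nwparser.payload",
  },
});
// Accepts both "malformed" and the truncated spelling "malform".
var dup1141 = linear_select([
  match({
    dissect: {
      tokenizer: " malformed %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: " malform %{p1}",
      field: "nwparser.p0",
    },
  }),
]);
// Initiator form: local -> saddr, remote -> daddr.
var dup1142 = match({
  dissect: {
    tokenizer: " payload received (local %{saddr} (initiator), remote %{daddr})",
    field: "nwparser.p1",
  },
});
var dup1143 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("702206:01"),
});
// Responder form: mapping flipped (local -> daddr, remote -> saddr), so saddr
// is the initiating peer in both forms.
var dup1144 = match({
  dissect: {
    tokenizer: " payload received (local %{daddr} (responder), remote %{saddr})",
    field: "nwparser.p1",
  },
});
var dup1145 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("702206"),
});
// NOTE(review): all setters below use the doubled "nwparser.nwparser." prefix,
// unlike dup1143/dup1145; confirm which path is consumed downstream so message
// ids are not split across two fields.
var dup1146 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("713231"),
});
var dup1147 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("722050"),
});
var dup1148 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("505007"),
});
var dup1149 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("105010"),
});
var dup1150 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("718039"),
});
var dup1151 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("400003"),
});
var dup1152 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("606003"),
});
var dup1153 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("610001"),
});
var dup1154 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("750001"),
});
var dup1155 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("750001:01"),
});
var dup1156 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("106019"),
});
var dup1157 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("323002"),
});
var dup1158 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("324004"),
});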
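// Fragments for "dropped greylisted ... traffic" (message id 338203) and
// "Intercepted DNS reply" (message id 338301).
// Captures the flow with both real and translated address/port pairs, the
// list entry that matched (web_domain), the threat level (stored as severity)
// and the category (stored as result).
var dup1159 = match({
  dissect: {
    tokenizer: " dropped greylisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), source %{fld1} resolved from %{fld2} list:%{web_domain} threat-level: %{severity}, category: %{result}",
    field: "nwparser.p1",
  },
});
var dup1160 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("338203"),
});
var dup1161 = match({
  dissect: {
    tokenizer: "Intercepted DNS reply for %{p0}",
    field: "nwparser.payload",
  },
});
// Accepts either "domain" or "name" before the queried name.
var dup1162 = linear_select([
  match({
    dissect: {
      tokenizer: " domain %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: " name %{p1}",
      field: "nwparser.p0",
    },
  }),
]);
// web_domain is taken from the DNS reply, i.e. from network-supplied data;
// treat it as untrusted text wherever it is rendered or used in lookups.
var dup1163 = match({
  dissect: {
    tokenizer: " %{web_domain} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}, %{result}",
    field: "nwparser.p1",
  },
});
var dup1164 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("338301"),
});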
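// Constant setters for message ids and one event category.
// NOTE(review): every dest in this run uses the doubled "nwparser.nwparser."
// prefix, whereas other setters in this file write "nwparser.msg_id1" /
// "nwparser.eventcategory". Confirm which path the downstream mapping reads;
// if only one is consumed, these events carry no id or category there.
var dup1165 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("304005"),
});
var dup1166 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("303005"),
});
var dup1167 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("504002:01"),
});
var dup1168 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("504002"),
});
var dup1169 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("720004"),
});
var dup1170 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("105036"),
});
var dup1171 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("105036:01"),
});
var dup1172 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("400033"),
});
var dup1173 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("409004"),
});
var dup1174 = set_field({
  dest: "nwparser.nwparser.eventcategory",
  value: constant("1805000000"),
});
var dup1175 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("503001"),
});
var dup1176 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("308002"),
});
var dup1177 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("415008"),
});
var dup1178 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("415008:01"),
});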
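// "<interface>:<host> is counted as a user for/of <product>" fragments
// (message id 421005).
var dup1179 = match({
  dissect: {
    tokenizer: "%{interface}:%{hostip} is counted as a user %{p0}",
    field: "nwparser.payload",
  },
});
// Accepts either preposition.
var dup1180 = linear_select([
  match({
    dissect: {
      tokenizer: " for %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: " of %{p1}",
      field: "nwparser.p0",
    },
  }),
]);
var dup1181 = match({
  dissect: {
    tokenizer: " %{product}",
    field: "nwparser.p1",
  },
});
var dup1182 = set_field({
  dest: "nwparser.eventcategory",
  value: constant("1608000000"),
});
var dup1183 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("421005"),
});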
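// "Received Invalid SPI notify" fragments (message id 713117) followed by
// constant setters.
// Prefix with or without a Username element; alternatives are presumably tried
// in the order listed.
// NOTE(review): in the first alternative %{saddr} is followed by a space, not
// ", " as in the second alternative (and as in the otherwise identical
// dup1316). If the log text reads "IP = a.b.c.d, ...", saddr may keep the
// trailing comma and stop being a valid address - verify against sample logs.
var dup1184 = linear_select([
  match({
    dissect: {
      tokenizer: " Group = %{group}, Username = %{username}, IP = %{saddr} %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({
    dissect: {
      tokenizer: " Group = %{group}, IP = %{saddr}, %{p0}",
      field: "nwparser.payload",
    },
  }),
]);
var dup1185 = match({
  dissect: {
    tokenizer: " Received Invalid SPI notify (SPI %{dst_spi})!",
    field: "nwparser.p0",
  },
});
var dup1186 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("713117"),
});
// NOTE(review): the setters below use the doubled "nwparser.nwparser." prefix,
// unlike dup1186; confirm the intended destination path.
var dup1187 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("409006"),
});
var dup1188 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("703001"),
});
var dup1189 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("105032"),
});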
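// Authentication-session fragments (message id 109011) and IKE-related tails
// (message ids 715039 / 715059), with their setters.
// The user name itself is left in p0 and parsed by a fragment defined
// elsewhere in the file.
var dup1190 = match({
  dissect: {
    tokenizer: "Authen Session Start: user %{p0}",
    field: "nwparser.payload",
  },
});
var dup1191 = match({
  dissect: {
    tokenizer: ", sid %{sessionid}",
    field: "nwparser.p1",
  },
});
var dup1192 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("109011"),
});
// NOTE(review): doubled "nwparser.nwparser." prefix on the next three setters
// and on the ":01" variants further down, while the base ids use
// "nwparser.msg_id1". Confirm the intended path so variants of one message do
// not land in different fields.
var dup1193 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("400012"),
});
var dup1194 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("400039"),
});
var dup1195 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("611316"),
});
// Peer address followed by free text up to the final "."; the text is stored
// as event_description.
var dup1196 = match({
  dissect: {
    tokenizer: ", IP = %{saddr}, %{event_description}.",
    field: "nwparser.p1",
  },
});
var dup1197 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("715039"),
});
var dup1198 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("715039:01"),
});
var dup1199 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("715059"),
});
var dup1200 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("715059:01"),
});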
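// Fragments for certificate username extraction (message id 113028), AAA
// request failure (113013) and an IKE tail (713137), followed by setters.
var dup1201 = match({
  dissect: {
    tokenizer: "Extraction of username from VPN client certificate has %{p0}",
    field: "nwparser.payload",
  },
});
// Outcome wording: "finished <x>.", "been <x>." or just "<x>."; the bare form
// is listed last, presumably so that it only applies when the more specific
// prefixes do not.
var dup1202 = linear_select([
  match({
    dissect: {
      tokenizer: " finished %{disposition}. %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: " been %{disposition}. %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: " %{disposition}. %{p1}",
      field: "nwparser.p0",
    },
  }),
]);
var dup1203 = match({
  dissect: {
    tokenizer: " [Request %{fld1}]",
    field: "nwparser.p1",
  },
});
var dup1204 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("113028"),
});
// The failure reason is stored as result; the user name stays in p0 for a
// fragment defined elsewhere in the file.
var dup1205 = match({
  dissect: {
    tokenizer: "AAA unable to complete the request Error : reason = %{result}: user = %{p0}",
    field: "nwparser.payload",
  },
});
var dup1206 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("113013"),
});
var dup1207 = match({
  dissect: {
    tokenizer: ", IP = %{saddr}, %{action} [%{fld1}]",
    field: "nwparser.p1",
  },
});
var dup1208 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("713137"),
});
// NOTE(review): the setters below use the doubled "nwparser.nwparser." prefix,
// unlike dup1204/dup1206/dup1208; confirm the intended destination path.
var dup1209 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("713137:01"),
});
var dup1210 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("735004"),
});
var dup1211 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("717043"),
});
var dup1212 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("603103"),
});
var dup1213 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("211001"),
});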
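// "Built inbound ICMP connection" fragments (message id 302020).
// Field mapping used here: faddr -> saddr/sport, gaddr -> hostip,
// laddr -> daddr/dport. In each linear_select the alternatives run from the
// most decorated form to the barest one, presumably so the first match wins.
var dup1214 = match({
  dissect: {
    tokenizer: "Built inbound ICMP connection for faddr %{p0}",
    field: "nwparser.payload",
  },
});
// faddr part: optional "/port" and optional parenthesised identity
// (domain\name or a single token).
var dup1215 = linear_select([
  match({
    dissect: {
      tokenizer: "%{saddr}/%{sport}(%{domain}\\%{fld1}) gaddr %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{saddr}/%{sport}(%{fld20}) gaddr %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{saddr}/%{sport} gaddr %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{saddr}(%{fld11}) gaddr %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{saddr} gaddr %{p1}",
      field: "nwparser.p0",
    },
  }),
]);
// gaddr part, with or without "/port".
var dup1216 = linear_select([
  match({
    dissect: {
      tokenizer: "%{hostip}/%{fld4} laddr %{p2}",
      field: "nwparser.p1",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{hostip} laddr %{p2}",
      field: "nwparser.p1",
    },
  }),
]);
// laddr part. Note the alternatives hand the remainder to different follow-up
// fields (p5 or p3), so later stages must handle both.
var dup1217 = linear_select([
  match({
    dissect: {
      tokenizer: "%{daddr}/%{dport} (%{fld12}) type %{icmptype} code %{icmpcode} %{p5}",
      field: "nwparser.p2",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{daddr}/%{dport} type %{icmptype} code %{icmpcode} %{p5}",
      field: "nwparser.p2",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{daddr}/%{dport}(%{username})%{p3}",
      field: "nwparser.p2",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{daddr}/%{dport} %{p5}",
      field: "nwparser.p2",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{daddr}(%{fld10})%{p3}",
      field: "nwparser.p2",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{daddr} %{p3}",
      field: "nwparser.p2",
    },
  }),
]);
var dup1218 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("302020"),
});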
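// Further "Built ... ICMP connection" variants (message ids 302020:03,
// 302020:04 and 302020:05).
// Outbound mapping: faddr -> daddr/dport, gaddr -> hostip, laddr -> saddr.
// Inbound mapping (dup1225): faddr -> saddr/sport, laddr -> daddr.
// Outbound, faddr decorated with (domain\username).
var dup1219 = match({
  dissect: {
    tokenizer: "Built outbound ICMP connection for faddr %{daddr}/%{dport}(%{domain}\\%{username}) gaddr %{hostip}/%{fld4} laddr %{saddr}/%{p0}",
    field: "nwparser.payload",
  },
});
// Remainder after "laddr <addr>/": port with optional identity or ICMP
// type/code; the bare form is last.
var dup1220 = linear_select([
  match({
    dissect: {
      tokenizer: "%{sport}(%{fld10})%{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{sport} type %{icmptype} code %{icmpcode}%{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{sport}%{p1}",
      field: "nwparser.p0",
    },
  }),
]);
var dup1221 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("302020:04"),
});
// Outbound, undecorated faddr.
var dup1222 = match({
  dissect: {
    tokenizer: "Built outbound ICMP connection for faddr %{daddr}/%{dport} gaddr %{hostip}/%{fld4} laddr %{saddr}/%{p0}",
    field: "nwparser.payload",
  },
});
// NOTE(review): "(%{domain}\%{username})" is listed before "(%{username})";
// if alternatives are tried in order, a parenthesised identity containing a
// backslash is split into domain and username - confirm that is intended for
// every identity format the device emits.
var dup1223 = linear_select([
  match({
    dissect: {
      tokenizer: "%{sport}(%{domain}\\%{username})%{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{sport}(%{fld20}) type %{icmptype} code %{icmpcode}%{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{sport} type %{icmptype} code %{icmpcode}%{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{sport}(%{username})%{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{sport}%{p1}",
      field: "nwparser.p0",
    },
  }),
]);
var dup1224 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("302020:03"),
});
// Inbound, undecorated faddr.
var dup1225 = match({
  dissect: {
    tokenizer: "Built inbound ICMP connection for faddr %{saddr}/%{sport} gaddr %{hostip}/%{fld4} laddr %{p0}",
    field: "nwparser.payload",
  },
});
var dup1226 = linear_select([
  match({
    dissect: {
      tokenizer: "%{daddr}/%{dport}(%{fld10})%{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{daddr}/%{dport}%{p1}",
      field: "nwparser.p0",
    },
  }),
]);
var dup1227 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("302020:05"),
});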
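// "Built outbound ICMP connection" in its port-less form (message id
// 302020:01), followed by constant setters.
// Mapping: faddr -> daddr, gaddr -> hostip, laddr -> saddr.
var dup1228 = match({
  dissect: {
    tokenizer: "Built outbound ICMP connection for faddr %{p0}",
    field: "nwparser.payload",
  },
});
// faddr with or without a parenthesised identity.
var dup1229 = linear_select([
  match({
    dissect: {
      tokenizer: "%{daddr}(%{fld10}) gaddr %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{daddr} gaddr %{p1}",
      field: "nwparser.p0",
    },
  }),
]);
var dup1230 = match({
  dissect: {
    tokenizer: "%{hostip} laddr %{p2}",
    field: "nwparser.p1",
  },
});
// laddr with or without a parenthesised identity.
var dup1231 = linear_select([
  match({
    dissect: {
      tokenizer: "%{saddr}(%{fld11})%{p3}",
      field: "nwparser.p2",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{saddr} %{p3}",
      field: "nwparser.p2",
    },
  }),
]);
var dup1232 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("302020:01"),
});
// NOTE(review): the setters below use the doubled "nwparser.nwparser." prefix,
// so 302020:02 is written to a different field than 302020:01 above; confirm
// the intended destination path.
var dup1233 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("302020:02"),
});
var dup1234 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("312001"),
});
var dup1235 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("505002"),
});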
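// "... sent (local ..., remote ...)" tails (message ids 702202 / 702202:01)
// followed by constant setters.
// Initiator form: local -> saddr, remote -> daddr.
var dup1236 = match({
  dissect: {
    tokenizer: " sent (local %{saddr} (initiator), remote %{daddr})",
    field: "nwparser.p1",
  },
});
var dup1237 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("702202:01"),
});
// Responder form: mapping flipped (local -> daddr, remote -> saddr), so saddr
// is the initiating peer in both forms.
var dup1238 = match({
  dissect: {
    tokenizer: " sent (local %{daddr} (responder), remote %{saddr})",
    field: "nwparser.p1",
  },
});
var dup1239 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("702202"),
});
// NOTE(review): the setters below use the doubled "nwparser.nwparser." prefix,
// unlike dup1237/dup1239; confirm the intended destination path.
var dup1240 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("104004"),
});
var dup1241 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("317003"),
});
var dup1242 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("402130"),
});
var dup1243 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("709002"),
});
var dup1244 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("718058"),
});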
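// "Teardown ICMP connection" fragments (message ids 302021, 302021:01 and
// 302021:02). Mapping: faddr -> saddr/sport, gaddr -> hostip,
// laddr -> daddr/dport.
// faddr decorated with (domain\name); the name is stored as fld5, not as
// username.
var dup1245 = match({
  dissect: {
    tokenizer: "Teardown ICMP connection for faddr %{saddr}/%{sport}(%{sdomain}\\%{fld5}) gaddr %{p0}",
    field: "nwparser.payload",
  },
});
var dup1246 = linear_select([
  match({
    dissect: {
      tokenizer: "%{hostip}/%{fld4} laddr %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{hostip} laddr %{p1}",
      field: "nwparser.p0",
    },
  }),
]);
// NOTE(review): the second alternative stores whatever token follows the port
// as username. If that position can hold text other than a user name, username
// is populated with it - verify against sample logs. Also note the
// alternatives hand the remainder to different fields (p2 or p3).
var dup1247 = linear_select([
  match({
    dissect: {
      tokenizer: "%{daddr}/%{dport}(%{username})%{p2}",
      field: "nwparser.p1",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{daddr}/%{dport} %{username} %{p3}",
      field: "nwparser.p1",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{daddr}/%{dport} %{p3}",
      field: "nwparser.p1",
    },
  }),
]);
var dup1248 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("302021"),
});
// faddr decorated with a single parenthesised token.
var dup1249 = match({
  dissect: {
    tokenizer: "Teardown ICMP connection for faddr %{saddr}/%{sport}(%{fld20}) gaddr %{p0}",
    field: "nwparser.payload",
  },
});
var dup1250 = linear_select([
  match({
    dissect: {
      tokenizer: "%{daddr}/%{dport}(%{username}) type %{p2}",
      field: "nwparser.p1",
    },
  }),
  match({
    dissect: {
      tokenizer: "%{daddr}/%{dport} type %{p2}",
      field: "nwparser.p1",
    },
  }),
]);
var dup1251 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("302021:02"),
});
// Undecorated faddr.
var dup1252 = match({
  dissect: {
    tokenizer: "Teardown ICMP connection for faddr %{saddr}/%{sport} gaddr %{p0}",
    field: "nwparser.payload",
  },
});
var dup1253 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("302021:01"),
});
// NOTE(review): doubled "nwparser.nwparser." prefix, unlike the setters above;
// confirm the intended destination path.
var dup1254 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("302015:05"),
});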
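// "Built ... connection" fragments for message id 302015 and its variants.
// Destination side with translated address/port. The opening "(" is matched
// here; the closing ")" is matched by the dup1256 alternatives.
// NOTE(review): this tokenizer has a literal space before %{p2}, while every
// dup1256 alternative begins with ")" - confirm against sample logs that the
// two fragments line up.
var dup1255 = match({
  dissect: {
    tokenizer: " to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport} %{p2}",
    field: "nwparser.p1",
  },
});
// Optional user name after the closing parenthesis, quoted or parenthesised.
var dup1256 = linear_select([
  match({
    dissect: {
      tokenizer: ") '%{username}' %{p3}",
      field: "nwparser.p2",
    },
  }),
  match({
    dissect: {
      tokenizer: ") (%{username})%{p3}",
      field: "nwparser.p2",
    },
  }),
  match({
    dissect: {
      tokenizer: ")%{p3}",
      field: "nwparser.p2",
    },
  }),
]);
var dup1257 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("302015"),
});
var dup1258 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("302015:01"),
});
// Direction is kept as fld1; only the first endpoint is captured here, as the
// destination.
var dup1259 = match({
  dissect: {
    tokenizer: "Built %{fld1} %{protocol} connection %{connectionid} for %{dinterface}:%{daddr}/%{dport} %{p0}",
    field: "nwparser.payload",
  },
});
// Translated destination with an optional identity: domain\user, a single
// token, or none.
var dup1260 = linear_select([
  match({
    dissect: {
      tokenizer: "(%{dtransaddr}/%{dtransport})(%{domain}\\%{username})%{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "(%{dtransaddr}/%{dtransport})(%{fld3})%{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: "(%{dtransaddr}/%{dtransport})%{p1}",
      field: "nwparser.p0",
    },
  }),
]);
var dup1261 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("302015:03"),
});
// NOTE(review): doubled "nwparser.nwparser." prefix, so 302015:04 is written to
// a different field than the other 302015 variants above; confirm the intended
// destination path.
var dup1262 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("302015:04"),
});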
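// Fragments for "Built PPTP ..." (message id 603108) and "Deny ... by
// access-group" (message id 106027), followed by constant setters.
var dup1263 = match({
  dissect: {
    tokenizer: "Built PPTP %{p0}",
    field: "nwparser.payload",
  },
});
// Tunnel details: the remote peer is stored as saddr and the address handed to
// the client as daddr; the user name is left in p2 for a later fragment.
var dup1264 = match({
  dissect: {
    tokenizer: " at %{interface}, tunnel-id = %{fld1}, remote-peer = %{saddr}, virtual-interface = %{vsys}, client-dynamic-ip = %{daddr}, username = %{p2}",
    field: "nwparser.p1",
  },
});
// The negotiated MPPE key strength is only kept in the generic field fld2.
var dup1265 = match({
  dissect: {
    tokenizer: ", MPPE-key-strength = %{fld2}",
    field: "nwparser.p3",
  },
});
var dup1266 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("603108"),
});
// NOTE(review): doubled "nwparser.nwparser." prefix here and on dup1270-dup1272
// below, unlike dup1266/dup1269; confirm the intended destination path.
var dup1267 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("720003"),
});
// Deny event without ports; the access-group name is left in p0.
var dup1268 = match({
  dissect: {
    tokenizer: "Deny %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} by access-group %{p0}",
    field: "nwparser.payload",
  },
});
var dup1269 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("106027"),
});
var dup1270 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("305006:02"),
});
var dup1271 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("305006"),
});
var dup1272 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("305006:01"),
});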
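// Fragments for "<action> whitelisted ... traffic" (message id 338101) and an
// IKE "User (...) authenticated" tail (message id 713052), with setters.
// Same layout as the greylisted message elsewhere in the file, but the verb is
// captured as action and there is no threat-level/category tail.
var dup1273 = match({
  dissect: {
    tokenizer: " %{action} whitelisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), source %{fld1} resolved from %{fld2} list:%{web_domain}",
    field: "nwparser.p1",
  },
});
var dup1274 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("338101"),
});
// NOTE(review): all remaining setters in this run except dup1284 use the
// doubled "nwparser.nwparser." prefix (msg_id1 and eventcategory); confirm
// which path is consumed downstream so ids and categories are not split
// across two fields.
var dup1275 = set_field({
  dest: "nwparser.nwparser.eventcategory",
  value: constant("1103000000"),
});
var dup1276 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("400028"),
});
var dup1277 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("400036"),
});
var dup1278 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("604102"),
});
var dup1279 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("721004"),
});
var dup1280 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("212006"),
});
var dup1281 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("313008:01"),
});
var dup1282 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("313008"),
});
// NOTE(review): the authenticated user is captured as the generic field fld1,
// not as username. Unless it is copied later, authentication-success events
// parsed through this fragment carry no user field to search or alert on.
var dup1283 = match({
  dissect: {
    tokenizer: ", IP = %{saddr}, User (%{fld1}) authenticated",
    field: "nwparser.p1",
  },
});
var dup1284 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("713052"),
});
var dup1285 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("202004"),
});
var dup1286 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("105031"),
});
var dup1287 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("199908"),
});
var dup1288 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("617003"),
});
var dup1289 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("742004"),
});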
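// "AAA user authentication Successful : local database" prefix (message id
// 113012) followed by constant setters.
// The user name is left in p0 for a fragment defined elsewhere in the file.
var dup1290 = match({
  dissect: {
    tokenizer: "AAA user authentication Successful : local database : user = %{p0}",
    field: "nwparser.payload",
  },
});
var dup1291 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("113012"),
});
// NOTE(review): the setters below use the doubled "nwparser.nwparser." prefix,
// unlike dup1291; confirm the intended destination path.
var dup1292 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("400024"),
});
var dup1293 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("402124"),
});
var dup1294 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("611104"),
});
var dup1295 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("711002"),
});
var dup1296 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("713042"),
});
var dup1297 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("717001"),
});
var dup1298 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("720026"),
});
var dup1299 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("209005"),
});
var dup1300 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("720027"),
});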
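// "Interface <name> <status>" fragments (message id 411003) followed by
// constant setters.
// Accepts either capitalisation of "interface".
var dup1301 = linear_select([
  match({
    dissect: {
      tokenizer: " Interface %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({
    dissect: {
      tokenizer: " interface %{p0}",
      field: "nwparser.payload",
    },
  }),
]);
var dup1302 = match({
  dissect: {
    tokenizer: " %{interface} %{p1}",
    field: "nwparser.p0",
  },
});
// Status text with or without a leading comma; the comma form is listed first.
var dup1303 = linear_select([
  match({
    dissect: {
      tokenizer: " , %{result} %{p2}",
      field: "nwparser.p1",
    },
  }),
  match({
    dissect: {
      tokenizer: " %{result} %{p2}",
      field: "nwparser.p1",
    },
  }),
]);
var dup1304 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("411003"),
});
// NOTE(review): the setters below use the doubled "nwparser.nwparser." prefix,
// unlike dup1304; confirm the intended destination path.
var dup1305 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("611304"),
});
var dup1306 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("713211"),
});
var dup1307 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("400023"),
});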
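// "Drop GTP/GTPv ... message" fragments (message id 324000) followed by
// constant setters.
var dup1308 = match({
  dissect: {
    tokenizer: "Drop %{p0}",
    field: "nwparser.payload",
  },
});
// Accepts "GTPv" or "GTP" as the protocol label.
var dup1309 = linear_select([
  match({
    dissect: {
      tokenizer: " GTPv %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: " GTP %{p1}",
      field: "nwparser.p0",
    },
  }),
]);
// Flow tuple plus the drop reason, stored as result.
var dup1310 = match({
  dissect: {
    tokenizer: " %{misc} message %{fld1} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} Reason: %{result}",
    field: "nwparser.p1",
  },
});
var dup1311 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("324000"),
});
var dup1312 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("411004"),
});
var dup1313 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("715047:01"),
});
var dup1314 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("715047"),
});
// NOTE(review): doubled "nwparser.nwparser." prefix, unlike the four setters
// above; confirm the intended destination path.
var dup1315 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("302010"),
});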
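// Fragments for the "Old P1 SA is being deleted" message (message id 715052)
// and the WebVPN "user ... has been deleted" message (message id 721018),
// followed by constant setters.
// Group/Username/IP prefix, with or without the Username element.
var dup1316 = linear_select([
  match({
    dissect: {
      tokenizer: " Group = %{group}, Username = %{username}, IP = %{saddr}, %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({
    dissect: {
      tokenizer: " Group = %{group}, IP = %{saddr}, %{p0}",
      field: "nwparser.payload",
    },
  }),
]);
var dup1317 = match({
  dissect: {
    tokenizer: " Old P1 SA is being deleted but new SA is DEAD, %{result}",
    field: "nwparser.p0",
  },
});
var dup1318 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("715052"),
});
// The user name is left in p0 for a fragment defined elsewhere in the file.
var dup1319 = match({
  dissect: {
    tokenizer: "(WebVPN-%{context}) %{event_description} user %{p0}",
    field: "nwparser.payload",
  },
});
var dup1320 = match({
  dissect: {
    tokenizer: ", IP %{saddr} has been deleted.",
    field: "nwparser.p1",
  },
});
var dup1321 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("721018"),
});
// NOTE(review): the setters below use the doubled "nwparser.nwparser." prefix
// (msg_id1 and eventcategory), unlike dup1318/dup1321; confirm the intended
// destination path.
var dup1322 = set_field({
  dest: "nwparser.nwparser.eventcategory",
  value: constant("1204010000"),
});
var dup1323 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("746015"),
});
var dup1324 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("106009"),
});
var dup1325 = set_field({
  dest: "nwparser.nwparser.eventcategory",
  value: constant("1613030000"),
});
var dup1326 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("717002"),
});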
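// "SSH session from ... for user ..." fragments (message ids 315011 and
// 315011:01), followed by one constant setter.
var dup1327 = match({
  dissect: {
    tokenizer: "SSH session from %{saddr} on interface %{interface} for user %{p0}",
    field: "nwparser.payload",
  },
});
// User name in doubled quotes, double quotes, single quotes or bare; the quoted
// forms are listed first, presumably so quotes are stripped when present.
// NOTE(review): the user name here is presumably whatever the remote SSH client
// presented, so treat the extracted value as untrusted text. The bare
// alternative ends the name at the first space; a name containing a space or
// quote character would shift the rest of the message into the wrong fields -
// verify how such input is handled before alerting on username or result.
var dup1328 = linear_select([
  match({
    dissect: {
      tokenizer: " \"\"%{username}\"\" %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: " \"%{username}\" %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: " '%{username}' %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({
    dissect: {
      tokenizer: " %{username} %{p1}",
      field: "nwparser.p0",
    },
  }),
]);
var dup1329 = match({
  dissect: {
    tokenizer: " disconnected by SSH server, reason: %{p2}",
    field: "nwparser.p1",
  },
});
// Disconnect reason with the same quoting variants; stored as result.
var dup1330 = linear_select([
  match({
    dissect: {
      tokenizer: " \"\"%{result}\"\" %{p3}",
      field: "nwparser.p2",
    },
  }),
  match({
    dissect: {
      tokenizer: " \"%{result}\" %{p3}",
      field: "nwparser.p2",
    },
  }),
  match({
    dissect: {
      tokenizer: " %{result} %{p3}",
      field: "nwparser.p2",
    },
  }),
]);
var dup1331 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("315011"),
});
// Normal termination; the empty %{} key names no capture field.
var dup1332 = match({
  dissect: {
    tokenizer: " terminated normally%{}",
    field: "nwparser.p1",
  },
});
var dup1333 = set_field({
  dest: "nwparser.msg_id1",
  value: constant("315011:01"),
});
// NOTE(review): doubled "nwparser.nwparser." prefix, unlike dup1331/dup1333;
// confirm the intended destination path.
var dup1334 = set_field({
  dest: "nwparser.nwparser.msg_id1",
  value: constant("444104"),
});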
// Payload prefix in three shapes: Username+IP, Group+IP, or IP only.
// NOTE(review): unlike the similar selectors elsewhere in this file, there is no
// "Group + Username" alternative here; confirm that is intended.
// NOTE(review): username and group are client-influenced. If dissect splits on the first
// occurrence of each literal (confirm), delimiter text inside them could shift what lands
// in saddr, so validate saddr as an IP address downstream.
var dup1335 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Username = %{username}, IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
// Everything after the "Status:" literal is captured as event_description.
var dup1336 = match({ | |
dissect: { | |
tokenizer: " Automatic NAT Detection Status:%{event_description}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup1337 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713172"), | |
}); | |
// NOTE(review): doubled "nwparser.nwparser." prefix here and on dup1341-dup1343, unlike
// dup1337/dup1340; confirm which key downstream rules read.
var dup1338 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("716059"), | |
}); | |
// \u003c is '<' and \u003e is '>', so the literal is " IP <<%{saddr}> Stale SVC ...".
// NOTE(review): two '<' before the capture but one '>' after it; presumably "<<" is how the
// source pattern escapes a literal '<'. Confirm against a raw sample, because a pattern that
// never matches drops saddr silently.
var dup1339 = match({ | |
dissect: { | |
tokenizer: " IP \u003c\u003c%{saddr}\u003e Stale SVC connection closed.", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1340 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722028"), | |
}); | |
var dup1341 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("434002"), | |
}); | |
var dup1342 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("309004"), | |
}); | |
var dup1343 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("414001"), | |
}); | |
// Steps for the WebVPN authentication messages (msg_id1 716039 / 716039:01) and the
// "New ... SVC connection replacing old connection" message (722032).
// In the tokenizers below \u003c is '<' and \u003e is '>'; the doubled "<<" is presumably
// an escaped literal '<' carried over from the source pattern (confirm on a raw sample).
// Head: action and group; the user part continues in p0.
var dup1344 = match({ | |
dissect: { | |
tokenizer: "Authentication: %{action}, group = \u003c\u003c%{group}\u003e user = %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1345 = match({ | |
dissect: { | |
tokenizer: " IP = \u003c\u003c %{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Source address with or without a parenthesised info part; the more specific form is
// listed first.
var dup1346 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " %{saddr} (%{info}) %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{saddr} %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup1347 = match({ | |
dissect: { | |
tokenizer: " \u003e, Session Type: %{network_service}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var dup1348 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("716039"), | |
}); | |
// Second layout of the same message: "Group <...> User ..." with the result at the end.
var dup1349 = match({ | |
dissect: { | |
tokenizer: "Group \u003c\u003c %{group}\u003e User %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1350 = match({ | |
dissect: { | |
tokenizer: " \u003e Authentication:%{result} Session Type: %{network_service}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var dup1351 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("716039:01"), | |
}); | |
var dup1352 = match({ | |
dissect: { | |
tokenizer: " IP \u003c\u003c%{saddr}\u003e New %{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Optional protocol word in front of "SVC".
var dup1353 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " %{protocol} SVC %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " SVC %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
// Unnamed %{} presumably matches and discards trailing text (confirm).
var dup1354 = match({ | |
dissect: { | |
tokenizer: " connection replacing old connection.%{}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var dup1355 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722032"), | |
}); | |
// Constant msg_id1 setters shared by several parsers.
// NOTE(review): every dest in this run except dup1369 is "nwparser.nwparser.msg_id1",
// while dup1369 writes "nwparser.msg_id1". The doubled prefix may be a generator artifact;
// confirm which key detection content reads so these ids are not lost.
var dup1356 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("105046"), | |
}); | |
var dup1357 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("702302"), | |
}); | |
var dup1358 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("717005"), | |
}); | |
var dup1359 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("409010"), | |
}); | |
var dup1360 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("305010"), | |
}); | |
var dup1361 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("305010:01"), | |
}); | |
var dup1362 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("403108"), | |
}); | |
var dup1363 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("409013"), | |
}); | |
var dup1364 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("603101"), | |
}); | |
var dup1365 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("715080"), | |
}); | |
var dup1366 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("718062"), | |
}); | |
var dup1367 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("302025"), | |
}); | |
var dup1368 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("603102"), | |
}); | |
var dup1369 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713132"), | |
}); | |
// Payload prefix in four shapes, most specific first: Group + quoted Username + IP,
// Group + bare Username + IP, Group + IP, IP only. Presumably tried in listed order
// (confirm linear_select semantics).
// NOTE(review): username is supplied by the connecting client. If dissect splits on the
// first occurrence of each literal (confirm), delimiter text inside the name could shift
// what is captured as saddr, so validate saddr as an IP address before relying on it.
var dup1370 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, Username = '%{username}', IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, Username = %{username}, IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
// The whole p0 remainder after one leading space is captured as action.
var dup1371 = match({ | |
dissect: { | |
tokenizer: " %{action}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup1372 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713194"), | |
}); | |
// NOTE(review): the setters below use the doubled "nwparser.nwparser." prefix, unlike
// dup1372; confirm which key downstream rules read.
var dup1373 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("715034"), | |
}); | |
var dup1374 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("302302"), | |
}); | |
var dup1375 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("714006"), | |
}); | |
var dup1376 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("714006:01"), | |
}); | |
var dup1377 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("325001"), | |
}); | |
var dup1378 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("605001"), | |
}); | |
var dup1379 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("725014"), | |
}); | |
// Steps for the authorization access-list messages (msg_id1 109016 / 109016:01), the
// "CRYPTO: ... Soft Reset" message (402126), and assorted msg_id1 / eventcategory constants.
// ACL name is captured as listnum; the user part continues in p0.
var dup1380 = match({ | |
dissect: { | |
tokenizer: "Downloaded authorization access-list %{listnum} not found for user %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1381 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109016"), | |
}); | |
// Second layout: the ACL name and the interface are single-quoted.
var dup1382 = match({ | |
dissect: { | |
tokenizer: "Can't find authorization ACL '%{listnum}' on '%{interface}' for user %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1383 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109016:01"), | |
}); | |
// NOTE(review): from here to dup1392 the dest carries the doubled "nwparser.nwparser."
// prefix, unlike dup1381/dup1383; confirm which key consumers read.
var dup1384 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("737016"), | |
}); | |
var dup1385 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("737016:01"), | |
}); | |
var dup1386 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("421001"), | |
}); | |
var dup1387 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106001"), | |
}); | |
var dup1388 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106001:01"), | |
}); | |
var dup1389 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106008"), | |
}); | |
var dup1390 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106008:01"), | |
}); | |
var dup1391 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106020"), | |
}); | |
var dup1392 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("302018"), | |
}); | |
var dup1393 = match({ | |
dissect: { | |
tokenizer: "CRYPTO: The %{product} File %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Trailing text after the fixed sentence is kept in the generic fld1 capture.
var dup1394 = match({ | |
dissect: { | |
tokenizer: " as a Soft Reset was necessary. %{fld1}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1395 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("402126"), | |
}); | |
// Doubled prefix again on the remaining setters (see the note above dup1384).
var dup1396 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("611309"), | |
}); | |
var dup1397 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1302000000"), | |
}); | |
var dup1398 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("717022"), | |
}); | |
var dup1399 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("120001"), | |
}); | |
// Steps for the "Unknown client ... connection" message (msg_id1 722053), the
// "Teardown local-host" message (609002:01), and assorted constants.
// \u003c is '<' and \u003e is '>'; the doubled "<<" is presumably an escaped literal '<'
// from the source pattern (confirm on a raw sample).
// NOTE(review): the user name and the client application/version strings captured below are
// reported by the remote client; treat them as untrusted text downstream.
var dup1400 = match({ | |
dissect: { | |
tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e Unknown client %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Client string with or without the word "for" between application and product.
var dup1401 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " \u003c\u003c%{application} for %{product} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " \u003c\u003c%{application} %{product} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1402 = match({ | |
dissect: { | |
tokenizer: " %{version}\u003e connection", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1403 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722053"), | |
}); | |
// NOTE(review): doubled "nwparser.nwparser." prefix, unlike dup1403; confirm which key
// consumers read.
var dup1404 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("720048"), | |
}); | |
var dup1405 = match({ | |
dissect: { | |
tokenizer: "Teardown %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Accepts both spellings, "local-host" and "localhost".
var dup1406 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " local-host %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " localhost %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1407 = match({ | |
dissect: { | |
tokenizer: "%{interface}:%{hostip} duration %{duration}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1408 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("609002:01"), | |
}); | |
// The remaining setters in this run use the doubled prefix, except dup1414.
var dup1409 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("752012"), | |
}); | |
// NOTE(review): the variant suffix here is ":1", whereas other variant ids in this file
// use two digits (":01"); confirm that rules matching on msg_id1 expect this exact string.
var dup1410 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("752012:1"), | |
}); | |
var dup1411 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106003"), | |
}); | |
var dup1412 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("404101"), | |
}); | |
var dup1413 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("607001"), | |
}); | |
var dup1414 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715007"), | |
}); | |
var dup1415 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1613050100"), | |
}); | |
var dup1416 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("715007:01"), | |
}); | |
var dup1417 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("725012"), | |
}); | |
var dup1418 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("725012:01"), | |
}); | |
// Steps for the "blacklisted ... traffic" message (msg_id1 338004), the shunned-packet
// message (401004), decompression-history reset (722027) and an IKE authentication-failure
// message (713251), plus assorted constants.
// Captures both endpoints with interface, address/port and the parenthesised translated
// address/port, then three generic fields; the rest continues in p4.
var dup1419 = match({ | |
dissect: { | |
tokenizer: " blacklisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), destination %{fld1} resolved from %{fld2} list:%{fld3}%{p4}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Mask followed by "threat-level:", with or without a comma between them.
var dup1420 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " /%{mask}, threat-level: %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " /%{mask} threat-level: %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
]); | |
var dup1421 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338004"), | |
}); | |
// Accepts "Shunned" or "Shun" as the leading word.
var dup1422 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Shunned %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Shun %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
// \u003e is '>', so the literal between the two addresses is " ==> ".
var dup1423 = match({ | |
dissect: { | |
tokenizer: " packet: %{saddr} ==\u003e %{daddr} on interface %{interface}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup1424 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("401004"), | |
}); | |
// Unnamed %{} presumably matches and discards trailing text (confirm).
var dup1425 = match({ | |
dissect: { | |
tokenizer: " decompression history reset%{}", | |
field: "nwparser.p5", | |
}, | |
}); | |
var dup1426 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722027"), | |
}); | |
// NOTE(review): dup1427-dup1430 and dup1434 use the doubled "nwparser.nwparser." prefix,
// while the other setters in this run use "nwparser."; confirm which key consumers read.
var dup1427 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("305002"), | |
}); | |
var dup1428 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106021"), | |
}); | |
var dup1429 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400040"), | |
}); | |
var dup1430 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("611315"), | |
}); | |
// Peer address for the "Received authentication failure message" text; useful for
// failed-authentication detections, so a non-matching pattern here would go unnoticed.
var dup1431 = match({ | |
dissect: { | |
tokenizer: ", IP = %{saddr}, Received authentication failure message", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1432 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1301020000"), | |
}); | |
var dup1433 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713251"), | |
}); | |
var dup1434 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("105039"), | |
}); | |
// Steps for the "AAA challenge received" message (msg_id1 113010), a Group/Username/IP
// prefix used with 713136, and SVC "connection terminated ... compression" (722023).
var dup1435 = match({ | |
dissect: { | |
tokenizer: "AAA challenge received for user %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// The AAA server address is captured as hostip.
var dup1436 = match({ | |
dissect: { | |
tokenizer: " from server %{hostip}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1437 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("113010"), | |
}); | |
// NOTE(review): dup1438-dup1441 use the doubled "nwparser.nwparser." prefix, unlike
// dup1437; confirm which key consumers read.
var dup1438 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("337005"), | |
}); | |
var dup1439 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("105037"), | |
}); | |
var dup1440 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("209002"), | |
}); | |
var dup1441 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("403104"), | |
}); | |
// Group / Username / IP prefix; the address itself is left in p0 for a later step.
// NOTE(review): the first tokenizer starts with "Group" while the other two start with
// " Group" (leading space). If the payload always begins with a space, the quoted-username
// alternative can never match and the bare alternative would keep the quotes in username.
// Confirm on raw samples.
// NOTE(review): username is client-supplied; treat it as untrusted text downstream.
var dup1442 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "Group = %{group}, Username = '%{username}' , IP = %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, Username = %{username} , IP = %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, IP = %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup1443 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713136"), | |
}); | |
// Doubled prefix again on dup1444-dup1446 and dup1450.
var dup1444 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713255"), | |
}); | |
var dup1445 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("202003"), | |
}); | |
var dup1446 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("415013"), | |
}); | |
var dup1447 = match({ | |
dissect: { | |
tokenizer: " connection terminated %{p6}", | |
field: "nwparser.p5", | |
}, | |
}); | |
// Reads nwparser.p7; the step that produces p7 from p6 is defined elsewhere in the file.
var dup1448 = match({ | |
dissect: { | |
tokenizer: " compression%{}", | |
field: "nwparser.p7", | |
}, | |
}); | |
var dup1449 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722023"), | |
}); | |
var dup1450 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("733100"), | |
}); | |
// Steps for the "Deny <direction> icmp ..." message (msg_id1 106014), the
// "IKE Remote Peer configured for crypto map" message (713066), and assorted constants.
var dup1451 = match({ | |
dissect: { | |
tokenizer: "Deny %{direction} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Protocol keyword in upper or lower case; the matched word itself is not captured.
var dup1452 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " ICMP %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " icmp %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Source and destination interface/address plus the ICMP type and code.
var dup1453 = match({ | |
dissect: { | |
tokenizer: " src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1454 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106014"), | |
}); | |
// Peer address, then the crypto map name kept in the generic fld1 capture.
var dup1455 = match({ | |
dissect: { | |
tokenizer: ", IP = %{saddr}, IKE Remote Peer configured for crypto map: %{fld1}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1456 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713066"), | |
}); | |
// NOTE(review): from here on the dest uses the doubled "nwparser.nwparser." prefix
// (dup1462 excepted), including the ":01" variant of the id set by dup1456 on
// "nwparser.msg_id1". The two variants of one message therefore land in different keys;
// confirm which key detection content reads.
var dup1457 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713066:01"), | |
}); | |
var dup1458 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400022"), | |
}); | |
var dup1459 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("419002"), | |
}); | |
var dup1460 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("419003"), | |
}); | |
var dup1461 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("611321"), | |
}); | |
var dup1462 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715056"), | |
}); | |
var dup1463 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("720032"), | |
}); | |
var dup1464 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("725008"), | |
}); | |
var dup1465 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("725008:01"), | |
}); | |
var dup1466 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106010"), | |
}); | |
var dup1467 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106010:01"), | |
}); | |
var dup1468 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106010:02"), | |
}); | |
var dup1469 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106010:03"), | |
}); | |
var dup1470 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("615001"), | |
}); | |
// Steps for the "ISAKMP Phase 1 exchange" message (msg_id1 702210 / 702210:01), the
// "Client Type" message (722055), and the "Received message" message (737001).
var dup1471 = match({ | |
dissect: { | |
tokenizer: "ISAKMP Phase 1 exchange %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Accepts "completed" or "complete".
var dup1472 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " completed %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " complete %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Initiator layout: the first address is captured as saddr, the remote one as daddr.
var dup1473 = match({ | |
dissect: { | |
tokenizer: " %{saddr} (initiator), remote %{daddr})", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1474 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702210:01"), | |
}); | |
// Responder layout: the capture names are swapped, so the first address becomes daddr
// and the remote one saddr.
var dup1475 = match({ | |
dissect: { | |
tokenizer: " %{daddr} (responder), remote %{saddr})", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1476 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702210"), | |
}); | |
// NOTE(review): doubled "nwparser.nwparser." prefix, unlike the other setters in this run;
// confirm which key consumers read.
var dup1477 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("717029"), | |
}); | |
// \u003c is '<' and \u003e is '>'; the doubled "<<" is presumably an escaped literal '<'
// from the source pattern (confirm on a raw sample).
// NOTE(review): username and the client type/version strings are reported by the remote
// client; treat them as untrusted text downstream.
var dup1478 = match({ | |
dissect: { | |
tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e Client Type: %{application} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Version given either as "for <product> <version>" or as "v<version>".
var dup1479 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "for %{product} %{version}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "v%{version}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1480 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722055"), | |
}); | |
// Optional "Session=<id>, " in front of "Received message".
var dup1481 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "Session=%{sessionid}, Received message%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "Received message%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// The single-quoted message text is captured as info.
var dup1482 = match({ | |
dissect: { | |
tokenizer: " '%{info}'", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1483 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737001"), | |
}); | |
// Steps for the "Permitted SSH session" message (msg_id1 315002), a "failed authentication"
// tail (402120), and assorted msg_id1 / eventcategory constants.
// Source address and interface of a permitted SSH session; the user part continues in p0.
var dup1484 = match({ | |
dissect: { | |
tokenizer: "Permitted SSH session from %{saddr} on interface %{interface} for user %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1485 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("315002"), | |
}); | |
// NOTE(review): most setters below use the doubled "nwparser.nwparser." prefix, while
// dup1485, dup1489 and dup1495 write "nwparser.msg_id1". Confirm which key consumers read.
var dup1486 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("319001:01"), | |
}); | |
var dup1487 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("319001"), | |
}); | |
var dup1488 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("720024"), | |
}); | |
var dup1489 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("724003"), | |
}); | |
var dup1490 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106103:01"), | |
}); | |
var dup1491 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106103"), | |
}); | |
var dup1492 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1602000000"), | |
}); | |
var dup1493 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("321005"), | |
}); | |
// Destination address of the packet that "failed authentication".
var dup1494 = match({ | |
dissect: { | |
tokenizer: " to %{daddr} that failed authentication.", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1495 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("402120"), | |
}); | |
var dup1496 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("611312"), | |
}); | |
var dup1497 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("107001:01"), | |
}); | |
var dup1498 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("107001"), | |
}); | |
// Steps for the "Address ... discovered for domain" message (msg_id1 338302), the
// "dropped blacklisted ... traffic" message (338006), and "User authentication failed"
// (611102 / 611102:01).
var dup1499 = match({ | |
dissect: { | |
tokenizer: "Address %{hostip} discovered for domain %{web_domain} from %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Category terminated by either a period or a comma.
var dup1500 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " %{category}. %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{category}, %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Unnamed %{} presumably matches and discards trailing text (confirm).
var dup1501 = match({ | |
dissect: { | |
tokenizer: " Adding rule%{}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1502 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338302"), | |
}); | |
// NOTE(review): dup1503-dup1505, dup1508 and dup1514 use the doubled "nwparser.nwparser."
// prefix, unlike the other setters in this run; confirm which key consumers read.
var dup1503 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("611314"), | |
}); | |
var dup1504 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("317001"), | |
}); | |
var dup1505 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("321003"), | |
}); | |
// Both endpoints with their translated address/port, the matched list entry as web_domain,
// the threat level as severity, and the category text as result.
var dup1506 = match({ | |
dissect: { | |
tokenizer: " dropped blacklisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), destination %{fld1} resolved from %{fld2} list:%{web_domain} threat-level: %{severity}, category: %{result}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1507 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338006"), | |
}); | |
var dup1508 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("413001"), | |
}); | |
// Failed-login message; the user name follows in p0.
// NOTE(review): the name on a failed login is whatever the client typed (it may even be a
// mistyped password), so handle the captured value as untrusted and potentially sensitive.
var dup1509 = match({ | |
dissect: { | |
tokenizer: "User authentication failed: Uname: %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1510 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611102"), | |
}); | |
// Second layout of the failed-login message, starting with the source address.
var dup1511 = match({ | |
dissect: { | |
tokenizer: "User authentication failed: %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// With or without ", Uname: ..." after the address; the longer form is listed first.
var dup1512 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "IP address: %{saddr}, Uname: %{username}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "IP address: %{saddr}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1513 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611102:01"), | |
}); | |
var dup1514 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("611323"), | |
}); | |
// Steps for the "Starting SSL handshake" message (msg_id1 725001 / 725001:01) and the
// "Call-Home is processing" message (120003), plus two constants.
var dup1515 = match({ | |
dissect: { | |
tokenizer: "Starting SSL handshake with %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Peer role: "client" or "server"; the word itself is not captured.
var dup1516 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " client %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " server %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// NOTE(review): the literals "to" and "for " have no surrounding spaces here
// ("%{sport}to%{daddr}", "%{dport}for "), unlike the similar "... to %{daddr}/%{dport}"
// patterns elsewhere in the file. If raw messages contain " to " and " for ", the captured
// ports/addresses would presumably carry stray spaces, or "to" could match inside another
// token. Verify against samples before relying on sport/daddr/dport from this step.
var dup1517 = match({ | |
dissect: { | |
tokenizer: " %{sinterface}:%{saddr}/%{sport}to%{daddr}/%{dport}for %{version} session", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1518 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725001:01"), | |
}); | |
// Single-endpoint layout: interface, address and port, then the protocol version.
var dup1519 = match({ | |
dissect: { | |
tokenizer: " %{interface}:%{hostip}/%{network_port} for %{version} session.", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1520 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725001"), | |
}); | |
var dup1521 = match({ | |
dissect: { | |
tokenizer: "Call-Home is processing %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Event kind: configuration, inventory or snapshot; the word itself is not captured.
var dup1522 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " configuration %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " inventory %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " snapshot %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1523 = match({ | |
dissect: { | |
tokenizer: " event %{info}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1524 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("120003"), | |
}); | |
// NOTE(review): doubled "nwparser.nwparser." prefix on the two setters below, unlike the
// others in this run; confirm which key consumers read.
var dup1525 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("414002"), | |
}); | |
var dup1526 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("415007"), | |
}); | |
// Payload prefix in four shapes, most specific first. Unlike the comma-terminated variants
// elsewhere in the file, saddr here is followed by a space rather than ", ".
// NOTE(review): username is supplied by the connecting client. If dissect splits on the
// first occurrence of each literal (confirm), delimiter text inside the name could shift
// what is captured as saddr, so validate saddr as an IP address downstream.
var dup1527 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, Username = '%{username}', IP = %{saddr} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, Username = %{username}, IP = %{saddr} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, IP = %{saddr} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " IP = %{saddr} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup1528 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("714011"), | |
}); | |
// ID type keyword: the subnet form or the plain address form; the keyword is not captured.
var dup1529 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " ID_IPV4_ADDR_SUBNET %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " ID_IPV4_ADDR %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
// The value after " ID " is kept in the generic fld1 capture.
var dup1530 = match({ | |
dissect: { | |
tokenizer: " ID %{fld1}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup1531 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("714011:01"), | |
}); | |
// NOTE(review): doubled "nwparser.nwparser." prefix on the two setters below, unlike
// dup1528/dup1531; confirm which key consumers read.
var dup1532 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("101002"), | |
}); | |
var dup1533 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("409008"), | |
}); | |
// Steps for the "PPTP Tunnel deleted" message (msg_id1 603105), "Assigned private IP
// address" (713228), "No IPv6 address available for SVC connection" (722041), and two
// error-message tails (402116, 713048), plus assorted constants.
var dup1534 = match({ | |
dissect: { | |
tokenizer: "PPTP Tunnel %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// "deleted" with or without a following comma.
var dup1535 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " deleted, tunnel_id %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " deleted tunnel_id %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Tunnel id goes to the generic fld1; the remote peer address is captured as saddr.
var dup1536 = match({ | |
dissect: { | |
tokenizer: " =%{fld1}, remote_peer_ip=%{saddr}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1537 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("603105"), | |
}); | |
// NOTE(review): dup1538, dup1542 and dup1551-dup1553 use the doubled "nwparser.nwparser."
// prefix, while the other setters in this run (including the eventcategory one) use
// "nwparser."; confirm which key consumers read.
var dup1538 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713061"), | |
}); | |
// Public peer address as saddr and the assigned private address as stransaddr; keeping
// both lets an analyst tie inside activity back to the remote peer.
var dup1539 = match({ | |
dissect: { | |
tokenizer: ", IP = %{saddr}, Assigned private IP address %{stransaddr} to remote user", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1540 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1605020000"), | |
}); | |
var dup1541 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713228"), | |
}); | |
var dup1542 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("103004"), | |
}); | |
var dup1543 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715021"), | |
}); | |
// \u003c is '<' and \u003e is '>'; the doubled "<<" is presumably an escaped literal '<'
// from the source pattern (confirm on a raw sample).
var dup1544 = match({ | |
dissect: { | |
tokenizer: "TunnelGroup \u003c\u003c %{fld1} \u003e GroupPolicy \u003c\u003c %{group} \u003e User %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1545 = match({ | |
dissect: { | |
tokenizer: " \u003e No IPv6 address available for SVC connection%{}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var dup1546 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722041"), | |
}); | |
// Destination address, then the remaining sentence as result.
var dup1547 = match({ | |
dissect: { | |
tokenizer: " to %{daddr}. %{result}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1548 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("402116"), | |
}); | |
var dup1549 = match({ | |
dissect: { | |
tokenizer: ", Error processing payload: Payload ID: %{fld1}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup1550 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713048"), | |
}); | |
var dup1551 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("103001"), | |
}); | |
var dup1552 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("318006"), | |
}); | |
var dup1553 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("407001"), | |
}); | |
// Steps for the "ospf ... update ... overriding conflict" message (msg_id1 408002), the
// "Device proposes the following ... cipher(s)" message (725009:01 / 725009), and the
// "(VPN-...) Receiving ... message ... from active unit" message.
var dup1554 = match({ | |
dissect: { | |
tokenizer: "ospf %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Route type in front of "update": E1, E2, IA, or none. The bare form is last because
// its literal " update " is a suffix of the other three.
var dup1555 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " E1 update %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " E2 update %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " IA update %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " update %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// NOTE(review): the token after "via %{daddr}:" is captured as host; what that token holds
// in the raw message is not visible here. Confirm before treating it as a hostname.
var dup1556 = match({ | |
dissect: { | |
tokenizer: " %{stransaddr} %{fld1} [%{fld2}] via %{daddr}:%{host} overriding conflict with %{dtransaddr} %{fld3} [%{fld4}] %{interface}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1557 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1805020000"), | |
}); | |
var dup1558 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("408002"), | |
}); | |
// Number of proposed ciphers is captured as dclass_counter1; the peer role follows in p0.
var dup1559 = match({ | |
dissect: { | |
tokenizer: "Device proposes the following %{dclass_counter1} cipher(s) to %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Peer role: "server" or "client"; the word itself is not captured.
var dup1560 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "server%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "client%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1561 = match({ | |
dissect: { | |
tokenizer: " %{interface}:%{saddr}/%{sport} to %{daddr}/%{dport}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1562 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725009:01"), | |
}); | |
// NOTE(review): the base id 725009 is written to "nwparser.nwparser.msg_id1" while its
// ":01" variant above goes to "nwparser.msg_id1"; dup1564 and dup1565 also use the doubled
// prefix. Confirm which key consumers read.
var dup1563 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("725009"), | |
}); | |
var dup1564 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("120007"), | |
}); | |
var dup1565 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("718023"), | |
}); | |
var dup1566 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) Receiving %{obj_type} message %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Info either wrapped in parentheses or bare; the parenthesised form is listed first so
// the brackets are not kept in the captured value.
var dup1567 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " (%{info}) %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{info} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Unnamed %{} presumably matches and discards trailing text (confirm).
var dup1568 = match({ | |
dissect: { | |
tokenizer: " from active unit%{}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1569 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720042"), | |
}); | |
var dup1570 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("415011"), | |
}); | |
var dup1571 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("611307"), | |
}); | |
var dup1572 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713206"), | |
}); | |
var dup1573 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("324006"), | |
}); | |
var dup1574 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("210001"), | |
}); | |
var dup1575 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("304002"), | |
}); | |
var dup1576 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("304002:01"), | |
}); | |
var dup1577 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{product} Module in slot %{fld1}, application up \"%{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "Module ips, application up \"%{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup1578 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("505015"), | |
}); | |
var dup1579 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702208:01"), | |
}); | |
var dup1580 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702208"), | |
}); | |
var dup1581 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("735006"), | |
}); | |
var dup1582 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("109013"), | |
}); | |
// Steps dup1583-dup1593: Group/Username/IP prefixes and the chained fragments
// of a "Received non-routine Notify message" line. Each fragment reads one
// nwparser.pN field and leaves the unparsed tail in the next %{pN} capture.
// NOTE(review): linear_select presumably tries its alternatives in list order
// and keeps the first that matches - confirm against its definition, which is
// outside this excerpt.
// Handling note: group and username are copied verbatim from the log line and
// are bounded only by the literal ", " separators, so a separator inside a
// value misaligns the later captures. Validate saddr as an address before using
// it for correlation.
var dup1583 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Username = %{username}, IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup1584 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715046:01"), | |
}); | |
var dup1585 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715046"), | |
}); | |
// NOTE(review): the next two tags use the doubled "nwparser.nwparser." prefix,
// unlike the two above. If taken literally they are stored under a different
// key than nwparser.msg_id1 - confirm which path consumers query.
var dup1586 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400025"), | |
}); | |
var dup1587 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("444106"), | |
}); | |
// The username is optional here: the second alternative accepts a line that
// carries only the peer address, in which case no username field is captured.
var dup1588 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Username = %{username}, IP = %{saddr}, %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " IP = %{saddr}, %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1589 = match({ | |
dissect: { | |
tokenizer: " Received non-routine %{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Accepts both capitalisations of the keyword; nothing is captured except the
// tail.
var dup1590 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Notify %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " notify %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup1591 = match({ | |
dissect: { | |
tokenizer: " message: %{p4}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// The alternative with the parenthesised detail is listed first, so that the
// detail goes to info rather than staying inside the tail.
var dup1592 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " %{result} (%{info}) %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{result} %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
]); | |
var dup1593 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713068"), | |
}); | |
// Steps dup1594-dup1603: fragments for session messages tagged 722049, 722051
// and 722051:01. In these string literals \u003c is "<" and \u003e is ">".
// NOTE(review): every opening delimiter is a doubled "<<" while every closing
// one is a single ">", and the spacing after "<<" differs between fragments
// ("<< %{stransaddr}" in dup1598 and dup1602, "<<%{info}" in dup1600). Check
// these literals against sample device output; a fragment that never matches
// leaves the assigned-address fields empty for every such event.
// Decodes to: " > Session terminated: %{info}"
var dup1594 = match({ | |
dissect: { | |
tokenizer: " \u003e Session terminated: %{info}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var dup1595 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722049"), | |
}); | |
// Decodes to: " > IPv4 %{p4}"
var dup1596 = match({ | |
dissect: { | |
tokenizer: " \u003e IPv4 %{p4}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Accepts either capitalisation of the keyword.
var dup1597 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Address %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " address %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
]); | |
// Decodes to: " << %{stransaddr} > IPv6 %{p6}". The IPv4 value is stored in
// stransaddr.
var dup1598 = match({ | |
dissect: { | |
tokenizer: " \u003c\u003c %{stransaddr} \u003e IPv6 %{p6}", | |
field: "nwparser.p5", | |
}, | |
}); | |
var dup1599 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " address %{p7}", | |
field: "nwparser.p6", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Address %{p7}", | |
field: "nwparser.p6", | |
}, | |
}), | |
]); | |
// Decodes to: " <<%{info}> assigned to session". The IPv6 value is stored in
// the free-text info field, not in an address field.
var dup1600 = match({ | |
dissect: { | |
tokenizer: " \u003c\u003c%{info}\u003e assigned to session", | |
field: "nwparser.p7", | |
}, | |
}); | |
var dup1601 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722051:01"), | |
}); | |
// Decodes to: " > Address << %{stransaddr} > assigned to session"
var dup1602 = match({ | |
dissect: { | |
tokenizer: " \u003e Address \u003c\u003c %{stransaddr} \u003e assigned to session", | |
field: "nwparser.p3", | |
}, | |
}); | |
var dup1603 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722051"), | |
}); | |
var dup1604 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("716601"), | |
}); | |
var dup1605 = match({ | |
dissect: { | |
tokenizer: "Downloaded ACL %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1606 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " '%{listnum}' %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{listnum} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1607 = match({ | |
dissect: { | |
tokenizer: " is empty%{}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1608 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109018"), | |
}); | |
// Steps dup1609-dup1618: "Teardown <protocol> connection" fragments and the
// tags 302016:05, 302016:07 and 302016:04. Each match names the field it reads
// and passes the unparsed tail on through a %{pN} capture. Which tag is paired
// with which fragments is decided where these variables are used, outside this
// excerpt.
// In these string literals "\\" is one literal backslash, so
// "(%{ddomain}\\%{c_username})" expects the form (domain\user).
// Handling note: sdomain, ddomain, c_username and username are copied verbatim
// from the log line and are bounded only by literal delimiters such as "(",
// ")", "\" and " to ". An unexpected delimiter inside a value misaligns every
// later capture, so validate saddr/daddr as addresses and sport/dport/bytes as
// integers before relying on them for attribution or alerting.
var dup1609 = match({ | |
dissect: { | |
tokenizer: "Teardown %{protocol} connection %{connectionid} for %{sinterface}:%{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Source endpoint, with or without a parenthesised domain\user suffix. The
// user part of that suffix is kept only in the generic fld7 capture.
// NOTE(review): presumably alternatives are tried in list order - confirm.
var dup1610 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{saddr}/%{sport}(%{sdomain}\\%{fld7}) to %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{saddr}/%{sport} to %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Destination endpoint with a mandatory (domain\user) suffix, then duration.
var dup1611 = match({ | |
dissect: { | |
tokenizer: "%{dinterface}:%{daddr}/%{dport}(%{ddomain}\\%{c_username}) duration %{duration} bytes %{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Byte count, optionally followed by a parenthesised username.
var dup1612 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{bytes} (%{username})%{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{bytes} %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup1613 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302016:05"), | |
}); | |
// Single-pass variant: the source carries a parenthesised value kept in fld1,
// the destination carries (domain\user).
var dup1614 = match({ | |
dissect: { | |
tokenizer: "Teardown %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport}(%{fld1}) to %{dinterface}:%{daddr}/%{dport}(%{ddomain}\\%{c_username}) duration %{duration} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1615 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "bytes %{bytes} (%{username})%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "bytes %{bytes}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1616 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302016:07"), | |
}); | |
// Same as dup1614 but without the parenthesised value after the source port.
var dup1617 = match({ | |
dissect: { | |
tokenizer: "Teardown %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}(%{ddomain}\\%{c_username}) duration %{duration} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1618 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302016:04"), | |
}); | |
// Steps dup1619-dup1633: further teardown-connection fragments and the tags
// 302016:06, 302016, 302016:01, 302016:02 and 302016:03. Each match names the
// field it reads and passes the unparsed tail on through a %{pN} capture.
// In these string literals "\\" is one literal backslash, so
// "(%{ddomain}\\%{c_username})" expects the form (domain\user).
// Handling note: the identity captures (sdomain, ddomain, c_username, username)
// are copied verbatim from the log line and are bounded only by literal
// delimiters; validate addresses, ports and byte counts downstream before
// using them for attribution or alerting.
// NOTE(review): the value in parentheses after an endpoint is stored as
// c_username in dup1630 but as the generic fld20 in dup1621 and dup1629. If it
// is a user identity in both cases, attribution differs by message variant -
// confirm.
var dup1619 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{saddr}/%{sport}(%{sdomain}\\%{fld5}) to %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{saddr}/%{sport} to %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1620 = match({ | |
dissect: { | |
tokenizer: "%{dinterface}:%{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1621 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport}(%{ddomain}\\%{c_username})%{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport}(%{fld20})%{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup1622 = match({ | |
dissect: { | |
tokenizer: " duration %{duration} %{p4}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Byte count with a quoted username, a parenthesised username, or none.
// NOTE(review): the first two alternatives leave the tail in p5 but the third
// leaves it in p6. A later step that reads nwparser.p5 would find nothing (or
// a stale value) when the third alternative is the one that matched - confirm
// this is intended.
var dup1623 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " bytes %{bytes} '%{username}' %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " bytes %{bytes} (%{username}) %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " bytes %{bytes} %{p6}", | |
field: "nwparser.p4", | |
}, | |
}), | |
]); | |
var dup1624 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302016:06"), | |
}); | |
var dup1625 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport}(%{ddomain}\\%{c_username}) duration %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport} duration %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup1626 = match({ | |
dissect: { | |
tokenizer: "%{duration} bytes %{bytes} %{p4}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Username in single quotes or in parentheses; the delimiters themselves are
// not part of the captured value.
var dup1627 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " '%{username}' %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " (%{username}) %{p5}", | |
field: "nwparser.p4", | |
}, | |
}), | |
]); | |
var dup1628 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302016"), | |
}); | |
// Source endpoint: (domain\user) suffix, any parenthesised suffix, or none.
var dup1629 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{saddr}/%{sport}(%{sdomain}\\%{fld5}) to %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{saddr}/%{sport}(%{fld20}) to %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{saddr}/%{sport} to %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// Destination endpoint: (domain\user) suffix, bare (user) suffix, or none.
var dup1630 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport}(%{ddomain}\\%{c_username}) duration %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport}(%{c_username}) duration %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport} duration %{p3}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup1631 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302016:01"), | |
}); | |
// NOTE(review): the next two tags write to "nwparser.nwparser.msg_id1" while
// the other 302016 tags write to "nwparser.msg_id1". If the doubled prefix is
// taken literally, these two variants are invisible to anything that selects
// teardown events by nwparser.msg_id1 - confirm the intended path.
var dup1632 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("302016:02"), | |
}); | |
var dup1633 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("302016:03"), | |
}); | |
var dup1634 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Pre-allocated %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Pre-allocate %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Preallocate %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup1635 = match({ | |
dissect: { | |
tokenizer: " RTSP %{protocol} backconnection %{p1}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup1636 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " for faddr %{p2}", | |
field: "nwparser.p1", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " for foreign_address %{p2}", | |
field: "nwparser.p1", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " for %{sinterface}: %{p2}", | |
field: "nwparser.p1", | |
}, | |
}), | |
]); | |
var dup1637 = match({ | |
dissect: { | |
tokenizer: "%{saddr}%{p3}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var dup1638 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " /%{sport} to %{p4}", | |
field: "nwparser.p3", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " to %{p4}", | |
field: "nwparser.p3", | |
}, | |
}), | |
]); | |
var dup1639 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " laddr %{p6}", | |
field: "nwparser.p5", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " local_address %{p6}", | |
field: "nwparser.p5", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{dinterface}:%{p6}", | |
field: "nwparser.p5", | |
}, | |
}), | |
]); | |
var dup1640 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{p7}", | |
field: "nwparser.p6", | |
}, | |
}); | |
var dup1641 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " %{dport}. %{p8}", | |
field: "nwparser.p7", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{dport} %{p8}", | |
field: "nwparser.p7", | |
}, | |
}), | |
]); | |
var dup1642 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("314001"), | |
}); | |
var dup1643 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("338309"), | |
}); | |
var dup1644 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("716058"), | |
}); | |
var dup1645 = match({ | |
dissect: { | |
tokenizer: "Authen Session End: user %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1646 = match({ | |
dissect: { | |
tokenizer: ", sid %{sessionid}, elapsed %{duration} seconds", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1647 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109012"), | |
}); | |
var dup1648 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400045"), | |
}); | |
var dup1649 = match({ | |
dissect: { | |
tokenizer: "Attempting AAA Fallback method %{process} for %{info} for user %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1650 = match({ | |
dissect: { | |
tokenizer: ": %{space} Auth-server group %{product} unreachable", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1651 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("409023"), | |
}); | |
var dup1652 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("714002"), | |
}); | |
var dup1653 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("714002:01"), | |
}); | |
var dup1654 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("717007"), | |
}); | |
var dup1655 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("304004"), | |
}); | |
var dup1656 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("408001"), | |
}); | |
var dup1657 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713216"), | |
}); | |
var dup1658 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713216:01"), | |
}); | |
var dup1659 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("210005"), | |
}); | |
// Steps dup1660-dup1663: the two "User authentication succeeded" forms and
// their tags 611101 and 611101:01. Neither tokenizer captures the user name
// itself: the text after "Uname: " is left in %{p0} for a later step that is
// not visible in this excerpt.
// Handling note: only the second form carries the client address (saddr), so
// events parsed through the first form have no source address for correlation.
var dup1660 = match({ | |
dissect: { | |
tokenizer: "User authentication succeeded: Uname: %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1661 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611101"), | |
}); | |
var dup1662 = match({ | |
dissect: { | |
tokenizer: "User authentication succeeded: IP address: %{saddr}, Uname: %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1663 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611101:01"), | |
}); | |
var dup1664 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713134"), | |
}); | |
var dup1665 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("720035"), | |
}); | |
var dup1666 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722003"), | |
}); | |
var dup1667 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("737010"), | |
}); | |
var dup1668 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("737010:01"), | |
}); | |
var dup1669 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("305008"), | |
}); | |
var dup1670 = match({ | |
dissect: { | |
tokenizer: " %{info}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup1671 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715028"), | |
}); | |
var dup1672 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{event_description} Proxy Id:%{fld1} Remote host: %{hostname} Protocol %{protocol} Port %{port} Local subnet: %{fld2} mask %{mask} Protocol %{fld3} Port %{fld4} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{event_description} flags %{fld5}, refcnt %{fld6}, tuncnt %{fld7}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{event_description} %{fld9} flags %{fld5}, refcnt %{fld6}, tuncnt %{fld7}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{event_description} (%{fld1}) %{fld2} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{event_description}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1673 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713906:01"), | |
}); | |
var dup1674 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{event_description} flags %{fld1}, refcnt %{fld2}, tuncnt %{fld3}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{event_description} Proxy Id:%{fld1} Remote host: %{hostname} Protocol %{protocol} Port %{port} Local subnet: %{fld2} mask %{mask} Protocol %{fld3} Port %{fld4} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{event_description} for remote peer %{fld1}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{event_description}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1675 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713906:03"), | |
}); | |
var dup1676 = match({ | |
dissect: { | |
tokenizer: "IP = %{saddr},%{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup1677 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Responder: %{event_description} TCP port: %{network_port} peer TCP port: %{fld1} %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{event_description}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1678 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713906"), | |
}); | |
var dup1679 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713906:02"), | |
}); | |
var dup1680 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("209003"), | |
}); | |
var dup1681 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("309001"), | |
}); | |
var dup1682 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713143"), | |
}); | |
var dup1683 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("111111"), | |
}); | |
var dup1684 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400041"), | |
}); | |
var dup1685 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400049"), | |
}); | |
var dup1686 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("703002"), | |
}); | |
// Steps dup1687-dup1692: chained fragments of a "Security negotiation complete"
// line and the tag 713049. Each match reads one nwparser.pN field and leaves
// the unparsed tail in the next %{pN} capture.
// Captured fields are saddr, fld1 (the parenthesised name), src_spi and
// dst_spi. The peer type (LAN-to-LAN Group / User) and the role (Initiator /
// Responder) are matched as literals only and are not stored in any named
// field, so they cannot be queried downstream.
var dup1687 = match({ | |
dissect: { | |
tokenizer: ", IP = %{saddr}, Security negotiation complete for %{p1}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup1688 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " LAN-to-LAN Group %{p2}", | |
field: "nwparser.p1", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " User %{p2}", | |
field: "nwparser.p1", | |
}, | |
}), | |
]); | |
// The group or user name inside the parentheses is kept only in the generic
// fld1 capture.
var dup1689 = match({ | |
dissect: { | |
tokenizer: " (%{fld1}) %{p3}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var dup1690 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Initiator %{p4}", | |
field: "nwparser.p3", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Responder %{p4}", | |
field: "nwparser.p3", | |
}, | |
}), | |
]); | |
var dup1691 = match({ | |
dissect: { | |
tokenizer: ", Inbound SPI = %{src_spi}, Outbound SPI = %{dst_spi}", | |
field: "nwparser.p4", | |
}, | |
}); | |
var dup1692 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713049"), | |
}); | |
// Group/Username prefix in three forms (quoted username, unquoted username, no
// username), followed by the tag 713120. The peer address is not captured
// here; the text after "IP = " is left in %{p0}.
// The quoted form is listed first, so the surrounding single quotes are
// matched as literals and stay out of the username value.
// NOTE(review): this relies on linear_select trying alternatives in list
// order - confirm against its definition, which is outside this excerpt.
var dup1693 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, Username = '%{username}' , IP = %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, Username = %{username} , IP = %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, IP = %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup1694 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713120"), | |
}); | |
var dup1695 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Username = %{username}, IP = %{saddr} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Group = %{group}, IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " IP = %{saddr}, %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup1696 = match({ | |
dissect: { | |
tokenizer: " %{event_description} (version: %{version}, capabilities: %{fld1})", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup1697 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715038"), | |
}); | |
var dup1698 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("318002"), | |
}); | |
var dup1699 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("219002"), | |
}); | |
var dup1700 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("400004"), | |
}); | |
var dup1701 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("617001"), | |
}); | |
var dup1702 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713014"), | |
}); | |
var dup1703 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("715040"), | |
}); | |
var dup1704 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("718034"), | |
}); | |
var dup1705 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("720012"), | |
}); | |
var dup1706 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("105001"), | |
}); | |
var dup1707 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("752004"), | |
}); | |
var dup1708 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("717039"), | |
}); | |
var dup1709 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("720036"), | |
}); | |
// Steps dup1710-dup1713: chained fragments of a "Deny IP from ... IP options"
// line and the tag 106012. The IP-options text is kept only in the generic
// fld1 capture.
// NOTE(review): dup1710 already consumes the space after %{saddr}, yet both
// alternatives in dup1711 begin with another space. Unless the dissect helper
// treats leading whitespace specially, the input needs two consecutive spaces
// to match - verify with a sample line, since a miss leaves these deny events
// unparsed.
var dup1710 = match({ | |
dissect: { | |
tokenizer: "Deny IP from %{saddr} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Accepts either keyword before the second address; which one was present is
// not recorded.
var dup1711 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " from %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " to %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1712 = match({ | |
dissect: { | |
tokenizer: " %{daddr}, IP options %{fld1}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1713 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106012"), | |
}); | |
var dup1714 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("106007"), | |
}); | |
var dup1715 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("210021"), | |
}); | |
var dup1716 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713900:02"), | |
}); | |
var dup1717 = match({ | |
dissect: { | |
tokenizer: ", %{info}(): %{event_description}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup1718 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713900"), | |
}); | |
var dup1719 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713900:01"), | |
}); | |
var dup1720 = match({ | |
dissect: { | |
tokenizer: ", IP = %{saddr}, IKEGetUserAttributes: %{change_attribute} = %{change_new}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1721 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715019"), | |
}); | |
var dup1722 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("715019:01"), | |
}); | |
var dup1723 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("101001"), | |
}); | |
var dup1724 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713229"), | |
}); | |
var dup1725 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("718028"), | |
}); | |
var dup1726 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("210020"), | |
}); | |
var dup1727 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " Preallocate %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " Pre-allocate %{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup1728 = match({ | |
dissect: { | |
tokenizer: " %{network_service} %{protocol} backconnection for %{p1}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup1729 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " faddr %{p2}", | |
field: "nwparser.p1", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " foreign_address %{p2}", | |
field: "nwparser.p1", | |
}, | |
}), | |
]); | |
var dup1730 = match({ | |
dissect: { | |
tokenizer: " %{saddr}/%{sport} to %{p3}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var dup1731 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " laddr %{p4}", | |
field: "nwparser.p3", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " local_address %{p4}", | |
field: "nwparser.p3", | |
}, | |
}), | |
]); | |
var dup1732 = match({ | |
dissect: { | |
tokenizer: " %{daddr}/%{dport}", | |
field: "nwparser.p4", | |
}, | |
}); | |
var dup1733 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302004"), | |
}); | |
var dup1734 = match({ | |
dissect: { | |
tokenizer: " %{saddr} to %{p3}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var dup1735 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " %{daddr}/%{dport} %{p6}", | |
field: "nwparser.p5", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{daddr} %{p6}", | |
field: "nwparser.p5", | |
}, | |
}), | |
]); | |
var dup1736 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302004:01"), | |
}); | |
var dup1737 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("313009"), | |
}); | |
// Tail of a "dropped greylisted ... traffic" line, followed by the tag 338204.
// Captures both endpoints with their translated addresses and ports, the
// resolved destination (fld1), the list source (fld2), the listed domain
// (web_domain), the threat level (severity) and the category (result).
// Handling note: the tokenizer is one long literal template, so any difference
// in spacing or punctuation makes the whole fragment miss. What happens on a
// miss is decided by the chain runner outside this excerpt; monitor for
// unparsed events so these drops are not lost silently.
var dup1738 = match({ | |
dissect: { | |
tokenizer: " dropped greylisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), destination %{fld1} resolved from %{fld2} list:%{web_domain} threat-level: %{severity}, category: %{result}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1739 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338204"), | |
}); | |
var dup1740 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("407002"), | |
}); | |
var dup1741 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("407002:01"), | |
}); | |
var dup1742 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "%{event_description} Process = %{process}, PC = %{fld1}, Call stack = %{fld2}%{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " %{event_description}%{p0}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup1743 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1603110000"), | |
}); | |
var dup1744 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("711004"), | |
}); | |
var dup1745 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713105"), | |
}); | |
var dup1746 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1805010100"), | |
}); | |
var dup1747 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("405003"), | |
}); | |
var dup1748 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("109026"), | |
}); | |
var dup1749 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("338306"), | |
}); | |
var dup1750 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("420005"), | |
}); | |
var dup1751 = set_field({ | |
dest: "nwparser.nwparser.eventcategory", | |
value: constant("1603060000"), | |
}); | |
var dup1752 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("713016"), | |
}); | |
// Steps dup1753-dup1755: "SSL client" fragments and the tag 725003.
// The client endpoint is captured as hostip/network_port, not as saddr/sport.
// NOTE(review): consumers that correlate on saddr will not find the client
// address for this message unless hostip is mapped elsewhere - confirm.
var dup1753 = match({ | |
dissect: { | |
tokenizer: "SSL client %{interface}:%{hostip}/%{network_port} %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Either a destination endpoint followed by the action text, or the action
// text alone ending at the first ".".
var dup1754 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: "to %{daddr}/%{dport} %{action}%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: "%{action}.%{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup1755 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725003"), | |
}); | |
var dup1756 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("725013"), | |
}); | |
var dup1757 = match({ | |
dissect: { | |
tokenizer: " dropped blacklisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), source %{fld1} resolved from %{fld2} list:%{fld3}/%{mask} threat-level: %{severity}, category: %{result}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup1758 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338007"), | |
}); | |
// Constant message-id setters, one per file-level var.
// NOTE(review): every dest in this run is "nwparser.nwparser.msg_id1" (doubled
// prefix), whereas other set_field calls in this file target
// "nwparser.msg_id1". Kept exactly as found; confirm which key downstream
// consumers read, since a rule keyed on the other path would not see these ids.
var dup1759 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("709007") });
var dup1760 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("102001") });
var dup1761 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400038") });
var dup1762 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("714007") });
var dup1763 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718016") });
var dup1764 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201008") });
var dup1765 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("311001") });
var dup1766 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302017") });
var dup1767 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302017:01") });
var dup1768 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713129") });
var dup1769 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("716041") });
var dup1770 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302006") });
var dup1771 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302006:01") });
var dup1772 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720049") });
var dup1773 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("750003") });
var dup1774 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("751014") });
// Matchers for "AAA retrieved default group policy …" and its follow-on pieces.
// Each match() applies its tokenizer to the key named in `field`; a trailing
// %{pN} captures the remaining text under that name.
var dup1775 = match({ dissect: { tokenizer: "AAA retrieved default group policy %{p0}", field: "nwparser.payload" } });

// Policy name, parenthesised form listed before the bare form.
var dup1776 = linear_select([
	match({ dissect: { tokenizer: " (%{policyname}) for %{p1}", field: "nwparser.p0" } }),
	match({ dissect: { tokenizer: " %{policyname} for %{p1}", field: "nwparser.p0" } }),
]);

// "user = …" listed before "user …".
var dup1777 = linear_select([
	match({ dissect: { tokenizer: " user = %{p3}", field: "nwparser.p2" } }),
	match({ dissect: { tokenizer: " user %{p3}", field: "nwparser.p2" } }),
]);

// User name, quoted form listed before the unquoted form.
// NOTE(review): if linear_select is first-match (presumably), this order keeps
// the quotes out of `username`. The capture ends at the literal text that
// follows it, so a logged name containing that text would shift what lands in
// %{p5} — worth a regression sample; confirm against the dissect in use.
var dup1778 = linear_select([
	match({ dissect: { tokenizer: " '%{username}' %{p5}", field: "nwparser.p4" } }),
	match({ dissect: { tokenizer: " %{username} %{p5}", field: "nwparser.p4" } }),
]);

var dup1779 = set_field({ dest: "nwparser.msg_id1", value: constant("113009") });
var dup1780 = match({ dissect: { tokenizer: " for %{daddr}", field: "nwparser.p1" } });
var dup1781 = set_field({ dest: "nwparser.msg_id1", value: constant("113009:01") });
// Matchers for "<direction> <protocol> request (<n> bytes) … exceeds data
// buffer size, …", split into steps that each read one key and capture the
// remainder under the next %{pN}.
var dup1782 = match({ dissect: { tokenizer: "%{direction} %{protocol} request (%{bytes} bytes) %{p0}", field: "nwparser.payload" } });

// Source described either by address/port/quoted interface or by interface only.
var dup1783 = linear_select([
	match({ dissect: { tokenizer: " from IP address %{saddr} Port %{sport} Interface \"%{interface}\" %{p1}", field: "nwparser.p0" } }),
	match({ dissect: { tokenizer: " on interface %{interface} %{p1}", field: "nwparser.p0" } }),
]);

var dup1784 = match({ dissect: { tokenizer: " exceeds data buffer %{p2}", field: "nwparser.p1" } });

// Accepts both capitalisations of "size".
var dup1785 = linear_select([
	match({ dissect: { tokenizer: " SIZE, %{p3}", field: "nwparser.p2" } }),
	match({ dissect: { tokenizer: " size, %{p3}", field: "nwparser.p2" } }),
]);

var dup1786 = match({ dissect: { tokenizer: " %{result}", field: "nwparser.p3" } });

// NOTE(review): dup1789 targets "nwparser.nwparser.msg_id1" while dup1787 and
// dup1788 target "nwparser.msg_id1"; kept as found — confirm the intended key.
var dup1787 = set_field({ dest: "nwparser.msg_id1", value: constant("212005") });
var dup1788 = set_field({ dest: "nwparser.msg_id1", value: constant("715057") });
var dup1789 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199002") });
// Matchers and setters for "Authorization denied for user …" and for the
// tunnel message carrying tunnel_id / remote_peer_ip / client_dynamic_ip.
// A trailing %{pN} in a tokenizer captures the remaining text under that name.
var dup1790 = match({ dissect: { tokenizer: "Authorization denied for user %{p0}", field: "nwparser.payload" } });
var dup1791 = set_field({ dest: "nwparser.eventcategory", value: constant("1501040000") });
var dup1792 = set_field({ dest: "nwparser.msg_id1", value: constant("109008") });

// "created," listed before "created".
var dup1793 = linear_select([
	match({ dissect: { tokenizer: " created, %{p1}", field: "nwparser.p0" } }),
	match({ dissect: { tokenizer: " created %{p1}", field: "nwparser.p0" } }),
]);

var dup1794 = match({ dissect: { tokenizer: " tunnel_id is %{fld1}, remote_peer_ip is %{saddr}, ppp_virtual_interface_id is %{interface}, client_dynamic_ip is %{p2}", field: "nwparser.p1" } });

// Client address followed by ", " or by a single space.
var dup1795 = linear_select([
	match({ dissect: { tokenizer: " %{daddr}, %{p3}", field: "nwparser.p2" } }),
	match({ dissect: { tokenizer: " %{daddr} %{p3}", field: "nwparser.p2" } }),
]);

var dup1796 = match({ dissect: { tokenizer: " username is %{p4}", field: "nwparser.p3" } });
var dup1797 = set_field({ dest: "nwparser.msg_id1", value: constant("603106") });
// Matchers for ", IP = <saddr>, …" continuations (password too long, failed
// user authentication, client type/version) and for "<process>: User …, Addr …",
// each followed by the message-id / category setters that sit next to it.
var dup1798 = match({ dissect: { tokenizer: ", IP = %{saddr}, Password for user (%{fld1}) too long, %{info}", field: "nwparser.p1" } });
var dup1799 = set_field({ dest: "nwparser.eventcategory", value: constant("1402040101") });
var dup1800 = set_field({ dest: "nwparser.msg_id1", value: constant("713072") });

var dup1801 = match({ dissect: { tokenizer: ", IP = %{saddr}, Remote peer has failed user authentication - %{info}", field: "nwparser.p1" } });
var dup1802 = set_field({ dest: "nwparser.msg_id1", value: constant("713167") });
// NOTE(review): dup1803 and dup1806 use the doubled "nwparser.nwparser." prefix,
// unlike the setters around them; kept as found — confirm the intended key.
var dup1803 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713167:01") });

var dup1804 = match({ dissect: { tokenizer: ", IP = %{saddr}, Client Type: %{product} Client Application Version: %{version}", field: "nwparser.p1" } });
var dup1805 = set_field({ dest: "nwparser.msg_id1", value: constant("713184") });
var dup1806 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713184:01") });

var dup1807 = match({ dissect: { tokenizer: "%{process}: User %{p0}", field: "nwparser.payload" } });
var dup1808 = match({ dissect: { tokenizer: ", %{p2}", field: "nwparser.p1" } });

// Address followed by "," or by ":".
var dup1809 = linear_select([
	match({ dissect: { tokenizer: " Addr %{hostip}, %{p3}", field: "nwparser.p2" } }),
	match({ dissect: { tokenizer: " Addr %{hostip}: %{p3}", field: "nwparser.p2" } }),
]);
var dup1810 = set_field({ dest: "nwparser.msg_id1", value: constant("734002") });
// Constant message-id setters, one per file-level var.
// NOTE(review): every dest in this run is "nwparser.nwparser.msg_id1" (doubled
// prefix), whereas other set_field calls in this file target
// "nwparser.msg_id1". Kept exactly as found; confirm which key downstream
// consumers read.
var dup1811 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106022") });
var dup1812 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("317004") });
var dup1813 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("338304") });
var dup1814 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403109") });
var dup1815 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713187") });
var dup1816 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105009") });
var dup1817 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400046") });
var dup1818 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403106") });
var dup1819 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("111001") });
var dup1820 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713223") });
var dup1821 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("701001") });
var dup1822 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("402101") });
var dup1823 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("602104") });
// Selectors for the "Group = …, Username = …, IP = …" message prefix, read
// from nwparser.payload, plus the message-id setters that sit next to them.
// NOTE(review): in each selector the quoted-username alternative precedes the
// unquoted one; if linear_select is first-match (presumably), reordering would
// leave the quotes inside `username`. %{group} and %{username} end at the
// literal text that follows them, so a logged value containing ", IP = " or
// similar would shift what lands in saddr — worth a regression sample.
var dup1824 = linear_select([
	match({ dissect: { tokenizer: " Group = %{group}, Username = '%{username}', IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
	match({ dissect: { tokenizer: " Group = %{group}, Username = %{username}, IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
	match({ dissect: { tokenizer: " IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
]);
var dup1825 = set_field({ dest: "nwparser.msg_id1", value: constant("713902") });

// Here the address itself is left in %{p0} rather than captured as saddr.
var dup1826 = linear_select([
	match({ dissect: { tokenizer: " Group = %{group}, IP = %{p0}", field: "nwparser.payload" } }),
	match({ dissect: { tokenizer: " Username = '%{username}' , IP = %{p0}", field: "nwparser.payload" } }),
	match({ dissect: { tokenizer: " Username = %{username} , IP = %{p0}", field: "nwparser.payload" } }),
]);
var dup1827 = set_field({ dest: "nwparser.msg_id1", value: constant("713902:02") });
var dup1828 = set_field({ dest: "nwparser.msg_id1", value: constant("713902:01") });

// NOTE(review): dup1829–dup1832 and dup1835 use the doubled
// "nwparser.nwparser." prefix; kept as found — confirm the intended key.
var dup1829 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("215001") });
var dup1830 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("735003") });
var dup1831 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("751007") });
var dup1832 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("306001") });

// Same prefix family, with a comma after the address. The second alternative
// has no leading space, unlike the first and third.
var dup1833 = linear_select([
	match({ dissect: { tokenizer: " Group = %{group}, Username = '%{username}', IP = %{saddr},%{p0}", field: "nwparser.payload" } }),
	match({ dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, %{p0}", field: "nwparser.payload" } }),
	match({ dissect: { tokenizer: " IP = %{saddr}, %{p0}", field: "nwparser.payload" } }),
]);
var dup1834 = set_field({ dest: "nwparser.msg_id1", value: constant("715001") });
var dup1835 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718068") });
// Matchers for "Scheduled reload for … cancelled by … at …", followed by a run
// of constant category / message-id setters.
var dup1836 = match({ dissect: { tokenizer: "Scheduled reload for %{fld1} cancelled by %{p0}", field: "nwparser.payload" } });
var dup1837 = match({ dissect: { tokenizer: " at %{fld2}", field: "nwparser.p1" } });
var dup1838 = set_field({ dest: "nwparser.eventcategory", value: constant("1701020000") });
var dup1839 = set_field({ dest: "nwparser.msg_id1", value: constant("199008") });

// NOTE(review): from here to the end of this run the dest keys carry a doubled
// "nwparser.nwparser." prefix, unlike dup1838/dup1839 above. Kept exactly as
// found; confirm which key downstream consumers read.
var dup1840 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713214") });
var dup1841 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1605010000") });
var dup1842 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199015") });
var dup1843 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("602103") });
var dup1844 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1401030000") });
var dup1845 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("307003") });
var dup1846 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("307003:01") });
var dup1847 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400027") });
var dup1848 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("721012") });
var dup1849 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("202005") });
// Matchers for "Auto Update failed:…", ", IP = …, MODE_CFG: …" and
// "Authentication succeeded for user …", each with the setters that sit next
// to it. A trailing %{pN} captures the remaining text under that name.
// NOTE(review): several setters below use the doubled "nwparser.nwparser."
// prefix while their neighbours use "nwparser."; kept as found — confirm which
// key downstream consumers read.
var dup1850 = match({ dissect: { tokenizer: "Auto Update failed:%{p0}", field: "nwparser.payload" } });
var dup1851 = match({ dissect: { tokenizer: ", version:%{version}, reason:%{result}", field: "nwparser.p1" } });
var dup1852 = set_field({ dest: "nwparser.msg_id1", value: constant("612002") });
var dup1853 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713119") });

var dup1854 = match({ dissect: { tokenizer: ", %{event_description}, %{fld1}", field: "nwparser.p1" } });
var dup1855 = set_field({ dest: "nwparser.eventcategory", value: constant("1603020000") });
var dup1856 = set_field({ dest: "nwparser.msg_id1", value: constant("713232") });

var dup1857 = match({ dissect: { tokenizer: ", IP = %{saddr}, MODE_CFG: %{action}", field: "nwparser.p1" } });
var dup1858 = set_field({ dest: "nwparser.msg_id1", value: constant("715053") });
var dup1859 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715053:01") });
var dup1860 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("746014") });
var dup1861 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717045") });

var dup1862 = match({ dissect: { tokenizer: "Authentication succeeded for user %{p0}", field: "nwparser.payload" } });
var dup1863 = set_field({ dest: "nwparser.msg_id1", value: constant("109005") });
var dup1864 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713092") });
var dup1865 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717055") });
var dup1866 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("710004") });
// Matchers for "<result>; Connection for <protocol> src …" plus the setters
// that follow. A trailing %{pN} captures the remaining text under that name.
var dup1867 = match({ dissect: { tokenizer: "%{result}; Connection for %{protocol} src %{sinterface}:%{saddr}/%{p0}", field: "nwparser.payload" } });

// Source port, optionally followed by "(domain\username)". The "\\" in the
// source text is one literal backslash once the JS string is evaluated.
var dup1868 = linear_select([
	match({ dissect: { tokenizer: "%{sport}(%{domain}\\%{username}) dst %{p1}", field: "nwparser.p0" } }),
	match({ dissect: { tokenizer: "%{sport} dst %{p1}", field: "nwparser.p0" } }),
]);

// NOTE(review): only dup1869 and dup1875 use the single "nwparser." prefix;
// the other setters in this run use "nwparser.nwparser.". Kept as found —
// confirm which key downstream consumers read.
var dup1869 = set_field({ dest: "nwparser.msg_id1", value: constant("305013") });
var dup1870 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("305013:01") });
var dup1871 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("305013:02") });
var dup1872 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("319004") });
var dup1873 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("321004") });

var dup1874 = match({ dissect: { tokenizer: " %{service} Connection for %{p2}", field: "nwparser.p1" } });
var dup1875 = set_field({ dest: "nwparser.msg_id1", value: constant("405102") });
var dup1876 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("450001") });
var dup1877 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("702303") });
var dup1878 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199017") });
var dup1879 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105006") });
var dup1880 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("322002") });
// Matchers for ", Addr <hostip>: Session Attribute endpoint.…" lines (device
// hostname, device MAC, OS version, and a catch-all), each paired with its
// message-id setter, followed by a few unrelated setters and the
// "hardware transmit hang" matcher.
// NOTE(review): hostname, MAC and OS version are presumably reported by the
// connecting endpoint; each capture ends at the closing quote in the tokenizer,
// so a value containing a double quote would be cut short — confirm.
var dup1881 = match({ dissect: { tokenizer: ", Addr %{hostip}: Session Attribute endpoint.device.hostname=\"%{hostname}\"", field: "nwparser.p1" } });
var dup1882 = set_field({ dest: "nwparser.msg_id1", value: constant("734003:01") });

var dup1883 = match({ dissect: { tokenizer: ", Addr %{hostip}: Session Attribute endpoint.device.MAC[\"%{macaddr}\"]=\"%{fld2}\"", field: "nwparser.p1" } });
var dup1884 = set_field({ dest: "nwparser.msg_id1", value: constant("734003:02") });

var dup1885 = match({ dissect: { tokenizer: ", Addr %{hostip}: Session Attribute endpoint.os.version=\"%{version}\"", field: "nwparser.p1" } });
var dup1886 = set_field({ dest: "nwparser.msg_id1", value: constant("734003:03") });

// Catch-all: everything after the address goes to `result`.
var dup1887 = match({ dissect: { tokenizer: ", Addr %{hostip}: %{result}", field: "nwparser.p1" } });
var dup1888 = set_field({ dest: "nwparser.msg_id1", value: constant("734003") });

// NOTE(review): dup1889–dup1891 use the doubled "nwparser.nwparser." prefix;
// kept as found — confirm the intended key.
var dup1889 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("735011") });
var dup1890 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("103002:01") });
var dup1891 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("103002") });

var dup1892 = match({ dissect: { tokenizer: " %{interface} experienced a hardware transmit hang. %{result}.", field: "nwparser.p0" } });
var dup1893 = set_field({ dest: "nwparser.msg_id1", value: constant("411005") });
// Constant message-id setters with two matchers in between
// (", IP … has been created." and "Authorization permitted for user …").
// NOTE(review): only dup1904 and dup1907 use the single "nwparser." prefix;
// every other setter in this run targets "nwparser.nwparser.msg_id1". Kept
// exactly as found; confirm which key downstream consumers read.
var dup1894 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("415004") });
var dup1895 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("415004:01") });
var dup1896 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("415009") });
var dup1897 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("709008") });
var dup1898 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718010") });
var dup1899 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("331001") });
var dup1900 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("210002") });
var dup1901 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400044") });
var dup1902 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("709005") });

var dup1903 = match({ dissect: { tokenizer: ", IP %{saddr} has been created.", field: "nwparser.p1" } });
var dup1904 = set_field({ dest: "nwparser.msg_id1", value: constant("721016") });
var dup1905 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105005") });

var dup1906 = match({ dissect: { tokenizer: "Authorization permitted for user %{p0}", field: "nwparser.payload" } });
var dup1907 = set_field({ dest: "nwparser.msg_id1", value: constant("109007") });
var dup1908 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("208005") });
var dup1909 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400011") });
var dup1910 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("409001") });
var dup1911 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("612001") });
var dup1912 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713147") });
// Step-wise matchers for "SMTP: Bad Checksum …" and "ESMTP Classification: …".
// The steps read nwparser.payload, then p0 … p5 in turn; each tokenizer that
// ends in %{pN} captures the remaining text under that name (presumably
// surfaced as "nwparser.pN" for the next step — confirm).
var dup1913 = match({ dissect: { tokenizer: "SMTP: Bad Checksum %{network_service} %{p0}", field: "nwparser.payload" } });

var dup1914 = linear_select([
	match({ dissect: { tokenizer: " Request %{p1}", field: "nwparser.p0" } }),
	match({ dissect: { tokenizer: " Response %{p1}", field: "nwparser.p0" } }),
]);

var dup1915 = match({ dissect: { tokenizer: " from %{sinterface}:%{p2}", field: "nwparser.p1" } });

// Source with port listed before source without port.
var dup1916 = linear_select([
	match({ dissect: { tokenizer: " %{saddr}/%{sport} %{p3}", field: "nwparser.p2" } }),
	match({ dissect: { tokenizer: " %{saddr} %{p3}", field: "nwparser.p2" } }),
]);

var dup1917 = match({ dissect: { tokenizer: " to %{dinterface}:%{p4}", field: "nwparser.p3" } });

// Destination with port listed before destination without port.
var dup1918 = linear_select([
	match({ dissect: { tokenizer: " %{daddr}/%{dport} %{p5}", field: "nwparser.p4" } }),
	match({ dissect: { tokenizer: " %{daddr} %{p5}", field: "nwparser.p4" } }),
]);

var dup1919 = match({ dissect: { tokenizer: ";%{info}", field: "nwparser.p5" } });

// NOTE(review): dup1921 and dup1924–dup1929 use the doubled
// "nwparser.nwparser." prefix while dup1920 and dup1923 use "nwparser.".
// Kept as found — confirm which key downstream consumers read.
var dup1920 = set_field({ dest: "nwparser.msg_id1", value: constant("108004:01") });
var dup1921 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("108004") });

var dup1922 = match({ dissect: { tokenizer: "ESMTP Classification: %{action} for %{network_service} %{p0}", field: "nwparser.payload" } });
var dup1923 = set_field({ dest: "nwparser.msg_id1", value: constant("108004:02") });
var dup1924 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720006") });
var dup1925 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("734004") });
var dup1926 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("746002") });
var dup1927 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("434004") });
var dup1928 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("315001") });
var dup1929 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("305001") });
// Matchers for "Authorization … : Cmd: … Cmdtype: …" and "(<context>) Testing
// <interface>", followed by a long run of constant setters.
var dup1930 = match({ dissect: { tokenizer: "Authorization %{p0}", field: "nwparser.payload" } });
var dup1931 = match({ dissect: { tokenizer: ": Cmd: %{action} Cmdtype: %{fld1}", field: "nwparser.p1" } });
var dup1932 = set_field({ dest: "nwparser.msg_id1", value: constant("610101") });

// NOTE(review): apart from dup1932 and dup1937, every setter in this block
// targets a key with the doubled "nwparser.nwparser." prefix. Kept exactly as
// found; confirm which key downstream consumers read.
var dup1933 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105042") });
var dup1934 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("409007") });

var dup1935 = match({ dissect: { tokenizer: "(%{context}) Testing %{p0}", field: "nwparser.payload" } });
var dup1936 = match({ dissect: { tokenizer: " %{interface}", field: "nwparser.p1" } });
var dup1937 = set_field({ dest: "nwparser.msg_id1", value: constant("105008") });

var dup1938 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1001020205") });
var dup1939 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400051") });
var dup1940 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("419001") });
var dup1941 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("746001") });
var dup1942 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("336010") });
var dup1943 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("317002") });
var dup1944 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("709004") });
var dup1945 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("747016") });
var dup1946 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("212004") });
var dup1947 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403506") });
var dup1948 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("505005") });
var dup1949 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713225") });
var dup1950 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717027") });
var dup1951 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("322004") });
var dup1952 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400005") });
var dup1953 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400006") });
var dup1954 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("606004") });
var dup1955 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717008") });
// Matchers for "Device completed SSL handshake with …" and a second
// "dropped blacklisted … traffic" shape, with the setters that follow them.
// A trailing %{pN} captures the remaining text under that name.
var dup1956 = match({ dissect: { tokenizer: "Device completed SSL handshake with %{p0}", field: "nwparser.payload" } });

var dup1957 = linear_select([
	match({ dissect: { tokenizer: " server %{p1}", field: "nwparser.p0" } }),
	match({ dissect: { tokenizer: " client %{p1}", field: "nwparser.p0" } }),
]);

var dup1958 = match({ dissect: { tokenizer: " %{interface}:%{p2}", field: "nwparser.p1" } });

// Three peer layouts, longest first; only the first two capture both a source
// and a destination, the last captures hostip/network_port alone.
var dup1959 = linear_select([
	match({ dissect: { tokenizer: "%{fld1}_%{fld2}_%{saddr}/%{sport} to %{daddr}/%{dport} for %{version} session %{p3}", field: "nwparser.p2" } }),
	match({ dissect: { tokenizer: "%{saddr}/%{sport} to %{daddr}/%{dport} for %{version} session %{p3}", field: "nwparser.p2" } }),
	match({ dissect: { tokenizer: "%{hostip}/%{network_port}%{p3}", field: "nwparser.p2" } }),
]);

// NOTE(review): dup1962, dup1963, dup1966, dup1968 and dup1969 use the doubled
// "nwparser.nwparser." prefix while the other setters here use "nwparser.".
// Kept as found — confirm which key downstream consumers read.
var dup1960 = set_field({ dest: "nwparser.eventcategory", value: constant("1613050100") });
var dup1961 = set_field({ dest: "nwparser.msg_id1", value: constant("725002") });
var dup1962 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("212003") });
var dup1963 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("409012") });

// Variant whose list entry is captured as %{web_domain}.
var dup1964 = match({ dissect: { tokenizer: " dropped blacklisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), source %{fld1} resolved from %{fld2} list:%{web_domain} threat-level: %{severity}, category: %{result}", field: "nwparser.p1" } });
var dup1965 = set_field({ dest: "nwparser.msg_id1", value: constant("338005") });
var dup1966 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("710003") });
var dup1967 = set_field({ dest: "nwparser.msg_id1", value: constant("713199") });
var dup1968 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("716052") });
var dup1969 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717046") });
// Matchers for "SSL session with … terminated", "Shun deleted: …" and the
// ARP-entry message, each with the setters that sit next to it.
var dup1970 = match({ dissect: { tokenizer: "SSL session with %{p0}", field: "nwparser.payload" } });

// Source/destination pair listed before the single host/port form.
var dup1971 = linear_select([
	match({ dissect: { tokenizer: "%{saddr}/%{sport} to %{daddr}/%{dport} %{p3}", field: "nwparser.p2" } }),
	match({ dissect: { tokenizer: "%{hostip}/%{network_port} %{p3}", field: "nwparser.p2" } }),
]);

// "terminated." listed before "terminated".
var dup1972 = linear_select([
	match({ dissect: { tokenizer: "terminated.%{p4}", field: "nwparser.p3" } }),
	match({ dissect: { tokenizer: "terminated%{p4}", field: "nwparser.p3" } }),
]);
var dup1973 = set_field({ dest: "nwparser.msg_id1", value: constant("725007") });

// NOTE(review): dup1974 and dup1975 use the doubled "nwparser.nwparser."
// prefix, unlike the other setters in this block; kept as found — confirm.
var dup1974 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("444100") });
var dup1975 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("338307") });

var dup1976 = match({ dissect: { tokenizer: "Shun %{p0}", field: "nwparser.payload" } });
var dup1977 = linear_select([
	match({ dissect: { tokenizer: " deleted: %{p1}", field: "nwparser.p0" } }),
	match({ dissect: { tokenizer: " delete: %{p1}", field: "nwparser.p0" } }),
]);
var dup1978 = match({ dissect: { tokenizer: " %{hostip}", field: "nwparser.p1" } });
var dup1979 = set_field({ dest: "nwparser.msg_id1", value: constant("401003") });

// NOTE(review): the first alternative contains the literal interface name
// "inside". A message naming any other interface would only fit the generic
// second alternative, which captures no saddr/smacaddr — confirm whether the
// literal is intended or should be a capture.
var dup1980 = linear_select([
	match({ dissect: { tokenizer: "%{event_description} from %{saddr}/%{smacaddr} on interface inside with existing ARP entry %{fld1}/%{fld2} %{p0}", field: "nwparser.payload" } }),
	match({ dissect: { tokenizer: " %{event_description}%{p0}", field: "nwparser.payload" } }),
]);
var dup1981 = set_field({ dest: "nwparser.eventcategory", value: constant("1001030300") });
var dup1982 = set_field({ dest: "nwparser.msg_id1", value: constant("405001") });
// Matchers for the "<service>: An <agent> SA (SPI= …) between … and …" message,
// ", IP = …, construct_cfg_set: …", " locked out on …" and the IKE_DECODE
// SENDING/RECEIVED/RESENDING Message sequence, with their setters.
// NOTE(review): dup1985, dup1988, dup1991 and dup1997 use the doubled
// "nwparser.nwparser." prefix while the other setters here use "nwparser.".
// Kept as found — confirm which key downstream consumers read.
var dup1983 = match({ dissect: { tokenizer: "%{service}: An %{agent} SA (SPI= %{fld1}) between %{saddr} and %{daddr} %{p0}", field: "nwparser.payload" } });
var dup1984 = set_field({ dest: "nwparser.msg_id1", value: constant("702307") });
var dup1985 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713124") });

var dup1986 = match({ dissect: { tokenizer: ", IP = %{saddr}, construct_cfg_set: %{action}", field: "nwparser.p1" } });
var dup1987 = set_field({ dest: "nwparser.msg_id1", value: constant("715020") });
var dup1988 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715066") });

var dup1989 = match({ dissect: { tokenizer: " locked out on %{result}", field: "nwparser.p1" } });
var dup1990 = set_field({ dest: "nwparser.msg_id1", value: constant("113006") });
var dup1991 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713145") });

// Prefix with an explicit peer address, or a fallback capturing %{space}.
var dup1992 = linear_select([
	match({ dissect: { tokenizer: " IP = %{saddr} %{p0}", field: "nwparser.payload" } }),
	match({ dissect: { tokenizer: " %{space} %{p0}", field: "nwparser.payload" } }),
]);
var dup1993 = match({ dissect: { tokenizer: " IKE_DECODE %{p1}", field: "nwparser.p0" } });
var dup1994 = linear_select([
	match({ dissect: { tokenizer: " SENDING %{p2}", field: "nwparser.p1" } }),
	match({ dissect: { tokenizer: " RECEIVED %{p2}", field: "nwparser.p1" } }),
	match({ dissect: { tokenizer: " RESENDING %{p2}", field: "nwparser.p1" } }),
]);
// The tokenizer ends in an unnamed %{} key, so the text after " Message" is
// presumably matched but not stored — confirm against the dissect in use.
var dup1995 = match({ dissect: { tokenizer: " Message%{}", field: "nwparser.p2" } });
var dup1996 = set_field({ dest: "nwparser.msg_id1", value: constant("713236") });
var dup1997 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403110") });
// Shared parser fragments dup1998-dup2025; other parts of this file refer to them by name.
// set_field, match, linear_select and constant are defined outside this section.
// `var` is kept deliberately: the lookup maps at the top of the file name dupNNNN
// variables that are only declared further down.
// NOTE(review): most dest paths here read "nwparser.nwparser.<field>" while a few read
// "nwparser.<field>"; confirm set_field treats both the same, otherwise the message id and
// event category are written to a key that msg_id1-based selection would not look at.
var dup1998 = match({
  dissect: {
    tokenizer: "AAA %{p0}",
    field: "nwparser.payload",
  },
});

// AAA server unreachable: the server address is captured as hostip, the user text goes on in p2.
var dup1999 = match({
  dissect: {
    tokenizer: " server not accessible : server = %{hostip} : user = %{p2}",
    field: "nwparser.p1",
  },
});

var dup2000 = set_field({ dest: "nwparser.msg_id1", value: constant("113014") });

var dup2001 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("610002") });

var dup2002 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106017") });

var dup2003 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1001030000") });

// Ids with a ":NN" suffix presumably label alternative patterns of the same message id.
var dup2004 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106017:01") });

var dup2005 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("500001") });

var dup2006 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("752008") });

var dup2007 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400037") });

var dup2008 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106013:01") });

var dup2009 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106013") });

// Source and destination address/port pairs, the interface and the protocol, read from p1.
var dup2010 = match({
  dissect: {
    tokenizer: " from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface} using %{protocol}",
    field: "nwparser.p1",
  },
});

var dup2011 = set_field({ dest: "nwparser.msg_id1", value: constant("109025") });

var dup2012 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("320001") });

var dup2013 = match({
  dissect: {
    tokenizer: " add failed: unable to allocate resources for %{p1}",
    field: "nwparser.p0",
  },
});

// Either four space-separated values (addresses then ports) or a single host address.
// The four-value pattern comes first; presumably the first alternative that fits is used.
var dup2014 = linear_select([
  match({ dissect: { tokenizer: " %{saddr} %{daddr} %{sport} %{dport} %{p2}", field: "nwparser.p1" } }),
  match({ dissect: { tokenizer: " %{hostip} %{p2}", field: "nwparser.p1" } }),
]);

var dup2015 = set_field({ dest: "nwparser.msg_id1", value: constant("401005") });

var dup2016 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("406001") });

var dup2017 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199018") });

var dup2018 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199018:01") });

var dup2019 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199018:02") });

var dup2020 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199018:03") });

var dup2021 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199018:04") });

var dup2022 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199018:05") });

var dup2023 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105002") });

var dup2024 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201013") });

var dup2025 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720039") });
// Shared parser fragments dup2026-dup2058; other parts of this file refer to them by name.
// set_field, match, linear_select and constant are defined outside this section.
// `var` is kept deliberately: the lookup maps at the top of the file name dupNNNN
// variables that are only declared further down.
// NOTE(review): dest paths alternate between "nwparser.<field>" and
// "nwparser.nwparser.<field>"; confirm set_field resolves both to the same key.
var dup2026 = match({
  dissect: {
    tokenizer: "[%{protocol}] Unable to %{p0}",
    field: "nwparser.payload",
  },
});

// Accepts both spellings of the verb that appear in the alternatives below.
var dup2027 = linear_select([
  match({ dissect: { tokenizer: " decipher %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " decypher %{p1}", field: "nwparser.p0" } }),
]);

var dup2028 = match({
  dissect: {
    tokenizer: " response message Server = %{hostip}, User = %{p2}",
    field: "nwparser.p1",
  },
});

var dup2029 = set_field({ dest: "nwparser.msg_id1", value: constant("109027") });

var dup2030 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400034") });

var dup2031 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("318004") });

// Optional "Group = name" ahead of "IP"; the group-bearing pattern is listed first.
var dup2032 = linear_select([
  match({ dissect: { tokenizer: " Group = %{group} IP %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " IP %{p0}", field: "nwparser.payload" } }),
]);

var dup2033 = match({
  dissect: {
    tokenizer: " = %{saddr} Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete",
    field: "nwparser.p0",
  },
});

var dup2034 = set_field({ dest: "nwparser.msg_id1", value: constant("713219") });

var dup2035 = set_field({ dest: "nwparser.msg_id1", value: constant("715055") });

var dup2036 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("209001") });

var dup2037 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("311003") });

// Whitelisted-traffic record: real and translated endpoints on both sides plus the list
// entry (web_domain) the destination was resolved from. Every value is taken verbatim
// from the log line.
var dup2038 = match({
  dissect: {
    tokenizer: " %{action} whitelisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), destination %{fld1} resolved from %{fld2} list:%{web_domain}",
    field: "nwparser.p1",
  },
});

var dup2039 = set_field({ dest: "nwparser.msg_id1", value: constant("338102") });

var dup2040 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717016") });

var dup2041 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("752011") });

var dup2042 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("324003") });

var dup2043 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403102") });

var dup2044 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715061") });

var dup2045 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("752002") });

var dup2046 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201009") });

var dup2047 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400050") });

// \u003e is the escaped greater-than sign; the literal matched is " > First ".
var dup2048 = match({
  dissect: {
    tokenizer: " \u003e First %{p4}",
    field: "nwparser.p3",
  },
});

var dup2049 = match({
  dissect: {
    tokenizer: " connection established for SVC session.%{}",
    field: "nwparser.p5",
  },
});

var dup2050 = set_field({ dest: "nwparser.msg_id1", value: constant("722033") });

var dup2051 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199016") });

// Invalid-echo chain: dup2052 reads the payload, dup2053 takes the endpoints from p1,
// dup2054 the "destination"/"source" keyword from p2 and dup2055 the translation detail from p3.
var dup2052 = match({
  dissect: {
    tokenizer: "Dropping invalid echo %{p0}",
    field: "nwparser.payload",
  },
});

var dup2053 = match({
  dissect: {
    tokenizer: " from %{sinterface}:%{saddr} to %{dinterface}:%{daddr}, %{p2}",
    field: "nwparser.p1",
  },
});

var dup2054 = linear_select([
  match({ dissect: { tokenizer: " destination %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " source %{p3}", field: "nwparser.p2" } }),
]);

var dup2055 = match({
  dissect: {
    tokenizer: " address %{fld1} should not match dynamic port translation, real %{fld2}:%{stransaddr}/%{stransport}, mapped %{fld3}:%{dtransaddr}/%{dtransport}",
    field: "nwparser.p3",
  },
});

var dup2056 = set_field({ dest: "nwparser.eventcategory", value: constant("1803010000") });

var dup2057 = set_field({ dest: "nwparser.msg_id1", value: constant("106028") });

var dup2058 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106028:01") });
// Shared parser fragments dup2059-dup2078: pieces of the "Teardown ... connection" patterns
// that carry the msg_id1 values 302014 and 302014:01 to 302014:05.
// set_field, match, linear_select and constant are defined outside this section.
// `var` is kept deliberately: the lookup maps at the top of the file name dupNNNN
// variables that are only declared further down.
// The user and domain captures (c_username, username, ddomain, domain) are copied verbatim
// from the log text; consumers should handle them as untrusted strings.
var dup2059 = match({
  dissect: {
    tokenizer: "%{dinterface}:%{daddr}/%{dport}(%{ddomain}\\%{c_username}) duration %{duration} bytes %{bytes} %{p2}",
    field: "nwparser.p1",
  },
});

// Teardown reason, optionally followed by "(username)".
// NOTE(review): the first literal decodes to two less-than signs and one greater-than sign;
// confirm that is what the device emits and not a leftover escape from the source pattern.
// NOTE(review): the last alternative passes the remainder on as p4, the other three as p3;
// check that whatever runs after this fragment reads the right one.
var dup2060 = linear_select([
  match({ dissect: { tokenizer: "\u003c\u003c%{result}\u003e (%{username})%{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: "%{result} (%{username})%{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: "(%{result}) %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{result} %{p4}", field: "nwparser.p2" } }),
]);

var dup2061 = set_field({ dest: "nwparser.msg_id1", value: constant("302014:03") });

var dup2062 = match({
  dissect: {
    tokenizer: "Teardown %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}(%{ddomain}\\%{c_username}) duration %{duration} bytes %{bytes} %{p0}",
    field: "nwparser.payload",
  },
});

// NOTE(review): in the second alternative result and p1 are adjacent with no literal between
// them; where the text is split is up to the dissect implementation - verify with a sample.
var dup2063 = linear_select([
  match({ dissect: { tokenizer: "(%{result}) %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{result}%{p1}", field: "nwparser.p0" } }),
]);

var dup2064 = set_field({ dest: "nwparser.msg_id1", value: constant("302014:02") });

// Source endpoint with an optional "(domain\name)" or "(name)" annotation, most specific
// first. The third alternative has no space after "to"; dup2066 below begins with a space.
var dup2065 = linear_select([
  match({ dissect: { tokenizer: "%{saddr}/%{sport}(%{domain}\\%{fld3}) to %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{saddr}/%{sport}(%{fld3}) to %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{saddr}/%{sport} to%{p1}", field: "nwparser.p0" } }),
]);

var dup2066 = match({
  dissect: {
    tokenizer: " %{dinterface}:%{daddr}/%{dport}(%{fld20}) duration %{duration} bytes %{bytes} %{p2}",
    field: "nwparser.p1",
  },
});

var dup2067 = linear_select([
  match({ dissect: { tokenizer: "%{info} (%{username})%{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: "%{info}%{p3}", field: "nwparser.p2" } }),
]);

var dup2068 = set_field({ dest: "nwparser.msg_id1", value: constant("302014:04") });

var dup2069 = match({
  dissect: {
    tokenizer: "Teardown %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport}(%{fld3}) to %{dinterface}:%{daddr}/%{dport} duration %{duration} bytes %{bytes} %{p0}",
    field: "nwparser.payload",
  },
});

var dup2070 = linear_select([
  match({ dissect: { tokenizer: "%{info} (%{username})%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{info}%{p1}", field: "nwparser.p0" } }),
]);

var dup2071 = set_field({ dest: "nwparser.msg_id1", value: constant("302014:05") });

var dup2072 = linear_select([
  match({ dissect: { tokenizer: "%{saddr}/%{sport}(%{domain}\\%{fld3}) to %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{saddr}/%{sport} to %{p1}", field: "nwparser.p0" } }),
]);

var dup2073 = match({
  dissect: {
    tokenizer: "%{dinterface}:%{daddr}/%{dport} duration %{duration} bytes %{bytes} %{p2}",
    field: "nwparser.p1",
  },
});

var dup2074 = linear_select([
  match({ dissect: { tokenizer: "%{info} (%{username})%{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: "%{info} %{p3}", field: "nwparser.p2" } }),
]);

var dup2075 = set_field({ dest: "nwparser.msg_id1", value: constant("302014") });

// Variant that labels the three endpoints faddr / gaddr / laddr instead of using interfaces.
var dup2076 = match({
  dissect: {
    tokenizer: "Teardown %{protocol} connection %{connectionid} faddr %{saddr}/%{sport} gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport} duration %{duration} bytes %{bytes} %{p0}",
    field: "nwparser.payload",
  },
});

var dup2077 = linear_select([
  match({ dissect: { tokenizer: " (%{result}) %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{result} %{p1}", field: "nwparser.p0" } }),
]);

var dup2078 = set_field({ dest: "nwparser.msg_id1", value: constant("302014:01") });
// Shared parser fragments dup2079-dup2124; other parts of this file refer to them by name.
// set_field, match, linear_select and constant are defined outside this section.
// `var` is kept deliberately: the lookup maps at the top of the file name dupNNNN
// variables that are only declared further down.
// NOTE(review): dest paths alternate between "nwparser.<field>" and
// "nwparser.nwparser.<field>"; confirm set_field resolves both to the same key, otherwise
// ids such as 716004 and 717003 below are stored in different places.
var dup2079 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("421004") });

var dup2080 = match({
  dissect: {
    tokenizer: ", IP = %{saddr}, %{action}: %{info}",
    field: "nwparser.p1",
  },
});

var dup2081 = set_field({ dest: "nwparser.msg_id1", value: constant("715009") });

var dup2082 = match({
  dissect: {
    tokenizer: ", %{action}: %{info}",
    field: "nwparser.p0",
  },
});

var dup2083 = set_field({ dest: "nwparser.msg_id1", value: constant("715009:01") });

// Access-denied record: client address, service and the denied location (info).
// NOTE(review): the bracket literal decodes to two less-than signs and one greater-than
// sign and there is no fallback pattern here; confirm against a real log line.
var dup2084 = match({
  dissect: {
    tokenizer: " IP \u003c\u003c%{saddr}\u003e %{network_service} access DENIED to specified location: %{info}",
    field: "nwparser.p1",
  },
});

var dup2085 = set_field({ dest: "nwparser.msg_id1", value: constant("716004") });

var dup2086 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("717003") });

var dup2087 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("120011") });

var dup2088 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105043") });

var dup2089 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("313005") });

var dup2090 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("721010") });

var dup2091 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1613050200") });

var dup2092 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("725006:01") });

var dup2093 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("725006") });

var dup2094 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("735012") });

// Standby-sync chain: dup2095 strips a parenthesised prefix, dup2096 accepts "S" or "s",
// and dup2097 continues with "tandby unit failed to sync ...", so either capitalisation
// of "Standby" is covered.
var dup2095 = match({
  dissect: {
    tokenizer: "(%{fld1}) %{p0}",
    field: "nwparser.payload",
  },
});

var dup2096 = linear_select([
  match({ dissect: { tokenizer: "S%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "s%{p1}", field: "nwparser.p0" } }),
]);

var dup2097 = match({
  dissect: {
    tokenizer: "tandby unit failed to sync due to a locked %{fld2} config. Lock held by %{p2}",
    field: "nwparser.p1",
  },
});

var dup2098 = set_field({ dest: "nwparser.eventcategory", value: constant("1601020000") });

var dup2099 = set_field({ dest: "nwparser.msg_id1", value: constant("105021") });

var dup2100 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720029") });

var dup2101 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720045") });

// NOTE(review): in the second alternative event_description and p0 are adjacent with no
// literal between them; how the text is divided depends on the dissect implementation.
var dup2102 = linear_select([
  match({ dissect: { tokenizer: "%{event_description} (%{saddr})%{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " %{event_description}%{p0}", field: "nwparser.payload" } }),
]);

var dup2103 = set_field({ dest: "nwparser.msg_id1", value: constant("604103") });

var dup2104 = set_field({ dest: "nwparser.msg_id1", value: constant("702211:01") });

var dup2105 = set_field({ dest: "nwparser.msg_id1", value: constant("702211") });

var dup2106 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713193") });

var dup2107 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720068") });

var dup2108 = match({
  dissect: {
    tokenizer: "Device supports the following %{fld1} %{p0}",
    field: "nwparser.payload",
  },
});

// The variant ending in a full stop is listed first, so the dot is matched as a literal
// and does not end up in p1 (assuming the first matching alternative is used).
var dup2109 = linear_select([
  match({ dissect: { tokenizer: "cipher(s).%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "cipher(s)%{p1}", field: "nwparser.p0" } }),
]);

var dup2110 = set_field({ dest: "nwparser.msg_id1", value: constant("725010") });

var dup2111 = match({
  dissect: {
    tokenizer: "Device selects trust-point %{network_service} for client %{interface}:%{p0}",
    field: "nwparser.payload",
  },
});

// Client endpoint with or without a two-part underscore-separated prefix before the address.
var dup2112 = linear_select([
  match({
    dissect: {
      tokenizer: " %{fld1}_%{fld2}_%{saddr}/%{sport} to %{daddr}/%{dport} %{p1}",
      field: "nwparser.p0",
    },
  }),
  match({ dissect: { tokenizer: " %{saddr}/%{sport} to %{daddr}/%{dport} %{p1}", field: "nwparser.p0" } }),
]);

var dup2113 = set_field({ dest: "nwparser.msg_id1", value: constant("725016") });

var dup2114 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("415005") });

var dup2115 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403101") });

var dup2116 = linear_select([
  match({ dissect: { tokenizer: " disconnected %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " disconnect %{p1}", field: "nwparser.p0" } }),
]);

var dup2117 = set_field({ dest: "nwparser.msg_id1", value: constant("602203:01") });

var dup2118 = set_field({ dest: "nwparser.msg_id1", value: constant("602203") });

var dup2119 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400016") });

var dup2120 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("413002") });

var dup2121 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("415010") });

var dup2122 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713221") });

var dup2123 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("735005") });

var dup2124 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("771002") });
// Shared parser fragments dup2125-dup2169; other parts of this file refer to them by name.
// set_field, match, linear_select and constant are defined outside this section.
// `var` is kept deliberately: the lookup maps at the top of the file name dupNNNN
// variables that are only declared further down.
// NOTE(review): dest paths alternate between "nwparser.<field>" and
// "nwparser.nwparser.<field>" (compare 713903:01 with 713903:02 below); confirm set_field
// resolves both to the same key.
var dup2125 = linear_select([
  match({ dissect: { tokenizer: "PAT%{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: "NAT%{p0}", field: "nwparser.payload" } }),
]);

// Pool-exhaustion record: protocol and both endpoints of the connection that was not created.
var dup2126 = match({
  dissect: {
    tokenizer: " pool exhausted. Unable to create %{protocol} connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.p0",
  },
});

var dup2127 = set_field({ dest: "nwparser.eventcategory", value: constant("1803020000") });

var dup2128 = set_field({ dest: "nwparser.msg_id1", value: constant("202010") });

var dup2129 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201010") });

var dup2130 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1601020000") });

var dup2131 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302019") });

var dup2132 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("602201") });

var dup2133 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("602201:01") });

var dup2134 = set_field({ dest: "nwparser.msg_id1", value: constant("602303") });

// NOTE(review): the bracket literal decodes to two less-than signs and one greater-than
// sign and there is no fallback pattern here; confirm against a real log line.
var dup2135 = match({
  dissect: {
    tokenizer: " IP \u003c\u003c%{saddr}\u003e SVC Message: %{info}/NOTICE: %{p2}",
    field: "nwparser.p1",
  },
});

var dup2136 = linear_select([
  match({ dissect: { tokenizer: "%{event_description}(%{fld1}) %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{event_description}%{p3}", field: "nwparser.p2" } }),
]);

var dup2137 = set_field({ dest: "nwparser.msg_id1", value: constant("722012") });

var dup2138 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("202001") });

// Session-end records (msg_id1 113019 and its :01 / :02 variants): session type, duration,
// byte counters and the reason. The three patterns differ only in the duration layout:
// days+h:m:s (dup2139), h:m:s (dup2141) and a single duration token (dup2143).
var dup2139 = match({
  dissect: {
    tokenizer: ", IP = %{saddr}, %{action} Session Type: %{network_service}, Duration: %{day}d %{hour}h:%{min}m:%{second}s, Bytes xmt: %{sbytes}, Bytes rcv: %{rbytes}, Reason: %{result}",
    field: "nwparser.p1",
  },
});

var dup2140 = set_field({ dest: "nwparser.msg_id1", value: constant("113019:01") });

var dup2141 = match({
  dissect: {
    tokenizer: ", IP = %{saddr}, %{action} Session Type: %{network_service}, Duration: %{hour}h:%{min}m:%{second}s, Bytes xmt: %{sbytes}, Bytes rcv: %{rbytes}, Reason: %{result}",
    field: "nwparser.p1",
  },
});

var dup2142 = set_field({ dest: "nwparser.msg_id1", value: constant("113019:02") });

var dup2143 = match({
  dissect: {
    tokenizer: ", IP = %{saddr}, %{action} Session Type: %{network_service}, Duration: %{duration}, Bytes xmt: %{sbytes}, Bytes rcv: %{rbytes}, Reason: %{result}",
    field: "nwparser.p1",
  },
});

var dup2144 = set_field({ dest: "nwparser.msg_id1", value: constant("113019") });

var dup2145 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("507002") });

var dup2146 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720038") });

// The username sits between literal double quotes and is copied verbatim from the log
// line; consumers should handle it as an untrusted string.
var dup2147 = match({
  dissect: {
    tokenizer: "User \"%{username}\" chose to %{p0}",
    field: "nwparser.payload",
  },
});

var dup2148 = linear_select([
  match({ dissect: { tokenizer: " disable %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " postpone %{p1}", field: "nwparser.p0" } }),
]);

var dup2149 = match({
  dissect: {
    tokenizer: " call-home anonymous reporting at the prompt.%{}",
    field: "nwparser.p1",
  },
});

var dup2150 = set_field({ dest: "nwparser.msg_id1", value: constant("120012") });

var dup2151 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("304009") });

var dup2152 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403505") });

// NOTE(review): the "udp"/"tcp" keyword is matched as a literal and not captured, so the
// transport protocol is not recorded by this fragment.
var dup2153 = linear_select([
  match({ dissect: { tokenizer: " udp %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " tcp %{p0}", field: "nwparser.payload" } }),
]);

var dup2154 = match({
  dissect: {
    tokenizer: " flow from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} terminated by %{service}, reason - %{result}",
    field: "nwparser.p0",
  },
});

var dup2155 = set_field({ dest: "nwparser.msg_id1", value: constant("507003") });

var dup2156 = match({
  dissect: {
    tokenizer: ", IP = %{saddr} , %{action}",
    field: "nwparser.p1",
  },
});

var dup2157 = set_field({ dest: "nwparser.msg_id1", value: constant("713903") });

// The quoted-username pattern precedes the unquoted one; if the order were swapped (and
// the first match wins, as the name suggests) the quotes would become part of the name.
var dup2158 = linear_select([
  match({ dissect: { tokenizer: " Group = %{group} %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Username = '%{username}' %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Username = %{username} %{p0}", field: "nwparser.payload" } }),
]);

// Same pattern as dup2156, read from p0 instead of p1.
var dup2159 = match({
  dissect: {
    tokenizer: ", IP = %{saddr} , %{action}",
    field: "nwparser.p0",
  },
});

var dup2160 = set_field({ dest: "nwparser.msg_id1", value: constant("713903:01") });

var dup2161 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713903:02") });

var dup2162 = linear_select([
  match({
    dissect: {
      tokenizer: "%{event_description} on Port %{network_port} from %{saddr}:%{sport} %{p0}",
      field: "nwparser.payload",
    },
  }),
  match({ dissect: { tokenizer: " %{event_description}%{p0}", field: "nwparser.payload" } }),
]);

var dup2163 = set_field({ dest: "nwparser.msg_id1", value: constant("713903:03") });

var dup2164 = set_field({ dest: "nwparser.msg_id1", value: constant("715027") });

var dup2165 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("199005") });

var dup2166 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109009") });

var dup2167 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("305007") });

var dup2168 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403500") });

var dup2169 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("405103") });
// Shared parser fragments dup2170-dup2202; other parts of this file refer to them by name.
// set_field, match, linear_select and constant are defined outside this section.
// `var` is kept deliberately: the lookup maps at the top of the file name dupNNNN
// variables that are only declared further down.
// NOTE(review): dest paths alternate between "nwparser.<field>" and
// "nwparser.nwparser.<field>" (compare 109003:01 with 109003 below); confirm set_field
// resolves both to the same key.
var dup2170 = match({
  dissect: {
    tokenizer: "%{service} RAS message AdmissionConfirm received from %{saddr}/%{sport} to %{daddr}/%{dport} %{p0}",
    field: "nwparser.payload",
  },
});

// Accepts the text with and without the space between "without" and "an".
var dup2171 = linear_select([
  match({ dissect: { tokenizer: " without an %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " withoutan %{p1}", field: "nwparser.p0" } }),
]);

// Stores everything that is left in p1 as info.
var dup2172 = match({
  dissect: {
    tokenizer: "%{info}",
    field: "nwparser.p1",
  },
});

var dup2173 = set_field({ dest: "nwparser.msg_id1", value: constant("405105") });

var dup2174 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("420002:01") });

var dup2175 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("420002") });

var dup2176 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("611302") });

var dup2177 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109003") });

// Failed-authentication chain: dup2178 reads the payload, dup2179 takes the source from p0,
// dup2180 the destination from p2, dup2181 the " failed" keyword from p3 and dup2182 the
// server detail from p4. Nothing in this range reads p1 to produce p2; presumably a
// fragment defined elsewhere sits between dup2179 and dup2180.
var dup2178 = match({
  dissect: {
    tokenizer: "Auth from %{p0}",
    field: "nwparser.payload",
  },
});

// Address with an optional "/port"; the pattern with the port is listed first.
var dup2179 = linear_select([
  match({ dissect: { tokenizer: " %{saddr}/%{sport} %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: " %{saddr} %{p1}", field: "nwparser.p0" } }),
]);

var dup2180 = linear_select([
  match({ dissect: { tokenizer: " %{daddr}/%{dport} %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{daddr} %{p3}", field: "nwparser.p2" } }),
]);

var dup2181 = match({
  dissect: {
    tokenizer: " failed %{p4}",
    field: "nwparser.p3",
  },
});

// Only the single-server form records which server failed (hostip).
var dup2182 = linear_select([
  match({ dissect: { tokenizer: " (all servers failed) %{p5}", field: "nwparser.p4" } }),
  match({ dissect: { tokenizer: " (server %{hostip} failed) %{p5}", field: "nwparser.p4" } }),
]);

var dup2183 = set_field({ dest: "nwparser.msg_id1", value: constant("109003:01") });

var dup2184 = match({
  dissect: {
    tokenizer: "%{protocol} access permitted from %{saddr}/%{sport} to %{p0}",
    field: "nwparser.payload",
  },
});

// Destination with an optional extra colon-separated element between interface and address.
var dup2185 = linear_select([
  match({ dissect: { tokenizer: "%{dinterface}:%{fld1}:%{daddr}/%{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{dinterface}:%{daddr}/%{p1}", field: "nwparser.p0" } }),
]);

var dup2186 = set_field({ dest: "nwparser.msg_id1", value: constant("710002") });

var dup2187 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713202") });

var dup2188 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("769004") });

var dup2189 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("106101") });

var dup2190 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("325002") });

var dup2191 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400042") });

var dup2192 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("611313") });

var dup2193 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("614002") });

var dup2194 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("715035") });

var dup2195 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1901000000") });

// Non-numeric ids; presumably assigned to lines that matched none of the specific patterns.
// Worth monitoring how often they occur, since such events carry little parsed detail.
var dup2196 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("CISCOASA_GENERIC_02") });

var dup2197 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("CISCOASA_GENERIC_01") });

var dup2198 = match({
  dissect: {
    tokenizer: " has parsing error; ACE %{info}",
    field: "nwparser.p1",
  },
});

var dup2199 = set_field({ dest: "nwparser.msg_id1", value: constant("109019") });

var dup2200 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400002") });

var dup2201 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400007") });

var dup2202 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("402118") });
var dup2203 = match({ | |
dissect: { | |
tokenizer: "Pre-allocate CTIQBE %{p0}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup2204 = linear_select([ | |
match({ | |
dissect: { | |
tokenizer: " RTP %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
dissect: { | |
tokenizer: " RTCP %{p1}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup2205 = match({ | |
dissect: { | |
tokenizer: " secondary channel for %{sinterface}:%{p2}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup2206 = match({ | |
dissect: { | |
tokenizer: " from %{fld1}", | |
field: "nwparser.p5", | |
}, | |
}); | |
var dup2207 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("620001:01"), | |
}); | |
var dup2208 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("620001"), | |
}); | |
var dup2209 = set_field({ | |
dest: "nwparser.nwparser.msg_id1", | |
value: constant("717028"), | |
}); | |
var dup2210 = match({ | |
dissect: { | |
tokenizer: " Transmitting large packet %{bytes} (%{info})", | |
field: "nwparser.p3", | |
}, | |
}); | |
var dup2211 = set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722036"), | |
}); | |
// Message-id taggers, one constant per ASA message id.
// NOTE(review): every dest in this run is "nwparser.nwparser.msg_id1" (doubled
// prefix); other taggers in this file use "nwparser.msg_id1". Confirm the
// intended key, since rules keyed on msg_id1 may not see these values.
var dup2212 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("730010") });
var dup2213 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("209004") });
var dup2214 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("611306") });
var dup2215 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("709003") });
var dup2216 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720037") });
var dup2217 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("752010") });
var dup2218 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("605002") });
var dup2219 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("110002") });
var dup2220 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("110002:01") });
var dup2221 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("501101") });
var dup2222 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("501101:01") });
// "Group ... User ... IP ... SVC Message:" chain: payload -> p0 -> p1 -> p2 -> p3.
// Each stage offers a bracketed form first and a bare form second.
// NOTE(review): "\u003c\u003c" is "<<" and "\u003e" is ">", so the bracketed
// alternatives expect two opening brackets and one closing bracket. If real
// events carry a single "<", only the bare form matches and the captured
// group/username/saddr keep their brackets — verify against sample logs.
// NOTE(review): group and username come from the logged session and are not
// trusted input. The delimiters are plain text (" User ", " IP "), so a value
// containing that text could shift the later captures, presumably including
// saddr; worth a parser test with such a sample.
var dup2223 = match({ dissect: { tokenizer: "Group %{p0}", field: "nwparser.payload" } });
var dup2224 = linear_select([
  match({ dissect: { tokenizer: "\u003c\u003c%{group}\u003e User %{p1}", field: "nwparser.p0" } }),
  match({ dissect: { tokenizer: "%{group} User %{p1}", field: "nwparser.p0" } })
]);
var dup2225 = linear_select([
  match({ dissect: { tokenizer: "\u003c\u003c%{username}\u003e IP %{p2}", field: "nwparser.p1" } }),
  match({ dissect: { tokenizer: "%{username} IP %{p2}", field: "nwparser.p1" } })
]);
var dup2226 = linear_select([
  match({
    dissect: { tokenizer: "\u003c\u003c%{saddr}\u003e SVC Message: %{p3}", field: "nwparser.p2" }
  }),
  match({ dissect: { tokenizer: "%{saddr} SVC Message: %{p3}", field: "nwparser.p2" } })
]);
var dup2227 = set_field({ dest: "nwparser.msg_id1", value: constant("722010") });
// Host "is attacking" / "is targeted" messages: both alternatives capture the
// address into the same `hostip` key, so the attacker/target role is not
// preserved in the field name — presumably it is recorded elsewhere; confirm.
var dup2228 = linear_select([
  match({ dissect: { tokenizer: " %{hostip} is attacking. %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " %{hostip} is targeted. %{p0}", field: "nwparser.payload" } })
]);
var dup2229 = set_field({ dest: "nwparser.eventcategory", value: constant("1103000000") });
var dup2230 = set_field({ dest: "nwparser.msg_id1", value: constant("733101") });
var dup2231 = match({ dissect: { tokenizer: ", Addr %{hostip}, %{result}", field: "nwparser.p1" } });
var dup2232 = set_field({ dest: "nwparser.msg_id1", value: constant("734001") });
// NOTE(review): doubled "nwparser.nwparser." prefix, unlike dup2230/dup2232 — confirm.
var dup2233 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("105007") });
// Greylisted-traffic tail, destination variant: captures both endpoints with
// their translated address/port, the list name (web_domain), severity and
// category (result). Reads nwparser.p3.
var dup2234 = match({
  dissect: {
    tokenizer: " greylisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), destination %{fld1} resolved from %{fld2} list:%{web_domain} threat-level: %{severity}, category: %{result}",
    field: "nwparser.p3"
  }
});
var dup2235 = set_field({ dest: "nwparser.msg_id1", value: constant("338202") });
// NOTE(review): the next two use the doubled "nwparser.nwparser." prefix — confirm.
var dup2236 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("500004") });
var dup2237 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718044") });
// Access-list "has config error; ACE" chain: p1 -> p2 -> p3.
var dup2238 = match({ dissect: { tokenizer: " has config error; ACE %{p2}", field: "nwparser.p1" } });
// First alternative captures a quoted detail into `info`; the second only
// consumes a token into `space` and passes the rest on.
var dup2239 = linear_select([
  match({ dissect: { tokenizer: " : '%{info}' %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: " %{space} %{p3}", field: "nwparser.p2" } })
]);
var dup2240 = set_field({ dest: "nwparser.msg_id1", value: constant("109020") });
// URL-access and FTP fragments plus message-id taggers.
// `url`, `filename` and the FTP user remainder are client-supplied text as
// logged by the device; treat the parsed values as untrusted downstream.
var dup2241 = match({
  dissect: { tokenizer: "@%{daddr} %{action} %{saddr}:%{url}", field: "nwparser.p0" }
});
var dup2242 = set_field({ dest: "nwparser.msg_id1", value: constant("303002") });
var dup2243 = match({
  dissect: {
    tokenizer: "FTP connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}, user %{p0}",
    field: "nwparser.payload"
  }
});
var dup2244 = match({ dissect: { tokenizer: " %{action} file %{filename}", field: "nwparser.p1" } });
var dup2245 = set_field({ dest: "nwparser.msg_id1", value: constant("303002:02") });
// NOTE(review): dup2246-dup2249 and dup2251-dup2252 write to
// "nwparser.nwparser.msg_id1"; dup2242/dup2245/dup2250 write to
// "nwparser.msg_id1". The split looks unintentional — confirm.
var dup2246 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("303002:01") });
var dup2247 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400010") });
var dup2248 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400032") });
var dup2249 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("718059") });
var dup2250 = set_field({ dest: "nwparser.msg_id1", value: constant("111005") });
var dup2251 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("709001") });
var dup2252 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("210010") });
// Call-signalling pre-allocation: accepts both spellings of the keyword, then
// captures service name and the foreign/local endpoints from nwparser.p0.
var dup2253 = linear_select([
  match({ dissect: { tokenizer: " Pre-allocate %{p0}", field: "nwparser.payload" } }),
  match({ dissect: { tokenizer: " Preallocate %{p0}", field: "nwparser.payload" } })
]);
var dup2254 = match({
  dissect: {
    tokenizer: " %{network_service} Call Signalling Connection for faddr %{saddr}/%{sport} to laddr %{daddr}",
    field: "nwparser.p0"
  }
});
var dup2255 = set_field({ dest: "nwparser.msg_id1", value: constant("302012") });
// NOTE(review): doubled "nwparser.nwparser." prefix on the remaining taggers,
// unlike dup2255 — confirm the intended destination key.
var dup2256 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400013") });
var dup2257 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720005") });
var dup2258 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("720055") });
var dup2259 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("776251") });
var dup2260 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("112001") });
var dup2261 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403103") });
var dup2262 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("713227") });
var dup2263 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201007") });
// "Reload scheduled" message: schedule time -> fld1, then (from p1) the time
// the command was issued -> fld2 and the stated reason -> result.
var dup2264 = match({
  dissect: { tokenizer: "Reload scheduled for %{fld1} by %{p0}", field: "nwparser.payload" }
});
var dup2265 = match({
  dissect: { tokenizer: " at %{fld2}. Reload reason: %{result}", field: "nwparser.p1" }
});
var dup2266 = set_field({ dest: "nwparser.msg_id1", value: constant("199007") });
// NOTE(review): doubled "nwparser.nwparser." prefix, unlike dup2266 — confirm.
var dup2267 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("302008") });
// Whitelisted-traffic tail: endpoints with translated address/port, the
// resolved source (hostip), list number and list text (info). Reads nwparser.p1.
var dup2268 = match({
  dissect: {
    tokenizer: " %{action} whitelisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), source %{hostip} resolved from %{listnum} list:%{info}",
    field: "nwparser.p1"
  }
});
var dup2269 = set_field({ dest: "nwparser.msg_id1", value: constant("338103") });
// NOTE(review): everything below writes under "nwparser.nwparser." (including
// the eventcategory in dup2274), unlike dup2269. Confirm the intended keys;
// a misplaced msg_id1/eventcategory silently breaks rules that filter on them.
var dup2270 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("608001:01") });
var dup2271 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("608001") });
var dup2272 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("730001") });
var dup2273 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("730002") });
var dup2274 = set_field({ dest: "nwparser.nwparser.eventcategory", value: constant("1301010000") });
var dup2275 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("109017") });
var dup2276 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("201011") });
var dup2277 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("303003") });
var dup2278 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("614001") });
var dup2279 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("111003") });
var dup2280 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("400026") });
var dup2281 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("403504") });
var dup2282 = set_field({ dest: "nwparser.nwparser.msg_id1", value: constant("415012") });
// Greylisted-traffic tail, source variant: same capture set as the
// destination form, with "source" as the literal before %{fld1}.
var dup2283 = match({
  dissect: {
    tokenizer: " greylisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), source %{fld1} resolved from %{fld2} list:%{web_domain} threat-level: %{severity}, category: %{result}",
    field: "nwparser.p3"
  }
});
var dup2284 = set_field({ dest: "nwparser.msg_id1", value: constant("338201") });
// Header-derived values shared by many messages.
// NOTE(review): dest is "nwparser." with no field name after the prefix; it
// looks like the target name was lost during generation — confirm what SYSVAL
// is meant to populate here.
var dup2285 = call({
  dest: "nwparser.",
  fn: SYSVAL,
  args: [field("$MSGID"), field("$ID1")]
});
var dup2286 = call({ dest: "nwparser.level", fn: HDR, args: [field("level")] });
// Builds event_time from six header captures using one format list.
var dup2287 = date_time({
  dest: "event_time",
  args: ["month", "day", "year", "hhour", "hmin", "hsec"],
  fmt: [dB, dF, dW, dN, dU, dO]
});
var dup2288 = set_field({ dest: "nwparser.msg", value: field("$MSG") });
var dup2289 = call({ dest: "nwparser.id", fn: HDR, args: [field("messageid")] });
// Event-classification tags (ec_theme / ec_subject / ec_activity / ec_outcome),
// dispositions and fixed descriptions.
var dup2290 = set_field({ dest: "nwparser.ec_theme", value: constant("Configuration") });
var dup2291 = set_field({ dest: "nwparser.ec_subject", value: constant("Configuration") });
var dup2292 = set_field({ dest: "nwparser.ec_activity", value: constant("Modify") });
// NOTE(review): disposition is emitted as both "failed" and "Failed";
// case-sensitive queries on this field need to cover both spellings.
var dup2293 = set_field({ dest: "nwparser.disposition", value: constant("failed") });
var dup2294 = set_field({ dest: "nwparser.disposition", value: constant("Failed") });
var dup2295 = set_field({ dest: "nwparser.ec_activity", value: constant("Disable") });
var dup2296 = set_field({ dest: "nwparser.ec_activity", value: constant("Enable") });
var dup2297 = set_field({
  dest: "nwparser.event_description",
  value: constant("Monitoring on interface")
});
var dup2298 = set_field({ dest: "nwparser.event_description", value: constant("Testing Interface") });
var dup2299 = set_field({ dest: "nwparser.ec_outcome", value: constant("Error") });
var dup2300 = set_field({ dest: "nwparser.ec_activity", value: constant("Deny") });
var dup2301 = set_field({ dest: "nwparser.ec_theme", value: constant("Communication") });
var dup2302 = set_field({ dest: "nwparser.ec_subject", value: constant("NetworkComm") });
// Direction check on the source address; the result lands in nwparser.inout.
var dup2303 = call({ dest: "nwparser.inout", fn: DIRCHK, args: [field("saddr")] });
var dup2304 = set_field({ dest: "nwparser.event_description", value: constant("connection denied") });
var dup2305 = set_field({ dest: "nwparser.event_description", value: constant("Translation denied") });
// NOTE(review): protocol is tagged "icmp" here and "ICMP" in dup2308;
// normalise in queries or expect split aggregations.
var dup2306 = set_field({ dest: "nwparser.protocol", value: constant("icmp") });
var dup2307 = set_field({ dest: "nwparser.event_description", value: constant("connection dropped") });
var dup2308 = set_field({ dest: "nwparser.protocol", value: constant("ICMP") });
var dup2309 = set_field({ dest: "nwparser.ec_theme", value: constant("TEV") });
var dup2310 = set_field({
  dest: "nwparser.event_description",
  value: constant("denied by access-list")
});
var dup2311 = set_field({
  dest: "nwparser.event_description",
  value: constant("denied by access-group")
});
// event_time with two candidate format lists.
// NOTE(review): six args are supplied but the second list has five specifiers
// (no dW); presumably it covers headers that carry no year — confirm how
// date_times pairs args with the shorter list.
var dup2312 = date_times({
  dest: "event_time",
  args: ["month", "day", "year", "hhour", "hmin", "hsec"],
  fmts: [
    [dB, dF, dW, dN, dU, dO],
    [dB, dF, dN, dU, dO]
  ]
});
// Classification tags, hit-count handling and authentication outcomes.
var dup2313 = set_field({ dest: "nwparser.ec_theme", value: constant("ALM") });
var dup2314 = set_field({ dest: "nwparser.ec_outcome", value: constant("Failure") });
// NOTE(review): counter label is "Hitcount" here and "HitCount" in dup2319.
var dup2315 = set_field({ dest: "nwparser.dclass_counter1_string", value: constant("Hitcount") });
var dup2316 = set_field({ dest: "nwparser.ec_outcome", value: constant("Success") });
var dup2317 = set_field({ dest: "nwparser.event_description", value: constant("permitted") });
// NOTE(review): %{info} appears four times back to back with no delimiter
// between the keys; this looks like a conversion artifact and it is unclear
// what ends up in `info` — verify against a sample event.
var dup2318 = match({
  dissect: { tokenizer: "%{dclass_counter1} %{info}%{info}%{info}%{info}", field: "nwparser.p5" }
});
var dup2319 = set_field({ dest: "nwparser.dclass_counter1_string", value: constant("HitCount") });
var dup2320 = set_field({ dest: "nwparser.ec_theme", value: constant("Authentication") });
var dup2321 = set_field({ dest: "nwparser.ec_subject", value: constant("User") });
// NOTE(review): authentication failures are described with different casing
// ("authentication failed" here, "Authentication Failed" in dup2329); alerts
// that match on event_description should be case-insensitive.
var dup2322 = set_field({
  dest: "nwparser.event_description",
  value: constant("authentication failed")
});
var dup2323 = set_field({ dest: "nwparser.result", value: constant("all servers failed") });
var dup2324 = set_field({ dest: "nwparser.ec_activity", value: constant("Permit") });
var dup2325 = set_field({ dest: "nwparser.ec_theme", value: constant("AccessControl") });
var dup2326 = set_field({ dest: "nwparser.result", value: constant("Authorization denied") });
var dup2327 = set_field({ dest: "nwparser.ec_outcome", value: constant("Unknown") });
var dup2328 = set_field({
  dest: "nwparser.event_description",
  value: constant("Authorization denied")
});
var dup2329 = set_field({
  dest: "nwparser.event_description",
  value: constant("Authentication Failed")
});
var dup2330 = set_field({
  dest: "nwparser.result",
  value: constant("Interactive challenge processing not supported")
});
// dup2331 is a bare constant (no destination); the consumer picks the field.
var dup2331 = constant("Routing failed to locate next-hop");
var dup2332 = set_field({ dest: "nwparser.ec_activity", value: constant("Read") });
var dup2333 = set_field({ dest: "nwparser.ec_activity", value: constant("Delete") });
var dup2334 = set_field({ dest: "nwparser.ec_activity", value: constant("Stop") });
var dup2335 = set_field({ dest: "nwparser.ec_activity", value: constant("Logon") });
var dup2336 = set_field({
  dest: "nwparser.event_description",
  value: constant("User executed command")
});
var dup2337 = set_field({
  dest: "nwparser.event_description",
  value: constant("user authentication rejected")
});
var dup2338 = set_field({
  dest: "nwparser.result",
  value: constant("retrieved default group policy")
});
// nwparser.bytes = sbytes "+" rbytes via CALC. Both operands are parsed from
// the log line; how CALC treats a missing or non-numeric operand is not
// visible here — confirm before alerting on byte totals.
var dup2339 = call({
  dest: "nwparser.bytes",
  fn: CALC,
  args: [field("sbytes"), constant("+"), field("rbytes")]
});
var dup2340 = set_field({ dest: "nwparser.event_type", value: constant("VPN") });
var dup2341 = set_field({
  dest: "nwparser.event_description",
  value: constant("Embryonic limit exceeded")
});
// NOTE(review): "Embyonic" is misspelled in the emitted value. It is kept as
// is because existing content may match on it; a search for "Embryonic" will
// not find events tagged by dup2342.
var dup2342 = set_field({
  dest: "nwparser.event_description",
  value: constant("Embyonic connection limit exceeded")
});
var dup2343 = set_field({ dest: "nwparser.ec_theme", value: constant("Encryption") });
var dup2344 = set_field({ dest: "nwparser.ec_subject", value: constant("CryptoKey") });
var dup2345 = set_field({ dest: "nwparser.protocol", value: constant("UDP") });
var dup2346 = set_field({ dest: "nwparser.direction", value: constant("inbound") });
var dup2347 = set_field({ dest: "nwparser.direction", value: constant("outbound") });
// NOTE(review): connection descriptions differ only by case or tense
// ("teardown connection" / "Teardown connection", "build connection" here and
// "Built connection" elsewhere in the file).
var dup2348 = set_field({
  dest: "nwparser.event_description",
  value: constant("teardown connection")
});
var dup2349 = set_field({ dest: "nwparser.protocol", value: constant("TCP") });
var dup2350 = set_field({ dest: "nwparser.event_description", value: constant("build connection") });
var dup2351 = set_field({
  dest: "nwparser.event_description",
  value: constant("Connection pre-allocated")
});
var dup2352 = set_field({
  dest: "nwparser.event_description",
  value: constant("Teardown connection")
});
var dup2353 = set_field({
  dest: "nwparser.event_description",
  value: constant("Rebuilt connection")
});
// Connection-detail fragments.
// The tokenizer ends in "))": it expects the translated pair's own closing
// parenthesis followed by one more.
var dup2354 = match({
  dissect: { tokenizer: "%{sport} (%{stransaddr}/%{stransport}))", field: "nwparser.p3" }
});
// Converts the captured duration using the "%N:%U:%O" layout.
var dup2355 = call({
  dest: "nwparser.duration",
  fn: DUR,
  args: [constant("%N:%U:%O"), field("duration")]
});
var dup2356 = match({ dissect: { tokenizer: " '%{username}' %{p7}", field: "nwparser.p6" } });
// Destination endpoint with an optional user: parenthesised form, then
// space-separated form, then no user at all. The order matters if
// linear_select stops at the first alternative that matches.
// NOTE(review): in the second form `username` is whatever token follows the
// port, so a line without a user may yield a non-user token here — verify.
var dup2357 = linear_select([
  match({ dissect: { tokenizer: "%{daddr}/%{dport}(%{username})%{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: "%{daddr}/%{dport} %{username} %{p3}", field: "nwparser.p2" } }),
  match({ dissect: { tokenizer: "%{daddr}/%{dport} %{p3}", field: "nwparser.p2" } })
]);
var dup2358 = set_field({ dest: "nwparser.event_description", value: constant("Built connection") });
// Derives the protocol from the captured action text via action2Proto.
var dup2359 = call({ dest: "nwparser.protocol", fn: action2Proto, args: [field("action")] });
// URL decomposition: one URL() call per component, all reading the captured
// `url`. That value is requester-supplied text, so the derived
// domain/root/page/query fields should be treated as untrusted when rendered
// or used to build further queries.
var dup2360 = call({ dest: "nwparser.urldomain", fn: URL, args: [field("$DOMAIN"), field("url")] });
var dup2361 = call({ dest: "nwparser.urlroot", fn: URL, args: [field("$ROOT"), field("url")] });
var dup2362 = call({ dest: "nwparser.urlpage", fn: URL, args: [field("$PAGE"), field("url")] });
var dup2363 = call({ dest: "nwparser.urlquery", fn: URL, args: [field("$QUERY"), field("url")] });
var dup2364 = set_field({ dest: "nwparser.event_description", value: constant("Accessed") });
var dup2365 = set_field({ dest: "nwparser.protocol", value: constant("HTTP") });
var dup2366 = set_field({
  dest: "nwparser.event_description",
  value: constant("teardown translation")
});
// NAT / login-session descriptions and fixed port values.
var dup2367 = set_field({
  dest: "nwparser.event_description",
  value: constant("No translation group found")
});
var dup2368 = set_field({
  dest: "nwparser.event_description",
  value: constant("translation creation failed")
});
var dup2369 = set_field({ dest: "nwparser.event_description", value: constant("Built translation") });
// NOTE(review): %{dport} is listed twice with no delimiter between the two
// keys; likely a conversion artifact — check what dport holds after a match.
var dup2370 = match({
  dissect: { tokenizer: "%{dinterface}:%{daddr}/%{dport}%{dport}", field: "nwparser.p1" }
});
var dup2371 = set_field({
  dest: "nwparser.result",
  value: constant("due to NAT reverse path failure")
});
// Hard-coded ports: these values are assigned by the parser, not read from the
// event, so they should not be taken as observed traffic.
var dup2372 = set_field({ dest: "nwparser.dport", value: constant("23") });
var dup2373 = set_field({ dest: "nwparser.sport", value: constant("0") });
var dup2374 = set_field({
  dest: "nwparser.event_description",
  value: constant("Denied login session")
});
var dup2375 = set_field({
  dest: "nwparser.event_description",
  value: constant("login session failure")
});
var dup2376 = set_field({
  dest: "nwparser.event_description",
  value: constant("session limit exceeded")
});
var dup2377 = set_field({
  dest: "nwparser.event_description",
  value: constant("Invalid destination")
});
var dup2378 = set_field({
  dest: "nwparser.event_description",
  value: constant("Login session failed")
});
var dup2379 = set_field({
  dest: "nwparser.event_description",
  value: constant("Web Cache acquired")
});
var dup2380 = set_field({ dest: "nwparser.ec_activity", value: constant("Create") });
// Zone lookups keyed on `inout` (set by the DIRCHK call elsewhere in the file).
// NOTE(review): map_srcDirName / map_dstDirName are built at the top of the
// file from dup2455/dup2456, which are only assigned much later. With `var`
// hoisting the maps may have captured `undefined` — confirm src_zone and
// dst_zone are actually populated.
var dup2381 = lookup({ dest: "nwparser.src_zone", map: map_srcDirName, key: field("inout") });
var dup2382 = lookup({ dest: "nwparser.dst_zone", map: map_dstDirName, key: field("inout") });
var dup2383 = call({ dest: "nwparser.sigcat", fn: SYSVAL, args: [field("$CATEGORY")] });
// Fixed descriptions/results for IPSEC, FTP, DNS, ICMP and IPS drop events.
var dup2384 = set_field({
  dest: "nwparser.event_description",
  value: constant("invalid IPSEC packet")
});
var dup2385 = set_field({ dest: "nwparser.service", value: constant("IPSEC") });
var dup2386 = set_field({ dest: "nwparser.result", value: constant("hardware accelerator error") });
var dup2387 = set_field({
  dest: "nwparser.event_description",
  value: constant("Unable to create new connection")
});
var dup2388 = set_field({
  dest: "nwparser.event_description",
  value: constant("FTP connection terminated")
});
var dup2389 = set_field({ dest: "nwparser.result", value: constant("for through connections") });
var dup2390 = set_field({
  dest: "nwparser.event_description",
  value: constant("Dropped DNS UDP packet - length exceeded")
});
var dup2391 = set_field({ dest: "nwparser.context", value: constant("Content type not found") });
var dup2392 = set_field({
  dest: "nwparser.event_description",
  value: constant("icmp packet denied")
});
// NOTE(review): "mangement-only" is misspelled in the emitted value; it is
// left unchanged because searches may already depend on the exact string.
var dup2393 = set_field({
  dest: "nwparser.result",
  value: constant("to/from mangement-only network")
});
var dup2394 = set_field({ dest: "nwparser.event_description", value: constant("packet denied") });
var dup2395 = set_field({
  dest: "nwparser.event_description",
  value: constant("IPS request to drop packet")
});
var dup2396 = set_field({ dest: "nwparser.ec_theme", value: constant("UserGroup") });
// NOTE(review): %{info} is repeated with no delimiter between the two keys;
// likely a conversion artifact — verify the captured value.
var dup2397 = match({
  dissect: { tokenizer: "%{application}\", %{info}%{info}", field: "nwparser.p0" }
});
// ICMP, ISAKMP session, authentication and NAT/policy descriptions.
var dup2398 = set_field({
  dest: "nwparser.event_description",
  value: constant("Received an ICMP Destination Unreachable")
});
var dup2399 = set_field({
  dest: "nwparser.event_description",
  value: constant("ISAKMP session connected")
});
var dup2400 = set_field({
  dest: "nwparser.event_description",
  value: constant("ISAKMP session disconnected")
});
// Bare constant with no destination; the consumer decides which field it fills.
var dup2401 = constant("Login denied");
var dup2402 = set_field({
  dest: "nwparser.result",
  value: constant("User authentication succeeded")
});
var dup2403 = set_field({
  dest: "nwparser.event_description",
  value: constant("User Authentication failed")
});
var dup2404 = set_field({ dest: "nwparser.ec_activity", value: constant("Logoff") });
var dup2405 = set_field({ dest: "nwparser.event_description", value: constant("NAT configured") });
var dup2406 = set_field({
  dest: "nwparser.event_description",
  value: constant("NAT exemption configured")
});
var dup2407 = set_field({ dest: "nwparser.event_description", value: constant("Policy installed") });
// IKE / tunnel lifecycle descriptions and related tags.
var dup2408 = set_field({
  dest: "nwparser.event_description",
  value: constant("Pre-allocate connection")
});
var dup2409 = set_field({
  dest: "nwparser.event_description",
  value: constant("Phase 1 delete received")
});
var dup2410 = set_field({
  dest: "nwparser.event_description",
  value: constant("Phase 1 delete sent")
});
var dup2411 = set_field({ dest: "nwparser.event_description", value: constant("DPD timed out") });
var dup2412 = set_field({
  dest: "nwparser.event_description",
  value: constant("Phase 1 retransmission")
});
var dup2413 = set_field({
  dest: "nwparser.event_description",
  value: constant("malformed payload received")
});
var dup2414 = set_field({
  dest: "nwparser.event_description",
  value: constant("duplicate packet detected")
});
var dup2415 = set_field({
  dest: "nwparser.event_description",
  value: constant("Phase 1 exchange started")
});
var dup2416 = set_field({
  dest: "nwparser.event_description",
  value: constant("Phase 1 exchange completed")
});
var dup2417 = set_field({
  dest: "nwparser.event_description",
  value: constant("Phase 1 initiating rekey")
});
var dup2418 = set_field({ dest: "nwparser.event_description", value: constant("request discarded") });
var dup2419 = set_field({
  dest: "nwparser.event_description",
  value: constant("IKE Initiator New/Rekeying Phase")
});
// "Tunnel Rejected" exists both as a result setter (dup2420) and as a bare
// constant (dup2428).
var dup2420 = set_field({ dest: "nwparser.result", value: constant("Tunnel Rejected") });
var dup2421 = set_field({ dest: "nwparser.ec_subject", value: constant("Message") });
var dup2422 = set_field({ dest: "nwparser.ec_activity", value: constant("Receive") });
var dup2423 = set_field({
  dest: "nwparser.event_description",
  value: constant("Rekeying duration changed")
});
var dup2424 = set_field({
  dest: "nwparser.event_description",
  value: constant("IKE lost contact with remote peer deleting connection")
});
var dup2425 = set_field({
  dest: "nwparser.event_description",
  value: constant("Connection Redirected via Load Balancing")
});
var dup2426 = set_field({
  dest: "nwparser.event_description",
  value: constant("deleting static route for address")
});
var dup2427 = set_field({
  dest: "nwparser.event_description",
  value: constant("Remote peer has failed user authentication")
});
var dup2428 = constant("Tunnel Rejected");
var dup2429 = set_field({ dest: "nwparser.event_description", value: constant("Client allowed") });
var dup2430 = set_field({
  dest: "nwparser.event_description",
  value: constant("Static Crypto Map check")
});
var dup2431 = set_field({
  dest: "nwparser.event_description",
  value: constant("Session is being torn down")
});
var dup2432 = set_field({
  dest: "nwparser.event_description",
  value: constant("IKEGetUserAttributes")
});
// SVC/SSL session descriptions and address-assignment results.
var dup2433 = set_field({ dest: "nwparser.ec_subject", value: constant("Certificate") });
var dup2434 = set_field({
  dest: "nwparser.event_description",
  value: constant("SVC connection established")
});
var dup2435 = set_field({
  dest: "nwparser.event_description",
  value: constant("SVC Session Termination")
});
var dup2436 = set_field({
  dest: "nwparser.event_description",
  value: constant("Session terminated")
});
var dup2437 = set_field({
  dest: "nwparser.event_description",
  value: constant("assigned to session")
});
var dup2438 = set_field({
  dest: "nwparser.event_description",
  value: constant("Starting SSL handshake")
});
var dup2439 = set_field({
  dest: "nwparser.event_description",
  value: constant("SSL server requesting certificate for authentication")
});
var dup2440 = set_field({
  dest: "nwparser.event_description",
  value: constant("Device failed SSL handshake")
});
var dup2441 = set_field({
  dest: "nwparser.event_description",
  value: constant("Device proposes cipher(s)")
});
var dup2442 = set_field({
  dest: "nwparser.event_description",
  value: constant("Device chooses cipher for the SSL session")
});
var dup2443 = set_field({ dest: "nwparser.result", value: constant("DHCP configured") });
// The emitted value ends with a space; exact-match filters must include it.
var dup2444 = set_field({ dest: "nwparser.result", value: constant("Local pool request succeeded ") });
var dup2445 = set_field({
  dest: "nwparser.event_description",
  value: constant("Address assignment failed")
});
var dup2446 = set_field({ dest: "nwparser.result", value: constant("Freeing local pool address") });
var dup2447 = set_field({
  dest: "nwparser.result",
  value: constant("Unable to get address from group-policy or tunnel-group")
});
var dup2448 = set_field({ dest: "nwparser.result", value: constant("Succeeded") });
// Last of the shared (dupNNNN) definitions.
var dup2449 = constant("Failed");
// Same six header captures as the other event_time builders, but with the
// dH/dT/dS specifiers for the time part.
var dup2450 = date_time({
  dest: "event_time",
  args: ["month", "day", "year", "hhour", "hmin", "hsec"],
  fmt: [dB, dF, dW, dH, dT, dS]
});
var dup2451 = set_field({ dest: "nwparser.event_description", value: constant("Denied IPv6-ICMP") });
// p_msgid is copied into three destinations: id, msg_id and vid.
var dup2452 = set_field({ dest: "nwparser.id", value: field("p_msgid") });
var dup2453 = set_field({ dest: "nwparser.msg_id", value: field("p_msgid") });
var dup2454 = set_field({ dest: "nwparser.vid", value: field("p_msgid") });
// NOTE(review): map_srcDirName and map_dstDirName at the top of the file read
// dup2455/dup2456 when their object literals are evaluated. `var` hoists only
// the declaration, so at that point both names are still `undefined` unless
// something re-evaluates the maps later — confirm that the src_zone/dst_zone
// lookups return INSIDE/OUTSIDE as intended.
var dup2455 = constant("INSIDE");
var dup2456 = constant("OUTSIDE");
// Header matchers. All of them read the raw `message` and split it into
// level, messageid and payload, optionally with a timestamp and sender.
// The sender (hostip / hhost) is text taken from the line itself, not the
// transport peer, so it is only as trustworthy as the log source.
var hdr1 = match({
  dissect: { tokenizer: "%ASA-%{level}-%{messageid}: %{payload}", field: "message" }
});
var hdr2 = match({
  dissect: {
    tokenizer: "%{month} %{day} %{year} %{hhour}:%{hmin}:%{hsec} %{hostip} : %ASA-%{level}-%{messageid}: %{payload}",
    field: "message"
  }
});
var hdr3 = match({
  dissect: {
    tokenizer: "%{month} %{day} %{year} %{hhour}:%{hmin}:%{hsec} %{hhost}: %ASA-%{level}-%{messageid}: %{payload}",
    field: "message"
  }
});
// Three-stage variant: date (hdr4) -> time with or without a trailing colon
// (select1) -> level/messageid/payload (msg3). all1 lists the three stages.
var hdr4 = match({ dissect: { tokenizer: "%{month} %{day} %{year} %{p0}", field: "message" } });
var msg1 = match({
  dissect: { tokenizer: "%{hhour}:%{hmin}:%{hsec}: %ASA%{p1}", field: "nwparser.p0" }
});
var msg2 = match({
  dissect: { tokenizer: "%{hhour}:%{hmin}:%{hsec} %ASA%{p1}", field: "nwparser.p0" }
});
var select1 = linear_select([msg1, msg2]);
var msg3 = match({
  dissect: { tokenizer: "-%{level}-%{messageid}: %{payload}", field: "nwparser.p1" }
});
var all1 = all_match({ processors: [hdr4, select1, msg3] });
// Single-stage header patterns, all applied to the raw "message" field.
// Each one extracts level, messageid and payload; some also capture a
// timestamp, a host/peer address or an extra header field.
// NOTE(review): hostip and paddr are read from the message text itself, so
// they are only as trustworthy as the transport that delivered the line.

// "<month> <day> <time> <hostip> %ASA-<level>-<messageid>: <payload>"
var hdr5 = match({
  dissect: {
    tokenizer: "%{month} %{day} %{hhour}:%{hmin}:%{hsec} %{hostip} %ASA-%{level}-%{messageid}: %{payload}",
    field: "message",
  },
});

// "<paddr> %ASA-<level>-<messageid>: <payload>"
var hdr6 = match({
  dissect: {
    tokenizer: "%{paddr} %ASA-%{level}-%{messageid}: %{payload}",
    field: "message",
  },
});

// Timestamp with timezone and a leading ':'; one extra dash-separated field
// (hfld1) sits between "%ASA-" and the level.
var hdr7 = match({
  dissect: {
    tokenizer: ":%{month} %{day} %{hhour}:%{hmin}:%{hsec} %{timezone}: %ASA-%{hfld1}-%{level}-%{messageid}: %{payload}",
    field: "message",
  },
});

// Same as hdr7 without the leading ':'.
var hdr8 = match({
  dissect: {
    tokenizer: "%{month} %{day} %{hhour}:%{hmin}:%{hsec} %{timezone}: %ASA-%{hfld1}-%{level}-%{messageid}: %{payload}",
    field: "message",
  },
});

// Bare tag with three dash-separated keys before the colon.
// NOTE(review): a plain "%ASA-<level>-<messageid>: ..." line has only two
// dashes before the colon; whether it could still satisfy this pattern by
// taking a '-' from the payload depends on the dissect implementation and on
// hdr1-hdr3 (outside this excerpt). Worth pinning with a fixture.
var hdr9 = match({
  dissect: {
    tokenizer: "%ASA-%{hfld1}-%{level}-%{messageid}: %{payload}",
    field: "message",
  },
});

// Bare tag where messageid is followed by a space instead of ": ".
var hdr10 = match({
  dissect: {
    tokenizer: "%ASA-%{level}-%{messageid} %{payload}",
    field: "message",
  },
});

// The %FWSM variants below mirror the %ASA shapes above.
var hdr11 = match({
  dissect: {
    tokenizer: "%FWSM-%{level}-%{messageid}: %{payload}",
    field: "message",
  },
});

var hdr12 = match({
  dissect: {
    tokenizer: "%{month} %{day} %{year} %{hhour}:%{hmin}:%{hsec} %{paddr} : %FWSM-%{level}-%{messageid}: %{payload}",
    field: "message",
  },
});

var hdr13 = match({
  dissect: {
    tokenizer: "%{month} %{day} %{year} %{hhour}:%{hmin}:%{hsec} %FWSM-%{level}-%{messageid}: %{payload}",
    field: "message",
  },
});

var hdr14 = match({
  dissect: {
    tokenizer: "%{paddr} %FWSM-%{level}-%{messageid}: %{payload}",
    field: "message",
  },
});

// Leading ':' and a group field between "%ASA-" and the level.
var hdr15 = match({
  dissect: {
    tokenizer: ":%ASA-%{group}-%{level}-%{messageid}: %{payload}",
    field: "message",
  },
});
// Catch-all headers. Neither extracts level or messageid from the line; on
// success both run dup0, which sets nwparser.messageid to the constant
// "CISCOASA_GENERIC".
// Operational note: events carrying that id are lines no specific header
// recognised, so their volume is a useful signal for parser drift or
// unexpected log formats.
var hdr16 = match({
  dissect: {
    tokenizer: "%ASA-%{payload}",
    field: "message",
  },
  on_success: processor_chain([dup0]),
});

// Accepts "%ASA-" after an arbitrary prefix (captured as fld).
var hdr17 = match({
  dissect: {
    tokenizer: "%{fld}%ASA-%{payload}",
    field: "message",
  },
  on_success: processor_chain([dup0]),
});

// Header dispatch. hdr4 is not listed directly because it is the first stage
// of all1. The list runs from specific shapes to the two catch-alls.
// NOTE(review): presumably the first matching alternative wins (linear_select
// is defined outside this excerpt); if so, hdr16/hdr17 must stay last or they
// would shadow every more specific %ASA header.
var select2 = linear_select([
  hdr1, hdr2, hdr3,
  all1,
  hdr5, hdr6, hdr7, hdr8, hdr9, hdr10,
  hdr11, hdr12, hdr13, hdr14,
  hdr15,
  hdr16, hdr17,
]);
// Payload parser: "<fld1>: packet missing <fld2>, destadr=<daddr>, actual prot=<protocol>".
// Reads nwparser.payload, i.e. the text left over by the header stage.
var msg4 = match({
  dissect: {
    tokenizer: "%{fld1}: packet missing %{fld2}, destadr=%{daddr}, actual prot=%{protocol}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1, dup2]),
});

// The three parsers below are assembled from shared stages (dupN) declared
// earlier in the file; dup4 is the common middle stage of all three.
var all2 = all_match({
  processors: [dup3, dup4, dup5],
  on_success: processor_chain([dup6, dup7]),
});

var all3 = all_match({
  processors: [dup8, dup4, dup9],
  on_success: processor_chain([dup10, dup11]),
});

var all4 = all_match({
  processors: [dup12, dup4, dup13],
  on_success: processor_chain([dup14, dup15]),
});
// "IP = <saddr>, <free text>": everything after the first ", " lands in
// event_description.
var msg5 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup17]),
});

// Fixed-text NAT-Traversal abort message; only group and saddr are variable.
var msg6 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, NAT-Discovery payloads missing. Aborting NAT-Traversal.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup18, dup19]),
});

// Reload notice: keeps the device-reported time string and the reload reason.
var msg7 = match({
  dissect: {
    tokenizer: "Reloaded at %{event_time_string} by failover parser thread. Reload reason: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup20, dup21]),
});

// Staged alternative built from shared stages declared earlier in the file.
var all5 = all_match({
  processors: [dup22, dup4, dup23, dup24],
  on_success: processor_chain([dup25, dup26]),
});

// msg7 is listed ahead of all5.
var select3 = linear_select([msg7, all5]);
// Signature-style message: "<sigid> Content size <priority> out of range - ..."
// with the protocol and both endpoints at the tail.
var msg8 = match({
  dissect: {
    tokenizer: "%{sigid} Content size %{priority} out of range - %{listnum} %{protocol} from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup27, dup28]),
});

// Only the trailing index is variable.
var msg9 = match({
  dissect: {
    tokenizer: "OBSOLETE DESCRIPTOR - INDEX %{dclass_counter1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup30]),
});

// Two-stage parser built from shared stages declared earlier in the file.
var all6 = all_match({
  processors: [dup31, dup32],
  on_success: processor_chain([dup33, dup34]),
});

// "Group = <group>, IP = <saddr>, <free text>".
var msg10 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup18, dup35]),
});
// AnyConnect parent-session-start message: extracts group, username and saddr.
// NOTE(review): each opening delimiter decodes to "<<" (\u003c\u003c) while the
// closing one is a single ">" (\u003e). That asymmetry looks like an escape
// sequence carried over from the definition this file was generated from. If
// the device writes single angle brackets, this pattern cannot match and the
// session-start fields would never be populated — verify against a sample line.
var msg11 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e AnyConnect parent session started",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup36]),
});
// Three shapes of the same "<identity>, <info>" message, listed from the most
// specific (group + username + IP) to the least.
// NOTE(review): the keys are separated only by the literal ", " and " = "
// strings, and group/username may originate from the connecting peer. A value
// that itself contains a delimiter would shift the field boundaries, so
// downstream detections should treat these fields as unsanitised input.
var msg12 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup37]),
});

var msg13 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup38]),
});

var msg14 = match({
  dissect: {
    tokenizer: "Username = %{username}, IP = %{saddr}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup39]),
});

var select4 = linear_select([msg12, msg13, msg14]);
// "... <action>: msg id = <fld1>" with a group/IP prefix.
var msg15 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{action}: msg id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup40]),
});

// Fixed-text variant without the group/IP prefix; only the msg id is captured.
var msg16 = match({
  dissect: {
    tokenizer: "IKE Initiator sending 1st QM pkt: msg id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup41, dup42]),
});

var select5 = linear_select([msg15, msg16]);
// Note the order in the text: destination first, then source.
var msg17 = match({
  dissect: {
    tokenizer: "No route to %{daddr} from %{saddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup43, dup44]),
});

// Session address assignment: local/remote endpoint, user, group and the
// IPv4/IPv6 addresses handed to the session.
// NOTE(review): address and port are separated by ':' in the Local:/Remote:
// parts; if either endpoint can be an IPv6 literal the split is ambiguous —
// confirm with sample lines.
var msg18 = match({
  dissect: {
    tokenizer: "Local:%{saddr}:%{sport} Remote:%{daddr}:%{dport} Username:%{username} Group:%{group} IPv4 Address=%{stransaddr} IPv6 address=%{hostip_v6} assigned to session",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup46]),
});
// "(<context>) <free text>".
var msg19 = match({
  dissect: {
    tokenizer: "(%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup47, dup48]),
});

// msg20 and msg21 share the same tokenizer: the whole payload is copied into
// event_description. They differ only in the on_success chain, so which one
// runs is decided by whatever references them elsewhere in the file, not by
// the pattern.
var msg20 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup49, dup50]),
});

var msg21 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup51]),
});

// DH key length mismatch: keeps both the received and the expected length.
var msg22 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Received DH key with bad length: received length=%{observed_val} expected length=%{expected_val}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup52]),
});
var all7 = all_match({ | |
processors: [ | |
dup53, | |
dup54, | |
], | |
on_success: processor_chain([ | |
dup55, | |
dup56, | |
]), | |
}); | |
var msg23 = match({ | |
dissect: { | |
tokenizer: "Sent KEEPALIVE response to [%{daddr}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup57, | |
]), | |
}); | |
var msg24 = match({ | |
dissect: { | |
tokenizer: "(WebVPN-%{context}) %{event_description}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
dup59, | |
]), | |
}); | |
var msg25 = match({ | |
dissect: { | |
tokenizer: "(%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup60, | |
]), | |
}); | |
var msg26 = match({ | |
dissect: { | |
tokenizer: "%{service} requested to drop %{protocol} packet from %{sinterface}:%{saddr}/%{sport} %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup62, | |
]), | |
}); | |
var all8 = all_match({ | |
processors: [ | |
dup63, | |
dup64, | |
dup65, | |
dup66, | |
dup67, | |
], | |
on_success: processor_chain([ | |
dup68, | |
dup69, | |
]), | |
}); | |
var all9 = all_match({ | |
processors: [ | |
dup70, | |
dup71, | |
dup72, | |
dup73, | |
dup74, | |
dup75, | |
dup76, | |
dup77, | |
dup78, | |
dup79, | |
dup80, | |
], | |
on_success: processor_chain([ | |
dup81, | |
dup82, | |
]), | |
}); | |
var all10 = all_match({ | |
processors: [ | |
dup70, | |
dup71, | |
dup72, | |
dup73, | |
dup74, | |
dup75, | |
dup76, | |
dup77, | |
], | |
on_success: processor_chain([ | |
dup81, | |
dup83, | |
]), | |
}); | |
var select6 = linear_select([ | |
all9, | |
all10, | |
]); | |
var all11 = all_match({ | |
processors: [ | |
dup84, | |
dup4, | |
], | |
on_success: processor_chain([ | |
dup85, | |
dup86, | |
]), | |
}); | |
var all12 = all_match({ | |
processors: [ | |
dup87, | |
dup88, | |
], | |
on_success: processor_chain([ | |
dup89, | |
dup90, | |
]), | |
}); | |
var all13 = all_match({ | |
processors: [ | |
dup91, | |
dup92, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup94, | |
]), | |
}); | |
var msg27 = match({ | |
dissect: { | |
tokenizer: "Dynamic filter updater server dynamically changed from %{change_old} to %{change_new}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
dup95, | |
]), | |
}); | |
var msg28 = match({ | |
dissect: { | |
tokenizer: "IKE port %{network_port} for IPSec UDP already reserved on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup96, | |
]), | |
}); | |
var all14 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup97, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup98, | |
]), | |
}); | |
var all15 = all_match({ | |
processors: [ | |
dup99, | |
dup100, | |
dup101, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup102, | |
]), | |
}); | |
var msg29 = match({ | |
dissect: { | |
tokenizer: "INFO: %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup103, | |
]), | |
}); | |
var all16 = all_match({ | |
processors: [ | |
dup104, | |
dup4, | |
dup97, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup105, | |
]), | |
}); | |
var select7 = linear_select([ | |
msg28, | |
all14, | |
all15, | |
msg29, | |
all16, | |
]); | |
var msg30 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup106, | |
dup107, | |
]), | |
}); | |
var all17 = all_match({ | |
processors: [ | |
dup108, | |
dup4, | |
dup109, | |
], | |
on_success: processor_chain([ | |
dup110, | |
dup111, | |
]), | |
}); | |
var msg31 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup112, | |
]), | |
}); | |
var all18 = all_match({ | |
processors: [ | |
dup113, | |
dup4, | |
dup114, | |
], | |
on_success: processor_chain([ | |
dup115, | |
dup116, | |
]), | |
}); | |
var msg32 = match({ | |
dissect: { | |
tokenizer: "Revoked certificate issued to user: %{username} with serial number %{result}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup117, | |
]), | |
}); | |
var msg33 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup118, | |
]), | |
}); | |
var msg34 = match({ | |
dissect: { | |
tokenizer: "Built %{context} translation from %{sinterface}:%{saddr} to %{dinterface}:%{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup119, | |
]), | |
}); | |
var msg35 = match({ | |
dissect: { | |
tokenizer: "Web Cache %{saddr}/%{shost} lost", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup120, | |
]), | |
}); | |
var msg36 = match({ | |
dissect: { | |
tokenizer: "VPNClient: NAT configured for Client Mode with split tunneling: NAT addr: %{stransaddr} Split Tunnel Networks:", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup121, | |
dup122, | |
]), | |
}); | |
var msg37 = match({ | |
dissect: { | |
tokenizer: "%{fld1} card in slot %{fld2} which is different from my %{fld3}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all19 = all_match({ | |
processors: [ | |
dup123, | |
dup124, | |
msg37, | |
], | |
on_success: processor_chain([ | |
dup125, | |
dup126, | |
]), | |
}); | |
var all20 = all_match({ | |
processors: [ | |
dup127, | |
dup64, | |
dup128, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup129, | |
]), | |
}); | |
var msg38 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
dup130, | |
]), | |
}); | |
var msg39 = match({ | |
dissect: { | |
tokenizer: "(WebVPN-%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup132, | |
]), | |
}); | |
var msg40 = match({ | |
dissect: { | |
tokenizer: "(%{context})%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
dup133, | |
]), | |
}); | |
var msg41 = match({ | |
dissect: { | |
tokenizer: "%{application}: %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup134, | |
]), | |
}); | |
// NAC policy creation: extracts the policy name and its type text.
// NOTE(review): the opening delimiters decode to "<<" (\u003c\u003c) but the
// closing ones are a single ">" (\u003e). This looks like an escape sequence
// carried over from the definition this file was generated from. If the device
// emits single angle brackets, the pattern cannot match and policy-change
// events would go unparsed — verify against a sample line.
var msg42 = match({
  dissect: {
    tokenizer: "NAC policy added: name: \u003c\u003c%{policyname}\u003e Type: \u003c\u003c %{info} \u003e",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup135, dup136]),
});
var msg43 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup137, | |
dup138, | |
]), | |
}); | |
var all21 = all_match({ | |
processors: [ | |
dup139, | |
dup140, | |
], | |
on_success: processor_chain([ | |
dup141, | |
dup142, | |
]), | |
}); | |
var msg44 = match({ | |
dissect: { | |
tokenizer: "%{hostip} changed from area %{fld1} to area %{fld2}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup18, | |
dup143, | |
]), | |
}); | |
var all22 = all_match({ | |
processors: [ | |
dup144, | |
dup145, | |
dup146, | |
dup147, | |
dup148, | |
dup149, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup150, | |
]), | |
}); | |
var all23 = all_match({ | |
processors: [ | |
dup151, | |
dup152, | |
dup153, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup154, | |
]), | |
}); | |
var select8 = linear_select([ | |
all22, | |
all23, | |
]); | |
var msg45 = match({ | |
dissect: { | |
tokenizer: "Create group policy [%{policyname}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup155, | |
]), | |
}); | |
var all24 = all_match({ | |
processors: [ | |
dup156, | |
dup157, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup158, | |
]), | |
}); | |
var all25 = all_match({ | |
processors: [ | |
dup70, | |
dup159, | |
dup160, | |
dup161, | |
], | |
on_success: processor_chain([ | |
dup85, | |
dup162, | |
]), | |
}); | |
var msg46 = match({ | |
dissect: { | |
tokenizer: "GTPv0 packet parsing error from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}, TID: %{fld1}, Reason: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup163, | |
]), | |
}); | |
var msg47 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup164, | |
]), | |
}); | |
var msg48 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, Received remote Proxy Host FQDN in ID Payload: Host Name: %{hostname} Address %{hostip}, Protocol %{protocol}, Port %{sport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup165, | |
]), | |
}); | |
var msg49 = match({ | |
dissect: { | |
tokenizer: "Permitted manager connection from %{saddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup166, | |
dup167, | |
]), | |
}); | |
// msg50 and msg51 use the same tokenizer
// ("<product>:<sigid> <context> from <saddr> to <daddr> on interface <dinterface>")
// and differ only in the on_success chain (dup168/dup169 vs dup170/dup171).
// The pattern alone therefore cannot tell them apart; the choice is made by
// whatever references them elsewhere in the file.
var msg50 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup168, dup169]),
});

var msg51 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup170, dup171]),
});
var msg52 = match({ | |
dissect: { | |
tokenizer: "Threat-detection removes host %{hostip} from shun list", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup49, | |
dup172, | |
]), | |
}); | |
var all26 = all_match({ | |
processors: [ | |
dup173, | |
dup174, | |
dup175, | |
dup176, | |
], | |
on_success: processor_chain([ | |
dup177, | |
dup178, | |
]), | |
}); | |
var all27 = all_match({ | |
processors: [ | |
dup179, | |
dup180, | |
dup181, | |
], | |
on_success: processor_chain([ | |
dup177, | |
dup182, | |
]), | |
}); | |
var select9 = linear_select([ | |
all26, | |
all27, | |
]); | |
var msg53 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup183, | |
dup184, | |
]), | |
}); | |
var all28 = all_match({ | |
processors: [ | |
dup185, | |
dup186, | |
], | |
on_success: processor_chain([ | |
dup141, | |
dup187, | |
]), | |
}); | |
var all29 = all_match({ | |
processors: [ | |
dup188, | |
dup186, | |
], | |
on_success: processor_chain([ | |
dup141, | |
dup189, | |
]), | |
}); | |
var select10 = linear_select([ | |
all28, | |
all29, | |
]); | |
var all30 = all_match({ | |
processors: [ | |
dup190, | |
dup191, | |
dup192, | |
], | |
on_success: processor_chain([ | |
dup193, | |
dup194, | |
]), | |
}); | |
var msg54 = match({ | |
dissect: { | |
tokenizer: "Removing v1 PDP Context with TID %{fld1} from GGSN %{fld2} and SGSN %{fld3}, Reason: %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
dup195, | |
]), | |
}); | |
var select11 = linear_select([ | |
all30, | |
msg54, | |
]); | |
var msg55 = match({ | |
dissect: { | |
tokenizer: "IP = %{saddr}, %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup196, | |
]), | |
}); | |
var msg56 = match({ | |
dissect: { | |
tokenizer: "%{process}: Unable to get address from group-policy or tunnel-group local pools", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup197, | |
]), | |
}); | |
var msg57 = match({ | |
dissect: { | |
tokenizer: "%{process}: Session=%{sessionid}, Unable to get address from group-policy or tunnel-group local pools", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup198, | |
]), | |
}); | |
var select12 = linear_select([ | |
msg56, | |
msg57, | |
]); | |
var msg58 = match({ | |
dissect: { | |
tokenizer: "Bad Checksum in %{network_service} command", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup199, | |
dup200, | |
]), | |
}); | |
var all31 = all_match({ | |
processors: [ | |
dup201, | |
dup202, | |
dup203, | |
], | |
on_success: processor_chain([ | |
dup204, | |
dup205, | |
]), | |
}); | |
var select13 = linear_select([ | |
msg58, | |
all31, | |
]); | |
var msg59 = match({ | |
dissect: { | |
tokenizer: "Detected %{network_service} size violation from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}; %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup199, | |
dup206, | |
]), | |
}); | |
var all32 = all_match({ | |
processors: [ | |
dup207, | |
dup208, | |
dup209, | |
], | |
on_success: processor_chain([ | |
dup68, | |
dup210, | |
]), | |
}); | |
var msg60 = match({ | |
dissect: { | |
tokenizer: "(%{context})%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup47, | |
dup211, | |
]), | |
}); | |
var msg61 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup18, | |
dup212, | |
]), | |
}); | |
var all33 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup213, | |
dup214, | |
], | |
on_success: processor_chain([ | |
dup215, | |
dup216, | |
]), | |
}); | |
var all34 = all_match({ | |
processors: [ | |
dup217, | |
dup218, | |
], | |
on_success: processor_chain([ | |
dup215, | |
dup219, | |
]), | |
}); | |
var select14 = linear_select([ | |
all33, | |
all34, | |
]); | |
var msg62 = match({ | |
dissect: { | |
tokenizer: "Validating certificate chain containing %{fld1} certificate(s)", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup220, | |
dup221, | |
]), | |
}); | |
var msg63 = match({ | |
dissect: { | |
tokenizer: "Group %{group} User %{username} IP %{saddr} %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup222, | |
dup223, | |
]), | |
}); | |
var all35 = all_match({ | |
processors: [ | |
dup63, | |
dup64, | |
dup65, | |
dup224, | |
dup225, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup226, | |
]), | |
}); | |
var msg64 = match({ | |
dissect: { | |
tokenizer: "FTP port command different address: %{saddr}(%{fld1}) to %{daddr} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup227, | |
dup228, | |
]), | |
}); | |
var msg65 = match({ | |
dissect: { | |
tokenizer: "Unsupported CTIQBE version: %{fld1}: from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup229, | |
]), | |
}); | |
var msg66 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup230, | |
]), | |
}); | |
var select15 = linear_select([ | |
msg65, | |
msg66, | |
]); | |
var msg67 = match({ | |
dissect: { | |
tokenizer: "Tunnel Manager has failed to establish an L2L SA. %{result}. %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup231, | |
]), | |
}); | |
var msg68 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup232, | |
dup233, | |
]), | |
}); | |
var all36 = all_match({ | |
processors: [ | |
dup234, | |
dup4, | |
dup5, | |
], | |
on_success: processor_chain([ | |
dup235, | |
dup236, | |
]), | |
}); | |
var msg69 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup220, | |
dup237, | |
]), | |
}); | |
var all37 = all_match({ | |
processors: [ | |
dup238, | |
dup239, | |
dup240, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup241, | |
]), | |
}); | |
var msg70 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup242, | |
]), | |
}); | |
var msg71 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup243, | |
dup244, | |
]), | |
}); | |
var msg72 = match({ | |
dissect: { | |
tokenizer: "%{sigid} HTTP Tunnel detected - %{listnum} %{protocol} from %{saddr} to %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup27, | |
dup245, | |
]), | |
}); | |
var msg73 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup243, | |
dup246, | |
]), | |
}); | |
var msg74 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup247, | |
]), | |
}); | |
var msg75 = match({ | |
dissect: { | |
tokenizer: "Out of connections! %{fld1}/%{fld2}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup248, | |
]), | |
}); | |
var all38 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup251, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup252, | |
]), | |
}); | |
var msg76 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup253, | |
dup254, | |
]), | |
}); | |
var msg77 = match({ | |
dissect: { | |
tokenizer: "%{result}. License server is not responding", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup255, | |
]), | |
}); | |
var msg78 = match({ | |
dissect: { | |
tokenizer: "Authorization denied from %{saddr}/%{sport} to %{daddr}/%{dport} (%{result}) on interface %{interface} using %{protocol}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup256, | |
dup257, | |
]), | |
}); | |
// Spoofed-source denial, with and without the trailing interface clause.
// msg80's text is a strict prefix of msg79's, so the longer form is listed
// first in select16.
// NOTE(review): assuming alternatives are tried in list order and the final
// key takes the rest of the line, reversing the order would fold
// " on interface <name>" into daddr for lines that carry an interface.
var msg79 = match({
  dissect: {
    tokenizer: "Deny %{protocol} spoof from (%{saddr}) to %{daddr} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup258, dup259]),
});

var msg80 = match({
  dissect: {
    tokenizer: "Deny %{protocol} spoof from (%{saddr}) to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup258, dup260]),
});

var select16 = linear_select([msg79, msg80]);
var msg81 = match({ | |
dissect: { | |
tokenizer: "Failed to update from dynamic filter updater server %{web_domain}, reason: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup261, | |
dup262, | |
]), | |
}); | |
var msg82 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup41, | |
dup263, | |
]), | |
}); | |
var msg83 = match({ | |
dissect: { | |
tokenizer: "%{process}: Session=%{sessionid}, DHCP configured, no viable servers found for tunnel-group '%{info}'", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup264, | |
]), | |
}); | |
var msg84 = match({ | |
dissect: { | |
tokenizer: "%{process}: DHCP configured, no viable servers found for tunnel-group '%{info}'", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup265, | |
]), | |
}); | |
var select17 = linear_select([ | |
msg83, | |
msg84, | |
]); | |
var msg85 = match({ | |
dissect: { | |
tokenizer: "%{process}: Client assigned %{hostip} from local pool", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup266, | |
]), | |
}); | |
var msg86 = match({ | |
dissect: { | |
tokenizer: "%{process}: Session=%{sessionid}, Client assigned %{hostip} from local pool", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup267, | |
]), | |
}); | |
var select18 = linear_select([ | |
msg85, | |
msg86, | |
]); | |
var msg87 = match({ | |
dissect: { | |
tokenizer: "(%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup268, | |
dup269, | |
]), | |
}); | |
var all39 = all_match({ | |
processors: [ | |
dup270, | |
dup4, | |
dup271, | |
dup272, | |
dup273, | |
], | |
on_success: processor_chain([ | |
dup89, | |
dup274, | |
]), | |
}); | |
var all40 = all_match({ | |
processors: [ | |
dup270, | |
dup4, | |
dup275, | |
], | |
on_success: processor_chain([ | |
dup89, | |
dup276, | |
]), | |
}); | |
var select19 = linear_select([ | |
all39, | |
all40, | |
]); | |
var msg88 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup41, | |
dup277, | |
]), | |
}); | |
var all41 = all_match({ | |
processors: [ | |
dup278, | |
dup279, | |
dup280, | |
dup281, | |
dup282, | |
dup283, | |
dup284, | |
], | |
on_success: processor_chain([ | |
dup285, | |
dup286, | |
]), | |
}); | |
var all42 = all_match({ | |
processors: [ | |
dup287, | |
dup279, | |
dup280, | |
dup281, | |
dup282, | |
dup283, | |
dup284, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup289, | |
]), | |
}); | |
var msg89 = match({ | |
dissect: { | |
tokenizer: "access-list %{listnum} url %{url} hit-cnt %{dclass_counter1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup222, | |
dup290, | |
]), | |
}); | |
var select20 = linear_select([ | |
all41, | |
all42, | |
msg89, | |
]); | |
var all43 = all_match({ | |
processors: [ | |
dup291, | |
dup4, | |
dup292, | |
dup293, | |
], | |
on_success: processor_chain([ | |
dup193, | |
dup294, | |
]), | |
}); | |
var msg90 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup295, | |
]), | |
}); | |
var msg91 = match({ | |
dissect: { | |
tokenizer: "%{action}[%{fld1}] : %{encryption_type}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup296, | |
]), | |
}); | |
var msg92 = match({ | |
dissect: { | |
tokenizer: "(%{context})%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup297, | |
]), | |
}); | |
var msg93 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup298, | |
]), | |
}); | |
var select21 = linear_select([ | |
msg92, | |
msg93, | |
]); | |
var msg94 = match({ | |
dissect: { | |
tokenizer: "Teardown portmap translation for global %{hostip}/%{network_port} local %{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup299, | |
]), | |
}); | |
var msg95 = match({ | |
dissect: { | |
tokenizer: "LU xmit thread up%{}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup300, | |
]), | |
}); | |
var msg96 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup301, | |
]), | |
}); | |
var msg97 = match({ | |
dissect: { | |
tokenizer: "Fail to send to %{saddr} port %{sport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup302, | |
]), | |
}); | |
var msg98 = match({ | |
dissect: { | |
tokenizer: "Local:%{saddr}:%{sport} Remote:%{daddr}:%{dport} Username:%{username} SA DOWN. Reason: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup303, | |
]), | |
}); | |
var all44 = all_match({ | |
processors: [ | |
dup304, | |
dup305, | |
dup306, | |
dup307, | |
dup308, | |
dup309, | |
dup310, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup311, | |
]), | |
}); | |
var all45 = all_match({ | |
processors: [ | |
dup312, | |
dup305, | |
dup306, | |
dup307, | |
dup308, | |
dup309, | |
dup310, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup313, | |
]), | |
}); | |
var select22 = linear_select([ | |
all44, | |
all45, | |
]); | |
var all46 = all_match({ | |
processors: [ | |
dup314, | |
dup315, | |
], | |
on_success: processor_chain([ | |
dup316, | |
dup317, | |
]), | |
}); | |
var all47 = all_match({ | |
processors: [ | |
dup318, | |
dup319, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup320, | |
]), | |
}); | |
var all48 = all_match({ | |
processors: [ | |
dup321, | |
dup322, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup323, | |
]), | |
}); | |
var all49 = all_match({ | |
processors: [ | |
dup324, | |
dup322, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup325, | |
]), | |
}); | |
var select23 = linear_select([ | |
all48, | |
all49, | |
]); | |
var all50 = all_match({ | |
processors: [ | |
dup326, | |
], | |
on_success: processor_chain([ | |
dup327, | |
dup328, | |
]), | |
}); | |
var all51 = all_match({ | |
processors: [ | |
dup329, | |
dup330, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup331, | |
]), | |
}); | |
var all52 = all_match({ | |
processors: [ | |
dup332, | |
dup333, | |
], | |
on_success: processor_chain([ | |
dup334, | |
dup335, | |
]), | |
}); | |
var msg99 = match({ | |
dissect: { | |
tokenizer: "URL Server %{hostip} not responding", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup336, | |
dup337, | |
]), | |
}); | |
// msg100: catch-all pattern. The whole of nwparser.payload is captured as
// event_description; this tokenizer extracts no address, port or user field.
// Any such fields on the resulting event would have to come from the success
// chain (dup338, dup339), which is defined outside this section.
// NOTE(review): detections that filter on saddr/daddr/username will not see
// events parsed this way unless the chain adds those fields; confirm.
var msg100 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup338, | |
dup339, | |
]), | |
}); | |
// msg101: same catch-all tokenizer as msg100, with a different success chain
// (dup29, dup340, both defined elsewhere). The two differ only in what the
// chain does after the match.
var msg101 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup340, | |
]), | |
}); | |
var msg102 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, Responder forcing change of %{ike} rekeying duration from %{fld1} to %{fld2} seconds", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup341, | |
dup342, | |
]), | |
}); | |
var msg103 = match({ | |
dissect: { | |
tokenizer: "(%{context})%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup343, | |
dup344, | |
]), | |
}); | |
// msg104: "Invalid destination" message in its longer form, with a second
// "destination %{fld1}" clause before the interface name.
// %{space} sits between "interface." and "Original IP payload".
// NOTE(review): presumably %{space} absorbs the variable gap; confirm.
var msg104 = match({ | |
dissect: { | |
tokenizer: "Invalid destination %{result} destination %{fld1} on %{interface} interface. %{space} Original IP payload", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup345, | |
]), | |
}); | |
// msg105: shorter form of the same message, without the "destination
// %{fld1}" clause. Text that fits msg104 also fits this pattern, with
// result holding everything up to " on ".
var msg105 = match({ | |
dissect: { | |
tokenizer: "Invalid destination %{result} on %{interface} interface. %{space} Original IP payload", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup346, | |
]), | |
}); | |
// select24 lists the more specific pattern (msg104) before the looser one.
// NOTE(review): assuming linear_select tries entries in listed order and keeps
// the first match, this order must be preserved; reversing it would fold the
// extra clause into result and leave fld1 unset. linear_select is defined
// elsewhere; confirm.
var select24 = linear_select([ | |
msg104, | |
msg105, | |
]); | |
var msg106 = match({ | |
dissect: { | |
tokenizer: "No %{fld1} exists to process GTPv0 %{fld2} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}, TID: %{fld3}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup347, | |
]), | |
}); | |
var msg107 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, %{action} of type %{fld1} (seq number %{fld2})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup348, | |
]), | |
}); | |
// msg108: Telnet session limit reached on the device. Captures the address
// that requested the connection as saddr and the receiving interface name.
// Only the requester's address is extracted; the tokenizer has no port or
// user field.
// NOTE(review): presumably %{space} absorbs the whitespace after the first
// sentence; confirm against the dissect helper.
var msg108 = match({ | |
dissect: { | |
tokenizer: "Telnet session limit exceeded.%{space}Connection request from %{saddr} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
// dup349 and dup350 are defined outside this section of the file.
on_success: processor_chain([ | |
dup349, | |
dup350, | |
]), | |
}); | |
var msg109 = match({ | |
dissect: { | |
tokenizer: "Failed to download dynamic filter data file from updater server %{url}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup261, | |
dup351, | |
]), | |
}); | |
var all53 = all_match({ | |
processors: [ | |
dup99, | |
dup352, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup353, | |
]), | |
}); | |
var msg110 = match({ | |
dissect: { | |
tokenizer: "Deleted Master peer, IP %{saddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup354, | |
]), | |
}); | |
// msg111: "must authenticate before using this service" message in the form
// that names the protocol ("using %{protocol}"). Captures both endpoints as
// address/port pairs plus the interface.
var msg111 = match({ | |
dissect: { | |
tokenizer: "User from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface} using %{protocol} must authenticate before using this service", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup220, | |
dup355, | |
]), | |
}); | |
// msg112: same message without the "using %{protocol}" clause. Text that fits
// msg111 also fits this pattern, with the protocol clause ending up inside
// the interface field.
var msg112 = match({ | |
dissect: { | |
tokenizer: "User from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface} must authenticate before using this service", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup220, | |
dup356, | |
]), | |
}); | |
// select25 lists the pattern with the protocol clause first.
// NOTE(review): assuming linear_select keeps the first entry that matches,
// the order matters: with msg112 first, interface would hold a value such as
// "<name> using <protocol>" and protocol would stay empty. Confirm against
// linear_select, which is defined elsewhere.
var select25 = linear_select([ | |
msg111, | |
msg112, | |
]); | |
var msg113 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup357, | |
dup358, | |
]), | |
}); | |
var all54 = all_match({ | |
processors: [ | |
dup359, | |
dup64, | |
dup65, | |
dup360, | |
dup361, | |
], | |
on_success: processor_chain([ | |
dup285, | |
dup362, | |
]), | |
}); | |
var all55 = all_match({ | |
processors: [ | |
dup363, | |
dup364, | |
dup365, | |
], | |
on_success: processor_chain([ | |
dup55, | |
dup366, | |
]), | |
}); | |
var msg114 = match({ | |
dissect: { | |
tokenizer: "RCMD backconnection failed for %{hostip}/%{network_port}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup243, | |
dup367, | |
]), | |
}); | |
var msg115 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup243, | |
dup368, | |
]), | |
}); | |
var msg116 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup370, | |
]), | |
}); | |
var all56 = all_match({ | |
processors: [ | |
dup371, | |
dup372, | |
dup373, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup374, | |
]), | |
}); | |
var msg117 = match({ | |
dissect: { | |
tokenizer: "Resource %{fld1} limit of %{fld2} reached.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup375, | |
]), | |
}); | |
var msg118 = match({ | |
dissect: { | |
tokenizer: "Resource %{fld1} limit of %{fld2} reached for context %{fld3}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup376, | |
]), | |
}); | |
var select26 = linear_select([ | |
msg117, | |
msg118, | |
]); | |
var msg119 = match({ | |
dissect: { | |
tokenizer: "Unable to create GTP connection for response from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup377, | |
]), | |
}); | |
var msg120 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup379, | |
]), | |
}); | |
var all57 = all_match({ | |
processors: [ | |
dup380, | |
dup381, | |
dup382, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup383, | |
]), | |
}); | |
var all58 = all_match({ | |
processors: [ | |
dup384, | |
dup385, | |
dup386, | |
dup387, | |
dup388, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup389, | |
]), | |
}); | |
var select27 = linear_select([ | |
all57, | |
all58, | |
]); | |
// msg121: structured form. Captures group and saddr from the
// "Group = ..., IP = ..." prefix and the remainder as event_description.
var msg121 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup390, | |
]), | |
}); | |
// msg122: catch-all. The whole payload becomes event_description and no
// group or address is extracted by the tokenizer. It also runs a different
// first chain entry (dup49 rather than dup16); both are defined elsewhere.
var msg122 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup49, | |
dup391, | |
]), | |
}); | |
// select28: structured pattern first, catch-all second.
// NOTE(review): assuming linear_select keeps the first match, any payload
// that deviates from the "Group = ..., IP = ..." prefix is still accepted by
// msg122 but arrives without saddr or group. Queries that pivot on the peer
// address for this message will not return those events; confirm.
var select28 = linear_select([ | |
msg121, | |
msg122, | |
]); | |
var msg123 = match({ | |
dissect: { | |
tokenizer: "Phase %{fld1} failure: Mismatched attribute types for class %{process}: Rcv'd: %{fld2} Cfg'd: %{fld3}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup392, | |
]), | |
}); | |
var all59 = all_match({ | |
processors: [ | |
dup393, | |
dup394, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup395, | |
]), | |
}); | |
var all60 = all_match({ | |
processors: [ | |
dup396, | |
dup394, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup397, | |
]), | |
}); | |
var select29 = linear_select([ | |
all59, | |
all60, | |
]); | |
var msg124 = match({ | |
dissect: { | |
tokenizer: "Virtual Sensor %{vsys} was added on the %{product}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup398, | |
dup399, | |
]), | |
}); | |
var all61 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup400, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup401, | |
]), | |
}); | |
var msg125 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr} , %{action}:%{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup402, | |
]), | |
}); | |
var select30 = linear_select([ | |
all61, | |
msg125, | |
]); | |
// msg126: CTS SGT-MAP binding deleted. "\u003e" is the escaped form of ">",
// so the literal between the two captures is "->".
// NOTE(review): the value after "/" is stored as sport. In a binding entry
// this may be a prefix length rather than a port; confirm against a sample
// message before relying on sport for this event.
var msg126 = match({ | |
dissect: { | |
tokenizer: "CTS SGT-MAP: Binding %{saddr}/%{sport}-\u003e%{fld1}:%{group} from %{fld2} deleted from binding manager.", | |
field: "nwparser.payload", | |
}, | |
// dup45 and dup403 are defined outside this section of the file.
on_success: processor_chain([ | |
dup45, | |
dup403, | |
]), | |
}); | |
var msg127 = match({ | |
dissect: { | |
tokenizer: "Built local-host %{interface}:%{hostip}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup404, | |
]), | |
}); | |
var msg128 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup405, | |
]), | |
}); | |
var msg129 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup41, | |
dup406, | |
]), | |
}); | |
var msg130 = match({ | |
dissect: { | |
tokenizer: "Tunnel Manager failed to dispatch a %{fld1} message. Probable mis-configuration of the crypto map or tunnel-group. %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup407, | |
]), | |
}); | |
var msg131 = match({ | |
dissect: { | |
tokenizer: "(%{context})%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup268, | |
dup408, | |
]), | |
}); | |
var msg132 = match({ | |
dissect: { | |
tokenizer: "Security context %{info} was added to the system", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup398, | |
dup409, | |
]), | |
}); | |
var msg133 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup398, | |
dup410, | |
]), | |
}); | |
var select31 = linear_select([ | |
msg132, | |
msg133, | |
]); | |
var all62 = all_match({ | |
processors: [ | |
dup127, | |
dup64, | |
dup411, | |
], | |
on_success: processor_chain([ | |
dup412, | |
dup413, | |
]), | |
}); | |
var all63 = all_match({ | |
processors: [ | |
dup414, | |
dup4, | |
], | |
on_success: processor_chain([ | |
dup89, | |
dup415, | |
]), | |
}); | |
var all64 = all_match({ | |
processors: [ | |
dup416, | |
dup417, | |
], | |
on_success: processor_chain([ | |
dup89, | |
dup418, | |
]), | |
}); | |
var select32 = linear_select([ | |
all63, | |
all64, | |
]); | |
var msg134 = match({ | |
dissect: { | |
tokenizer: "Pre-allocate MGCP %{fld1} connection for %{sinterface}:%{saddr} to %{dinterface}:%{daddr}/%{dport} from %{fld2}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup419, | |
]), | |
}); | |
var msg135 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup420, | |
]), | |
}); | |
var select33 = linear_select([ | |
msg134, | |
msg135, | |
]); | |
var all65 = all_match({ | |
processors: [ | |
dup421, | |
dup422, | |
], | |
on_success: processor_chain([ | |
dup68, | |
dup423, | |
]), | |
}); | |
var msg136 = match({ | |
dissect: { | |
tokenizer: "Denied new tunnel to %{saddr} VPN peer limit (%{fld1}) exceeded.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup424, | |
]), | |
}); | |
var all66 = all_match({ | |
processors: [ | |
dup425, | |
dup426, | |
dup427, | |
], | |
on_success: processor_chain([ | |
dup285, | |
dup428, | |
]), | |
}); | |
var select34 = linear_select([ | |
msg136, | |
all66, | |
]); | |
var msg137 = match({ | |
dissect: { | |
tokenizer: "AAA Marking %{protocol} server %{hostip} in aaa-server group %{fld1} as FAILED", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup183, | |
dup429, | |
]), | |
}); | |
// msg138: TCP teardown in the faddr/gaddr/laddr form. The tokenizer maps
// faddr to saddr/sport, gaddr to hostip/network_port and laddr to
// daddr/dport, then captures duration, bytes and a parenthesised trailer
// as fld3.
var msg138 = match({ | |
dissect: { | |
tokenizer: "Teardown TCP connection %{connectionid} faddr %{saddr}/%{sport} gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport} duration %{duration} bytes %{bytes} (%{fld3})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup430, | |
dup431, | |
]), | |
}); | |
// msg139: TCP teardown in the "for <if>:<addr>/<port> to <if>:<addr>/<port>"
// form. Interface and address are separated by ":".
// NOTE(review): the trailing text lands in fld2 here but in fld3 for msg138;
// presumably both hold the teardown reason, so a query on one field name
// covers only one format. Confirm how dup431/dup432 normalise it.
// NOTE(review): assuming dissect cuts at the first ":", an IPv6 address
// after the interface name would be split inside the address; confirm.
var msg139 = match({ | |
dissect: { | |
tokenizer: "Teardown TCP connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration} bytes %{bytes} %{fld2}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup430, | |
dup432, | |
]), | |
}); | |
// select35 offers both teardown formats; they start with different literals
// after the connection id ("faddr" vs "for"), so they do not overlap.
var select35 = linear_select([ | |
msg138, | |
msg139, | |
]); | |
var all67 = all_match({ | |
processors: [ | |
dup371, | |
dup433, | |
dup373, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup434, | |
]), | |
}); | |
var msg140 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, Xauth required but selected Proposal does not support xauth, %{fld1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup435, | |
]), | |
}); | |
var all68 = all_match({ | |
processors: [ | |
dup99, | |
dup436, | |
], | |
on_success: processor_chain([ | |
dup437, | |
dup438, | |
]), | |
}); | |
var msg141 = match({ | |
dissect: { | |
tokenizer: "Becoming master of Load Balancing in context %{context}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup439, | |
]), | |
}); | |
var msg142 = match({ | |
dissect: { | |
tokenizer: "RIP pkt failed from %{saddr}: version=%{fld1} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup440, | |
]), | |
}); | |
var all69 = all_match({ | |
processors: [ | |
dup441, | |
dup442, | |
dup443, | |
dup444, | |
dup445, | |
dup446, | |
dup447, | |
dup448, | |
dup449, | |
dup450, | |
], | |
on_success: processor_chain([ | |
dup85, | |
dup451, | |
]), | |
}); | |
var all70 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup452, | |
dup453, | |
dup454, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup455, | |
]), | |
}); | |
var msg143 = match({ | |
dissect: { | |
tokenizer: "IPSEC: Received a non-IPSec packet (protocol= %{protocol}) from %{saddr} to %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1, | |
dup456, | |
]), | |
}); | |
var msg144 = match({ | |
dissect: { | |
tokenizer: "IP = %{saddr}, %{action}: msg id = %{fld1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup457, | |
]), | |
}); | |
var msg145 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, %{action} of type %{event_description}, %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup458, | |
]), | |
}); | |
var all71 = all_match({ | |
processors: [ | |
dup459, | |
dup460, | |
dup461, | |
dup462, | |
dup463, | |
], | |
on_success: processor_chain([ | |
dup464, | |
dup465, | |
]), | |
}); | |
var all72 = all_match({ | |
processors: [ | |
dup466, | |
dup4, | |
dup467, | |
dup468, | |
], | |
on_success: processor_chain([ | |
dup141, | |
dup469, | |
]), | |
}); | |
var all73 = all_match({ | |
processors: [ | |
dup470, | |
dup471, | |
dup472, | |
], | |
on_success: processor_chain([ | |
dup473, | |
dup474, | |
]), | |
}); | |
var msg146 = match({ | |
dissect: { | |
tokenizer: "Parsing downloaded ACL: ERROR: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup475, | |
dup476, | |
]), | |
}); | |
var select36 = linear_select([ | |
all73, | |
msg146, | |
]); | |
var msg147 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup41, | |
dup477, | |
]), | |
}); | |
var all74 = all_match({ | |
processors: [ | |
dup478, | |
dup479, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup480, | |
]), | |
}); | |
var msg148 = match({ | |
dissect: { | |
tokenizer: "Name lookup failed for hostname %{hostname} during PKI operation.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup261, | |
dup481, | |
]), | |
}); | |
var msg149 = match({ | |
dissect: { | |
tokenizer: "Received KEEPALIVE request from [%{saddr}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup482, | |
]), | |
}); | |
// msg150: tunnel terminated for a group/user/peer address, with the reason
// captured as result. "\u003c" is "<" and "\u003e" is ">", so the tokenizer
// decodes to:
//   Group <<%{group}> User <<%{username}> IP <<%{saddr}> Tunnel terminated: %{result}
// NOTE(review): each value opens with two "<" but closes with one ">". This
// looks like an escape sequence carried over from the definition this file
// was generated from rather than the text the device emits. If the device
// logs a single "<", this pattern never matches and these termination events
// go unparsed; confirm against a real sample.
var msg150 = match({ | |
dissect: { | |
tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e Tunnel terminated: %{result}", | |
field: "nwparser.payload", | |
}, | |
// dup483 and dup484 are defined outside this section of the file.
on_success: processor_chain([ | |
dup483, | |
dup484, | |
]), | |
}); | |
var msg151 = match({ | |
dissect: { | |
tokenizer: "Local:%{saddr}:%{sport} Remote:%{daddr}:%{dport} Username:%{username} SA UP. Reason: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup485, | |
]), | |
}); | |
var msg152 = match({ | |
dissect: { | |
tokenizer: "IKE Receiver: Error reading from socket.%{}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup486, | |
dup487, | |
]), | |
}); | |
var msg153 = match({ | |
dissect: { | |
tokenizer: "%{fld1}: external LSA %{hostip} %{fld}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup488, | |
]), | |
}); | |
var msg154 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup489, | |
dup490, | |
]), | |
}); | |
var msg155 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup491, | |
]), | |
}); | |
var msg156 = match({ | |
dissect: { | |
tokenizer: "IP = %{saddr}, Keep-alives configured %{fld1} but peer does not support keep-alives (type = %{fld2})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1, | |
dup492, | |
]), | |
}); | |
var msg157 = match({ | |
dissect: { | |
tokenizer: "Checking CRL from trustpoint: %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup493, | |
]), | |
}); | |
var all75 = all_match({ | |
processors: [ | |
dup494, | |
dup495, | |
dup496, | |
], | |
on_success: processor_chain([ | |
dup55, | |
dup497, | |
]), | |
}); | |
var all76 = all_match({ | |
processors: [ | |
dup127, | |
dup64, | |
dup65, | |
dup66, | |
dup498, | |
dup499, | |
dup500, | |
dup501, | |
dup502, | |
], | |
on_success: processor_chain([ | |
dup55, | |
dup503, | |
]), | |
}); | |
var msg158 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup504, | |
]), | |
}); | |
var msg159 = match({ | |
dissect: { | |
tokenizer: "%{protocol} request discarded from %{saddr} to %{dinterface}:%{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup505, | |
]), | |
}); | |
var msg160 = match({ | |
dissect: { | |
tokenizer: "FTP %{action} command unsupported - failed strict inspection, %{result} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup506, | |
]), | |
}); | |
var all77 = all_match({ | |
processors: [ | |
dup507, | |
dup508, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup509, | |
]), | |
}); | |
var all78 = all_match({ | |
processors: [ | |
dup510, | |
dup511, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup512, | |
]), | |
}); | |
var all79 = all_match({ | |
processors: [ | |
dup513, | |
dup514, | |
dup515, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup516, | |
]), | |
}); | |
var select37 = linear_select([ | |
all78, | |
all79, | |
]); | |
var msg161 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup517, | |
]), | |
}); | |
var all80 = all_match({ | |
processors: [ | |
dup518, | |
dup519, | |
dup520, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup521, | |
]), | |
}); | |
var all81 = all_match({ | |
processors: [ | |
dup518, | |
dup519, | |
dup522, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup523, | |
]), | |
}); | |
var select38 = linear_select([ | |
all80, | |
all81, | |
]); | |
var all82 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup13, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup524, | |
]), | |
}); | |
var msg162 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup525, | |
]), | |
}); | |
var all83 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup526, | |
dup527, | |
], | |
on_success: processor_chain([ | |
dup528, | |
dup529, | |
]), | |
}); | |
var all84 = all_match({ | |
processors: [ | |
dup127, | |
dup64, | |
dup530, | |
], | |
on_success: processor_chain([ | |
dup285, | |
dup531, | |
]), | |
}); | |
// msg163: IP-to-user mapping added for a VPN user. "\\" in the string literal
// is one backslash, so domain and username are split on the "DOMAIN\user"
// separator. This form requires the exact trailer "Succeeded - VPN user".
var msg163 = match({ | |
dissect: { | |
tokenizer: "%{application}: Add IP-User mapping %{saddr} - %{domain}\\%{username} Succeeded - VPN user", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup532, | |
dup533, | |
]), | |
}); | |
// msg164: same prefix, but everything after the username is captured as
// event_description, so it also covers outcomes other than
// "Succeeded - VPN user".
// NOTE(review): username ends at the first space after the backslash
// (assuming dissect cuts at the first delimiter), so an account name that
// contains a space would be truncated and the rest pushed into
// event_description; confirm.
var msg164 = match({ | |
dissect: { | |
tokenizer: "%{application}: Add IP-User mapping %{saddr} - %{domain}\\%{username} %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup532, | |
dup534, | |
]), | |
}); | |
// select39: exact-trailer pattern first, general pattern second.
// NOTE(review): assuming linear_select keeps the first match, the order
// decides whether the success case runs dup533 or dup534; confirm.
var select39 = linear_select([ | |
msg163, | |
msg164, | |
]); | |
var all85 = all_match({ | |
processors: [ | |
dup535, | |
dup536, | |
], | |
on_success: processor_chain([ | |
dup537, | |
dup538, | |
]), | |
}); | |
var all86 = all_match({ | |
processors: [ | |
dup539, | |
dup540, | |
dup541, | |
], | |
on_success: processor_chain([ | |
dup125, | |
dup542, | |
]), | |
}); | |
var msg165 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup232, | |
dup543, | |
]), | |
}); | |
var msg166 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup544, | |
]), | |
}); | |
var msg167 = match({ | |
dissect: { | |
tokenizer: "(%{context}) Mate operational mode %{fld1} is not compatible with my mode %{fld2}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup268, | |
dup545, | |
]), | |
}); | |
var msg168 = match({ | |
dissect: { | |
tokenizer: "%{process}: Error freeing address %{saddr}, %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup546, | |
]), | |
}); | |
// msg169: authentication failure between two endpoints. Captures source and
// destination as address/port pairs, the parenthesised failure text as
// result, and the interface name.
// The tokenizer extracts no username, so this pattern alone does not say
// which account failed; correlate on saddr/daddr and result instead.
var msg169 = match({ | |
dissect: { | |
tokenizer: "Auth from %{saddr}/%{sport} to %{daddr}/%{dport} failed (%{result}) on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
// dup183 and dup547 are defined outside this section of the file.
on_success: processor_chain([ | |
dup183, | |
dup547, | |
]), | |
}); | |
var msg170 = match({ | |
dissect: { | |
tokenizer: "Terminating manager session from %{saddr} on interface %{interface}.%{space}Reason: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup349, | |
dup548, | |
]), | |
}); | |
var all87 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup452, | |
dup453, | |
dup549, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup550, | |
]), | |
}); | |
var msg171 = match({ | |
dissect: { | |
tokenizer: "(%{context}) Monitoring on interface %{interface} waiting", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup551, | |
]), | |
}); | |
var all88 = all_match({ | |
processors: [ | |
dup127, | |
dup64, | |
dup552, | |
], | |
on_success: processor_chain([ | |
dup68, | |
dup553, | |
]), | |
}); | |
var msg172 = match({ | |
dissect: { | |
tokenizer: "%{process}: Address assignment failed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup554, | |
]), | |
}); | |
var msg173 = match({ | |
dissect: { | |
tokenizer: "%{process}: Session=%{sessionid}, Address assignment failed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup555, | |
]), | |
}); | |
var select40 = linear_select([ | |
msg172, | |
msg173, | |
]); | |
var all89 = all_match({ | |
processors: [ | |
dup556, | |
dup557, | |
dup558, | |
], | |
on_success: processor_chain([ | |
dup437, | |
dup559, | |
]), | |
}); | |
var msg174 = match({ | |
dissect: { | |
tokenizer: "Shared license backup server role change to %{result}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup560, | |
]), | |
}); | |
var msg175 = match({ | |
dissect: { | |
tokenizer: "Unable to create tunnel from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup561, | |
]), | |
}); | |
var all90 = all_match({ | |
processors: [ | |
dup562, | |
dup563, | |
dup564, | |
], | |
on_success: processor_chain([ | |
dup25, | |
dup565, | |
]), | |
}); | |
var msg176 = match({ | |
dissect: { | |
tokenizer: "Denied ICMP type=%{icmptype}, code=%{icmpcode} from %{saddr} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup566, | |
dup567, | |
]), | |
}); | |
var msg177 = match({ | |
dissect: { | |
tokenizer: "Java content modified src %{saddr} dest %{daddr} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup486, | |
dup568, | |
]), | |
}); | |
var all91 = all_match({ | |
processors: [ | |
dup569, | |
dup570, | |
dup571, | |
dup572, | |
], | |
on_success: processor_chain([ | |
dup573, | |
dup574, | |
]), | |
}); | |
var all92 = all_match({ | |
processors: [ | |
dup575, | |
dup4, | |
], | |
on_success: processor_chain([ | |
dup81, | |
dup576, | |
]), | |
}); | |
var msg178 = match({ | |
dissect: { | |
tokenizer: "Tunnel Manager dispatching a %{info}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup577, | |
]), | |
}); | |
var all93 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup578, | |
], | |
on_success: processor_chain([ | |
dup579, | |
dup580, | |
]), | |
}); | |
var all94 = all_match({ | |
processors: [ | |
dup99, | |
dup581, | |
], | |
on_success: processor_chain([ | |
dup579, | |
dup582, | |
]), | |
}); | |
var all95 = all_match({ | |
processors: [ | |
dup104, | |
dup4, | |
dup578, | |
], | |
on_success: processor_chain([ | |
dup579, | |
dup583, | |
]), | |
}); | |
var select41 = linear_select([ | |
all93, | |
all94, | |
all95, | |
]); | |
var msg179 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup170, | |
dup584, | |
]), | |
}); | |
var all96 = all_match({ | |
processors: [ | |
dup585, | |
dup4, | |
dup586, | |
], | |
on_success: processor_chain([ | |
dup587, | |
dup588, | |
]), | |
}); | |
var msg180 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup483, | |
dup589, | |
]), | |
}); | |
var msg181 = match({ | |
dissect: { | |
tokenizer: "Teardown translation for global %{hostip} local %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup590, | |
]), | |
}); | |
var msg182 = match({ | |
dissect: { | |
tokenizer: "Teardown translation for %{hostip} %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup591, | |
]), | |
}); | |
var select42 = linear_select([ | |
msg181, | |
msg182, | |
]); | |
var msg183 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
dup592, | |
]), | |
}); | |
// msg184: denied ICMP where the source is introduced by the literal "laddr".
// Captures the ICMP type, saddr, interface, daddr and the text after ": "
// as result.
var msg184 = match({ | |
dissect: { | |
tokenizer: "Denied ICMP type=%{icmptype}, from laddr %{saddr} on interface %{interface} to %{daddr}: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup566, | |
dup593, | |
]), | |
}); | |
// msg185: general form. The protocol name is a capture rather than the
// literal "ICMP", there is no "laddr" keyword, and result follows ":" with no
// space. Text that fits msg184 also fits this pattern.
var msg185 = match({ | |
dissect: { | |
tokenizer: "Denied %{protocol} type=%{icmptype}, from %{saddr} on interface %{interface} to %{daddr}:%{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup566, | |
dup594, | |
]), | |
}); | |
// select43 lists the "laddr" form first.
// NOTE(review): assuming linear_select keeps the first match, trying msg185
// first on a "from laddr <addr>" line would store "laddr <addr>" in saddr,
// which breaks IP-typed lookups and enrichment on that field. Keep this
// order; confirm against linear_select, which is defined elsewhere.
var select43 = linear_select([ | |
msg184, | |
msg185, | |
]); | |
var msg186 = match({ | |
dissect: { | |
tokenizer: "PPTP control daemon socket io %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup595, | |
]), | |
}); | |
var msg187 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup170, | |
dup596, | |
]), | |
}); | |
var msg188 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup597, | |
dup598, | |
]), | |
}); | |
// msg189: Kerberos clock-skew error for a server, whose address is captured
// as hostip.
// NOTE(review): "300 seconds" is a literal in the tokenizer, not a capture.
// If the device can report a different skew limit in this message, that
// variant will not match here and the event would go unparsed; confirm
// whether the text is fixed.
var msg189 = match({ | |
dissect: { | |
tokenizer: "Kerberos error : Clock skew with server %{hostip} greater than 300 seconds", | |
field: "nwparser.payload", | |
}, | |
// dup183 and dup599 are defined outside this section of the file.
on_success: processor_chain([ | |
dup183, | |
dup599, | |
]), | |
}); | |
var msg190 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup600, | |
]), | |
}); | |
var msg191 = match({ | |
dissect: { | |
tokenizer: "LU no xlate for %{saddr}/%{sport} %{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup268, | |
dup601, | |
]), | |
}); | |
var all97 = all_match({ | |
processors: [ | |
dup602, | |
dup603, | |
], | |
on_success: processor_chain([ | |
dup604, | |
dup605, | |
]), | |
}); | |
var msg192 = match({ | |
dissect: { | |
tokenizer: "Received HELLO request from [%{saddr}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup606, | |
]), | |
}); | |
var msg193 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup607, | |
]), | |
}); | |
var msg194 = match({ | |
dissect: { | |
tokenizer: "Local CA Server event: %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup18, | |
dup608, | |
]), | |
}); | |
var all98 = all_match({ | |
processors: [ | |
dup609, | |
dup610, | |
dup611, | |
dup161, | |
], | |
on_success: processor_chain([ | |
dup110, | |
dup612, | |
]), | |
}); | |
// Two single-pattern matchers interleaved with two one-element all_match
// parsers (their only processor is a shared dupN defined elsewhere).

// Timer library error; the trailing text is captured as result.
var msg195 = match({
  dissect: { tokenizer: "Unexpected error in the timer library: %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup613]),
});

var all99 = all_match({
  processors: [dup614],
  on_success: processor_chain([dup528, dup615]),
});

// Secure tunnel deletion: the peer address is the bracketed value; the text
// between "peer" and the bracket goes to the "space" key.
var msg196 = match({
  dissect: { tokenizer: "Deleted secure tunnel to peer %{space} [%{saddr}]", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup616]),
});

var all100 = all_match({
  processors: [dup617],
  on_success: processor_chain([dup125, dup618]),
});
// Two variants of the "Local pool request succeeded" message and the selector
// that groups them. Both capture process and the quoted tunnel-group text
// (as info); the second variant also captures sessionid.

var msg197 = match({
  dissect: { tokenizer: "%{process}: Local pool request succeeded for tunnel-group '%{info}'", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup619]),
});

var msg198 = match({
  dissect: { tokenizer: "%{process}: Session=%{sessionid}, Local pool request succeeded for tunnel-group '%{info}'", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup620]),
});

// NOTE(review): presumably the candidates are tried in the listed order until
// one matches - confirm against the library's linear_select.
var select44 = linear_select([msg197, msg198]);
// Mixed run of all_match parsers (built from shared dupN processors defined
// elsewhere) and single-pattern matchers on "nwparser.payload".

var all101 = all_match({
  processors: [dup621, dup622, dup623],
  on_success: processor_chain([dup141, dup624]),
});

// Usage summary: user count (fld1), product and time window in hours (fld2).
var msg199 = match({
  dissect: { tokenizer: "There are %{fld1} users of %{product} during the past %{fld2} hours", field: "nwparser.payload" },
  on_success: processor_chain([dup625, dup626]),
});

// "(VPN-<context>)" prefixed message; the rest becomes event_description.
var msg200 = match({
  dissect: { tokenizer: "(VPN-%{context}) %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup131, dup627]),
});

var all102 = all_match({
  processors: [dup628, dup4, dup629],
  on_success: processor_chain([dup473, dup630]),
});

// Catch-all: the whole payload is captured as event_description.
var msg201 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup631]),
});
// Three all_match parsers assembled from shared dupN processors (defined
// elsewhere) and a selector over the last two.

var all103 = all_match({
  processors: [dup249, dup250, dup632, dup633, dup634],
  on_success: processor_chain([dup33, dup635]),
});

// all104 and all105 differ only in their first processor and in the second
// on_success step.
var all104 = all_match({
  processors: [dup636, dup417],
  on_success: processor_chain([dup573, dup637]),
});

var all105 = all_match({
  processors: [dup638, dup417],
  on_success: processor_chain([dup573, dup639]),
});

var select45 = linear_select([all104, all105]);
// Single-pattern matchers on "nwparser.payload" plus one all_match parser
// built from shared dupN processors defined elsewhere.

// State-bypass connection teardown: protocol, connection id, both endpoints
// (interface:address/port), duration, byte count and trailing result text.
var msg202 = match({
  dissect: { tokenizer: "Teardown %{protocol} state-bypass connection %{connectionid} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration} bytes %{bytes} %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup640]),
});

// Application still attached to a port while a context is removed.
var msg203 = match({
  dissect: { tokenizer: "IP detected an attached application using port %{network_port} while removing context", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup641]),
});

var all106 = all_match({
  processors: [dup642, dup643],
  on_success: processor_chain([dup14, dup644]),
});

// Captures product, sigid, context, saddr, daddr and dinterface.
var msg204 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup253, dup645]),
});

// Static crypto map check: map name (fld1), sequence (fld2), remainder as info.
var msg205 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, Static Crypto Map check, map = %{fld1}, seq = %{fld2}, %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup475, dup646]),
});

// Call-Home client message; the trailing text is captured as action.
var msg206 = match({
  dissect: { tokenizer: "Call-Home client %{action}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup647]),
});
// all_match parsers assembled from shared dupN processors (defined elsewhere)
// and a selector over two of them.

var all107 = all_match({
  processors: [dup648, dup208, dup649],
  on_success: processor_chain([dup55, dup650]),
});

// all108 and all109 share their first two processors; only the third
// (dup653 vs dup655) and the second on_success step differ.
var all108 = all_match({
  processors: [dup651, dup652, dup653],
  on_success: processor_chain([dup10, dup654]),
});

var all109 = all_match({
  processors: [dup651, dup652, dup655],
  on_success: processor_chain([dup10, dup656]),
});

var select46 = linear_select([all108, all109]);

var all110 = all_match({
  processors: [dup127, dup64, dup657],
  on_success: processor_chain([dup10, dup658]),
});
// Four single-pattern matchers on "nwparser.payload"; each passes a two-step
// chain of shared dupN processors (defined elsewhere) as on_success.

// Phone proxy failure: interface, address and MAC of the phone, then result.
var msg207 = match({
  dissect: { tokenizer: "Phone Proxy: Unable to create secure phone entry for %{sinterface}:%{saddr} with MAC address %{smacaddr}, %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup659]),
});

// Resource rate limit reached: resource name (fld1) and limit (fld2).
var msg208 = match({
  dissect: { tokenizer: "Resource %{fld1} rate limit of %{fld2} reached.", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup660]),
});

// Control channel failure for the module in slot fld1.
var msg209 = match({
  dissect: { tokenizer: "Module in slot %{fld1} experienced a control channel communication failure", field: "nwparser.payload" },
  on_success: processor_chain([dup343, dup661]),
});

// Catch-all: the whole payload is captured as event_description.
var msg210 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup662, dup663]),
});
// One all_match parser (shared dupN processors, defined elsewhere) followed
// by three single-pattern matchers on "nwparser.payload".

var all111 = all_match({
  processors: [dup664, dup665, dup666],
  on_success: processor_chain([dup33, dup667]),
});

// user-identity DNS lookup failure: looked-up name (web_domain) and reason.
var msg211 = match({
  dissect: { tokenizer: "user-identity: DNS lookup for %{web_domain} failed, reason: %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup668]),
});

// Parenthesised context immediately followed by free text (no space between).
var msg212 = match({
  dissect: { tokenizer: "(%{context})%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup343, dup669]),
});

// Catch-all: the whole payload is captured as event_description.
var msg213 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup662, dup670]),
});
// Two parsers and the selector that groups them.

var all112 = all_match({
  processors: [dup12, dup4, dup400],
  on_success: processor_chain([dup33, dup671]),
});

// "Group = ..., IP = ..." message with an action:info tail. The tokenizer
// expects a space before the comma that follows the address ("%{saddr} ,").
var msg214 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr} , %{action}:%{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup672]),
});

// The multi-part parser is listed ahead of the single-pattern one.
var select47 = linear_select([all112, msg214]);
// One all_match parser (shared dupN processors, defined elsewhere) followed
// by three single-pattern matchers on "nwparser.payload".

var all113 = all_match({
  processors: [dup127, dup64, dup673],
  on_success: processor_chain([dup68, dup674]),
});

// URL server unreachable and the device reports "ENTERING ALLOW mode". Only
// the server address (hostip) is captured. For monitoring purposes this is a
// fail-open condition reported by the message text itself, so it is a good
// candidate for alerting downstream.
var msg215 = match({
  dissect: { tokenizer: "URL Server %{hostip} not responding, ENTERING ALLOW mode", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup675]),
});

// "No Key" error: leading text (info), SPI (fld1), source and destination.
var msg216 = match({
  dissect: { tokenizer: "%{info} Error: No Key SPI %{fld1} SRC %{saddr} DEST %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup106, dup676]),
});

// Captures product, sigid, context, saddr, daddr and dinterface.
var msg217 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup168, dup677]),
});
// Three single-pattern matchers on "nwparser.payload".

// Group / User / IP message with a free-text tail ending in a period.
// NOTE(review): each value is preceded by two \u003c (left angle bracket)
// characters but followed by a single \u003e. The doubling looks like an
// escape sequence carried over from the definition this file was generated
// from; if real messages carry a single left bracket, this tokenizer would
// not match them and the event would go unparsed - verify against sample logs.
var msg218 = match({
  dissect: { tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e %{event_description}.", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup678]),
});

// AAA address release: process name and the freed address (hostip).
var msg219 = match({
  dissect: { tokenizer: "%{process}: Freeing AAA address %{hostip}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup679]),
});

// Parenthesised context immediately followed by free text (no space between).
var msg220 = match({
  dissect: { tokenizer: "(%{context})%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup680, dup681]),
});
// all_match parsers assembled from shared dupN processors (defined elsewhere)
// and two single-pattern matchers on "nwparser.payload".

var all114 = all_match({
  processors: [dup324, dup322],
  on_success: processor_chain([dup14, dup682]),
});

var all115 = all_match({
  processors: [dup127, dup64, dup673],
  on_success: processor_chain([dup68, dup683]),
});

// Boot list change: the image name is captured as fld1. A change to the
// system boot list is worth surfacing in change monitoring.
var msg221 = match({
  dissect: { tokenizer: "UPDATE: ASA image %{fld1} was added to system boot list", field: "nwparser.payload" },
  on_success: processor_chain([dup349, dup684]),
});

// Catch-all: the whole payload is captured as event_description.
var msg222 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup685, dup686]),
});

// Ten-part parser; the largest processors list in this section.
var all116 = all_match({
  processors: [dup687, dup688, dup689, dup690, dup74, dup691, dup692, dup693, dup694, dup695],
  on_success: processor_chain([dup93, dup696]),
});
// Two pairs of message variants, each pair followed by its selector.

// ISAKMP duplicate packet, initiator form: local address -> saddr, remote ->
// daddr. The tokenizer has no closing parenthesis after message-ID, so fld1
// takes whatever follows "message-ID " (presumably to the end of the payload).
var msg223 = match({
  dissect: { tokenizer: "ISAKMP duplicate packet detected (local %{saddr} (initiator), remote %{daddr}, message-ID %{fld1}", field: "nwparser.payload" },
  on_success: processor_chain([dup489, dup697]),
});

// Responder form: the mapping is reversed (local -> daddr, remote -> saddr).
var msg224 = match({
  dissect: { tokenizer: "ISAKMP duplicate packet detected (local %{daddr} (responder), remote %{saddr}, message-ID %{fld1}", field: "nwparser.payload" },
  on_success: processor_chain([dup489, dup698]),
});

var select48 = linear_select([msg223, msg224]);

// IKE lost contact with the remote peer, variant that includes a username.
// NOTE(review): group and username are strings taken from the log line and
// the tokenizer splits on literal separators such as ", IP = "; treat the
// extracted values as untrusted text in anything built on top of them.
var msg225 = match({
  dissect: { tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, IKE lost contact with remote peer, deleting connection (keepalive type: %{fld1})", field: "nwparser.payload" },
  on_success: processor_chain([dup483, dup699]),
});

// Same message without the username part.
var msg226 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, IKE lost contact with remote peer, deleting connection (keepalive type: %{fld1})", field: "nwparser.payload" },
  on_success: processor_chain([dup483, dup700]),
});

// The variant with a username is listed first.
var select49 = linear_select([msg225, msg226]);
// Three single-pattern matchers on "nwparser.payload".

// Captures product, sigid, context, saddr, daddr and dinterface.
var msg227 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup168, dup701]),
});

// Access request: the value after the destination address is captured as
// service rather than as a destination port.
var msg228 = match({
  dissect: { tokenizer: "%{protocol} access requested from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{service}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup702]),
});

// Catch-all: the whole payload is captured as event_description.
var msg229 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup369, dup703]),
});
// Two parsers and the selector that groups them.

var all117 = all_match({
  processors: [dup12, dup4, dup704],
  on_success: processor_chain([dup33, dup705]),
});

// "Group = ..., IP = ..." message with an action:info tail.
var msg230 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, %{action}:%{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup706]),
});

// The multi-part parser is listed ahead of the single-pattern one.
var select50 = linear_select([all117, msg230]);
// Three single-pattern matchers on "nwparser.payload" followed by two
// all_match parsers built from shared dupN processors defined elsewhere.

// IKE delete for a rekeyed entry ("centry" is the literal tokenizer spelling).
var msg231 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, IKE Received delete for rekeyed centry %{space} %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup707]),
});

// Peer creation: the peer address is the bracketed value.
var msg232 = match({
  dissect: { tokenizer: "Created peer %{space}[%{saddr}]", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup708]),
});

// "(WebVPN-<context>)" prefixed message; the rest becomes event_description.
var msg233 = match({
  dissect: { tokenizer: "(WebVPN-%{context}) %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup709]),
});

var all118 = all_match({
  processors: [dup710, dup711, dup712],
  on_success: processor_chain([dup14, dup713]),
});

var all119 = all_match({
  processors: [dup714, dup715, dup716],
  on_success: processor_chain([dup68, dup717]),
});
// Two single-pattern matchers on "nwparser.payload".

// VPN client XAUTH success; only the peer address (saddr) is captured.
var msg234 = match({
  dissect: { tokenizer: "VPNClient: XAUTH Succeeded: Peer: %{saddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup532, dup718]),
});

// Catch-all: the whole payload is captured as event_description.
var msg235 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup1, dup719]),
});
// One explicit pattern, three multi-part parsers and the selector over all four.

// Access-list denial in the "interface/address(port)" layout, with hit count
// (dclass_counter1) and a trailing field (fld6). \u003e is the right angle
// bracket of the arrow between the two endpoints.
var msg236 = match({
  dissect: { tokenizer: "access-list %{listnum} denied %{protocol} %{sinterface}/%{saddr}(%{sport}) -\u003e %{dinterface}/%{daddr}(%{dport}) hit-cnt %{dclass_counter1} %{fld6}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup720]),
});

// all120-all122 share the first two processors and the last one; they differ
// in the third and fourth entries and in the second on_success step.
var all120 = all_match({
  processors: [dup721, dup722, dup723, dup724, dup725],
  on_success: processor_chain([dup288, dup726]),
});

var all121 = all_match({
  processors: [dup721, dup722, dup727, dup728, dup725],
  on_success: processor_chain([dup288, dup729]),
});

var all122 = all_match({
  processors: [dup721, dup722, dup730, dup728, dup725],
  on_success: processor_chain([dup288, dup731]),
});

// The "denied" pattern is listed first, then the multi-part parsers.
var select51 = linear_select([msg236, all120, all121, all122]);
// Three single-pattern matchers on "nwparser.payload".

// MAC move: the value after "MAC" is stored as interface, and the two
// locations as src_zone and dst_zone.
var msg237 = match({
  dissect: { tokenizer: "MAC %{interface} moved from %{src_zone} to %{dst_zone}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup732]),
});

// Module application down: slot (fld1), quoted application name, then info.
var msg238 = match({
  dissect: { tokenizer: "%{product} Module in slot %{fld1}, application down \"%{application}\", %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup41, dup733]),
});

// "<result> session from <saddr>": leading text and the source address.
var msg239 = match({
  dissect: { tokenizer: "%{result} session from %{saddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup166, dup734]),
});
// Connection-built parsers and the selector that groups all ten of them.
// The explicit tokenizers all begin with "Built inbound" or "Built outbound";
// the all_match entries are assembled from shared dupN processors defined
// elsewhere, so their patterns are not visible in this section.

// Inbound, with translated endpoints and domain\user identity on both sides
// plus a final parenthesised username.
var msg240 = match({
  dissect: { tokenizer: "Built inbound %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport})(%{domain}\\%{fld3}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})(%{ddomain}\\%{c_username}) (%{username})", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup735]),
});

var all123 = all_match({
  processors: [dup736, dup737, dup738, dup739],
  on_success: processor_chain([dup288, dup740]),
});

var all124 = all_match({
  processors: [dup741, dup742],
  on_success: processor_chain([dup288, dup743]),
});

var all125 = all_match({
  processors: [dup736, dup744, dup745],
  on_success: processor_chain([dup288, dup746]),
});

var all126 = all_match({
  processors: [dup747, dup748, dup749, dup750, dup751],
  on_success: processor_chain([dup288, dup752]),
});

// Inbound, "gaddr" layout: first endpoint -> s* fields, last -> d* fields.
var msg241 = match({
  dissect: { tokenizer: "Built inbound %{protocol} connection %{connectionid} for %{sinterface} %{saddr}/%{sport} gaddr %{hostip}/%{network_port} %{dinterface} %{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup753]),
});

// Outbound, "gaddr" layout: the assignment is reversed relative to msg241 -
// the first endpoint in the text goes to the d* fields, the last to the s*
// fields. Keep this in mind when reading source/destination in detections.
var msg242 = match({
  dissect: { tokenizer: "Built outbound %{protocol} connection %{connectionid} for %{dinterface} %{daddr}/%{dport} gaddr %{hostip}/%{network_port} %{sinterface} %{saddr}/%{sport}", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup754]),
});

var all127 = all_match({
  processors: [dup755, dup756, dup757, dup750, dup751],
  on_success: processor_chain([dup288, dup758]),
});

// Inbound, identity (domain\username) only after the destination endpoint.
var msg243 = match({
  dissect: { tokenizer: "Built inbound %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})(%{domain}\\%{username})", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup759]),
});

// Inbound, one extra parenthesised value (fld) after the source endpoint.
var msg244 = match({
  dissect: { tokenizer: "Built inbound %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport})(%{fld}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup760]),
});

// NOTE(review): presumably the candidates are tried in the listed order until
// one matches - confirm against the library's linear_select. If so, the order
// below decides which variant wins when more than one tokenizer could match.
var select52 = linear_select([
  msg240, all123, all124, all125, all126,
  msg241, msg242, all127, msg243, msg244,
]);
// Three single-pattern matchers on "nwparser.payload".

// Catch-all: the whole payload is captured as event_description.
var msg245 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup761, dup762]),
});

// Failed IP address request for a VPN user: group, username and peer address.
var msg246 = match({
  dissect: { tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, IP address request attempt failed!", field: "nwparser.payload" },
  on_success: processor_chain([dup1, dup763]),
});

// "(VPN-<context>)" prefixed message whose free text ends in a period.
var msg247 = match({
  dissect: { tokenizer: "(VPN-%{context}) %{event_description}.", field: "nwparser.payload" },
  on_success: processor_chain([dup131, dup764]),
});
// Two all_match parsers (shared dupN processors, defined elsewhere), one
// catch-all matcher and a selector.

var all128 = all_match({
  processors: [dup238, dup765, dup766],
  on_success: processor_chain([dup767, dup768]),
});

var all129 = all_match({
  processors: [dup769, dup770, dup771],
  on_success: processor_chain([dup141, dup772]),
});

// Catch-all: the whole payload is captured as event_description.
var msg248 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup166, dup773]),
});

// The structured parser is listed ahead of the catch-all.
var select53 = linear_select([all129, msg248]);
// Two single-pattern matchers on "nwparser.payload" interleaved with two
// all_match parsers built from shared dupN processors defined elsewhere.

// Captures product, sigid, context, saddr, daddr and dinterface.
var msg249 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup168, dup774]),
});

var all130 = all_match({
  processors: [dup139, dup775],
  on_success: processor_chain([dup579, dup776]),
});

// Generic "Group = ..., IP = ..." message; the tail becomes event_description.
var msg250 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup341, dup777]),
});

var all131 = all_match({
  processors: [dup778, dup779],
  on_success: processor_chain([dup215, dup780]),
});
// Four single-pattern matchers on "nwparser.payload".

// Invalid address assigned to an SVC connection: group, user, peer address
// and the rejected address (daddr).
// NOTE(review): each value is preceded by two \u003c (left angle bracket)
// characters but followed by a single \u003e. The doubling looks like an
// escape sequence carried over from the definition this file was generated
// from; if real messages carry a single left bracket, this tokenizer would
// not match them - verify against sample logs.
var msg251 = match({
  dissect: { tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e Invalid address \u003c\u003c%{daddr}\u003e assigned to SVC connection", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup781]),
});

// SMTP replacement: the "out" address is stored as saddr, "in" as daddr.
var msg252 = match({
  dissect: { tokenizer: "SMTP replaced %{fld1}: out %{saddr} in %{daddr} data: %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup199, dup782]),
});

// H225 message received before SETUP, with both address/port pairs.
var msg253 = match({
  dissect: { tokenizer: "H225 message %{fld} received from %{saddr}/%{sport} to %{daddr}/%{dport} before SETUP", field: "nwparser.payload" },
  on_success: processor_chain([dup489, dup783]),
});

// Connection reset requested by the IPS, with both endpoints.
var msg254 = match({
  dissect: { tokenizer: "IPS requested to reset %{protocol} connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup784]),
});
// all_match parsers assembled from shared dupN processors (defined elsewhere)
// and a selector over the first two.

// all132 and all133 share their first two processors; only the third
// (dup655 vs dup653) and the second on_success step differ.
var all132 = all_match({
  processors: [dup785, dup786, dup655],
  on_success: processor_chain([dup55, dup787]),
});

var all133 = all_match({
  processors: [dup785, dup786, dup653],
  on_success: processor_chain([dup55, dup788]),
});

var select54 = linear_select([all132, all133]);

var all134 = all_match({
  processors: [dup789, dup790],
  on_success: processor_chain([dup14, dup791]),
});
// Single-pattern matchers on "nwparser.payload" plus one all_match parser
// built from shared dupN processors defined elsewhere.

// Instant-messaging inspection: client, both user ids, both endpoints (note
// the ":/" between interface and address), action and matched class text.
var msg255 = match({
  dissect: { tokenizer: "Inspected %{im_client} %{info} Session between Client %{im_userid} and %{im_buddyid} Packet flow from %{sinterface}:/%{saddr}/%{sport} to %{dinterface}:/%{daddr}/%{dport} Action: %{action} Matched Class %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup792]),
});

// Threat detection placed a host on the shun list; the host is captured as
// hostip rather than saddr/daddr, which matters when correlating by address.
var msg256 = match({
  dissect: { tokenizer: "Threat-detection adds host %{hostip} to shun list", field: "nwparser.payload" },
  on_success: processor_chain([dup49, dup793]),
});

// Captures product, sigid, context, saddr, daddr and dinterface.
var msg257 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup794, dup795]),
});

var all135 = all_match({
  processors: [dup796, dup797],
  on_success: processor_chain([dup81, dup798]),
});

// Duplex mismatch causing transmitter lockup; the port name goes to service.
var msg258 = match({
  dissect: { tokenizer: "%{severity}: Duplex-mismatch on %{service} resulted in transmitter lockup. %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup799]),
});

// PPP virtual interface without AAA server group information.
var msg259 = match({
  dissect: { tokenizer: "PPP virtual interface %{interface} missing aaa server group info", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup800]),
});
// Three multi-part parsers, one explicit pattern and the selector over them.

// all136 and all137 share the first two, the fifth and the last processor;
// the third, fourth and sixth entries differ.
var all136 = all_match({
  processors: [dup801, dup802, dup803, dup804, dup805, dup806, dup807],
  on_success: processor_chain([dup808, dup809]),
});

var all137 = all_match({
  processors: [dup801, dup802, dup810, dup811, dup805, dup812, dup807],
  on_success: processor_chain([dup808, dup813]),
});

// Dropped UDP DNS reply: the compression pointer length (bytes) exceeded the
// packet length limit (fld2). Both address/port pairs are captured.
var msg260 = match({
  dissect: { tokenizer: "Dropped UDP DNS reply from %{saddr}/%{sport} to %{daddr}/%{dport}; compression pointer length %{bytes} bytes exceeds packet length limit of %{fld2} bytes", field: "nwparser.payload" },
  on_success: processor_chain([dup489, dup814]),
});

var all138 = all_match({
  processors: [dup815, dup816, dup817],
  on_success: processor_chain([dup808, dup818]),
});

var select55 = linear_select([all136, all137, msg260, all138]);
// all_match parsers assembled from shared dupN processors (defined
// elsewhere), one explicit pattern and a selector over the last two parsers.

var all139 = all_match({
  processors: [dup819, dup820],
  on_success: processor_chain([dup14, dup821]),
});

// DHCP client message: interface name, then the text after the colon as info.
var msg261 = match({
  dissect: { tokenizer: "DHCP client interface %{interface}:%{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup41, dup822]),
});

// all140 and all141 share their first two processors; only the third
// (dup655 vs dup653) and the second on_success step differ.
var all140 = all_match({
  processors: [dup823, dup824, dup655],
  on_success: processor_chain([dup33, dup825]),
});

var all141 = all_match({
  processors: [dup823, dup824, dup653],
  on_success: processor_chain([dup33, dup826]),
});

var select56 = linear_select([all140, all141]);
// Two groups of variants, each followed by its selector.

// "Deny <protocol> (no connection)" with flags and the receiving interface.
var msg262 = match({
  dissect: { tokenizer: "Deny %{protocol} (no connection) from %{saddr}/%{sport} to %{daddr}/%{dport} flags %{fld1} on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup827]),
});

// Same message without the interface suffix.
var msg263 = match({
  dissect: { tokenizer: "Deny %{protocol} (no connection) from %{saddr}/%{sport} to %{daddr}/%{dport} flags %{fld1}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup828]),
});

// The longer variant is listed first.
var select57 = linear_select([msg262, msg263]);

var all142 = all_match({
  processors: [dup12, dup4, dup829],
  on_success: processor_chain([dup55, dup830]),
});

// Unknown transaction mode attribute received from a peer; the attribute is
// captured as change_attribute.
var msg264 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, Received unknown transaction mode attribute: %{change_attribute}", field: "nwparser.payload" },
  on_success: processor_chain([dup1, dup831]),
});

// The multi-part parser is listed ahead of the single-pattern one.
var select58 = linear_select([all142, msg264]);
// Single-pattern matchers on "nwparser.payload" plus one all_match parser
// built from shared dupN processors defined elsewhere.

// Interface monitoring back to normal.
var msg265 = match({
  dissect: { tokenizer: "(%{context}) Monitoring on interface %{interface} normal", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup832]),
});

// Denied HTTP configuration attempt; only the requesting address is captured.
// A rejected management-plane request is a useful signal for alerting.
var msg266 = match({
  dissect: { tokenizer: "Denied HTTP configuration attempt from %{saddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup349, dup833]),
});

var all143 = all_match({
  processors: [dup834, dup4, dup114],
  on_success: processor_chain([dup835, dup836]),
});

// Catch-all: the whole payload is captured as event_description.
var msg267 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup837]),
});

// GTP connection created for a response, with both endpoints.
var msg268 = match({
  dissect: { tokenizer: "GTP connection created for response from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup838]),
});

// "(VPN-<context>)" prefixed message; the rest becomes event_description.
var msg269 = match({
  dissect: { tokenizer: "(VPN-%{context}) %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup839]),
});

// Parenthesised context immediately followed by free text (no space between).
var msg270 = match({
  dissect: { tokenizer: "(%{context})%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup343, dup840]),
});
// Six single-pattern matchers on "nwparser.payload".

// Fixed-text message. The trailing %{} has an empty key name, so no named
// field is captured (presumably it absorbs any remaining text).
var msg271 = match({
  dissect: { tokenizer: "SVC Global Compression Disabled%{}", field: "nwparser.payload" },
  on_success: processor_chain([dup483, dup841]),
});

// Captures product, sigid, context, saddr, daddr and dinterface.
var msg272 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup597, dup842]),
});

// NAT-T keepalive; the source side has no interface in this layout.
var msg273 = match({
  dissect: { tokenizer: "NAT-T keepalive received from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup843]),
});

// CONNECTED notify processing; the message id is captured as fld1.
var msg274 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, Processing CONNECTED notify (MsgId %{fld1})", field: "nwparser.payload" },
  on_success: processor_chain([dup220, dup844]),
});

// Certificate-map lookup failure for a peer certificate: serial number,
// subject (cert_subject) and issuer (dn). Note the separators differ: a comma
// follows the serial number but only a space precedes "issuer_name:".
var msg275 = match({
  dissect: { tokenizer: "Tunnel group search using certificate maps failed for peer certificate: serial number: %{serial_number}, subject name: %{cert_subject} issuer_name: %{dn}", field: "nwparser.payload" },
  on_success: processor_chain([dup106, dup845]),
});

// TCP-Proxy connection termination with both endpoints and a result text.
var msg276 = match({
  dissect: { tokenizer: "Terminating TCP-Proxy connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} - %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup846]),
});
// all_match parsers assembled from shared dupN processors (defined elsewhere)
// and two single-pattern matchers on "nwparser.payload".

var all144 = all_match({
  processors: [dup466, dup4, dup847],
  on_success: processor_chain([dup848, dup849]),
});

// Trap channel could not be opened: protocol, UDP port, interface, error code.
var msg277 = match({
  dissect: { tokenizer: "Unable to open %{protocol} trap channel (UDP port %{network_port}) on interface %{interface}, error code = %{resultcode}", field: "nwparser.payload" },
  on_success: processor_chain([dup47, dup850]),
});

// Captures product, sigid, context, saddr, daddr and dinterface.
var msg278 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup597, dup851]),
});

var all145 = all_match({
  processors: [dup127, dup64, dup852],
  on_success: processor_chain([dup177, dup853]),
});

var all146 = all_match({
  processors: [dup854, dup855],
  on_success: processor_chain([dup316, dup856]),
});
// Seven single-pattern matchers on "nwparser.payload".

// Configuration cleared: what was cleared (fld1) and from where (fld2). Both
// land in generic fldN keys, so a later step must map them if change
// monitoring needs the originator.
var msg279 = match({
  dissect: { tokenizer: "PIX clear config %{fld1} from %{fld2}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup857]),
});

// Fixed-text message. The trailing %{} has an empty key name, so no named
// field is captured (presumably it absorbs any remaining text).
var msg280 = match({
  dissect: { tokenizer: "LU loading standby end%{}", field: "nwparser.payload" },
  on_success: processor_chain([dup858, dup859]),
});

// Catch-all: the whole payload is captured as event_description.
var msg281 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup106, dup860]),
});

// Catch-all with a different on_success chain.
var msg282 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup861, dup862]),
});

// Bad header length: header and packet lengths (fld1, fld2), both
// address/port pairs, flags (fld3) and the interface.
var msg283 = match({
  dissect: { tokenizer: "Bad %{protocol} hdr length (hdrlen=%{fld1}, pktlen=%{fld2}) from %{saddr}/%{sport} to %{daddr}/%{dport}, flags: %{fld3}, on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup489, dup863]),
});

// "LU look NAT" failure; the address is captured as hostip.
var msg284 = match({
  dissect: { tokenizer: "LU look NAT for %{hostip} failed", field: "nwparser.payload" },
  on_success: processor_chain([dup268, dup864]),
});

// Crypto command error: product, error context, command name (process) and
// its parenthesised argument text (info).
var msg285 = match({
  dissect: { tokenizer: "CRYPTO: The %{product} encountered an error (%{context}) while executing the command %{process}(%{info}).", field: "nwparser.payload" },
  on_success: processor_chain([dup343, dup865]),
});
// One all_match parser (shared dupN processors, defined elsewhere) and one
// single-pattern matcher on "nwparser.payload".

var all147 = all_match({
  processors: [dup127, dup64, dup866],
  on_success: processor_chain([dup867, dup868]),
});

// Request succeeded for a tunnel group; here the quoted name is captured as
// group (the "Local pool request" patterns store it as info instead).
var msg286 = match({
  dissect: { tokenizer: "%{process}: %{result}, request succeeded for tunnel-group '%{group}'", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup869]),
});
// Four layouts of the "No translation group found" message, from the most
// detailed (interfaces and ports) to the least (bare addresses). All four run
// the same first on_success step (dup378).

// Form with interface:address/port on both sides.
var msg287 = match({
  dissect: { tokenizer: "No translation group found for %{protocol} src %{sinterface}:%{saddr}/%{sport} dst %{dinterface}:%{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup870]),
});

// ICMP form: no ports, but the ICMP type and code are captured.
var msg288 = match({
  dissect: { tokenizer: "No translation group found for icmp src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup871]),
});

// "protocol N" form with interfaces but no ports.
var msg289 = match({
  dissect: { tokenizer: "No translation group found for protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup872]),
});

// "protocol N" form with bare addresses only.
var msg290 = match({
  dissect: { tokenizer: "No translation group found for protocol %{protocol} src %{saddr} dst %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup873]),
});

// Alternatives are handed to linear_select (defined outside this section) in this
// order; keep the more specific layouts ahead of the shorter ones when editing.
var select59 = linear_select([msg287, msg288, msg289, msg290]);
// Signature-style message: sigid, then source and destination of the HTTP
// requests that went unanswered.
var msg291 = match({
  dissect: { tokenizer: "%{sigid} Maximum of 10 unanswered HTTP requests exceeded from %{saddr} to %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup27, dup874]),
});

// Connection build for a raw IP protocol; the parenthesised values are stored
// as the translated addresses (stransaddr / dtransaddr).
var msg292 = match({
  dissect: { tokenizer: "Built IP protocol %{protocol} connection %{connectionid} for %{sinterface}:%{saddr} (%{stransaddr}) to %{dinterface}:%{daddr} (%{dtransaddr})", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup875]),
});

// Composite alternative built from dup371, dup433 and dup876 (defined outside this section).
var all148 = all_match({
  processors: [dup371, dup433, dup876],
  on_success: processor_chain([dup288, dup877]),
});

// The single-pattern form is listed before the composite one.
var select60 = linear_select([msg292, all148]);
// SSH session limit hit: requesting address and the interface it arrived on.
// %{space} sits between the two sentences of the message.
var msg293 = match({
  dissect: { tokenizer: "SSH session limit exceeded.%{space}Connection request from %{saddr} on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup349, dup878]),
});

// VPN hardware-client attribute mismatch: group, username, peer address and the attribute name.
var msg294 = match({
  dissect: { tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, Hardware client security attribute %{change_attribute} was enabled but not requested", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup879]),
});

// Composite of dup238, dup880 and dup881 (defined outside this section).
var all149 = all_match({
  processors: [dup238, dup880, dup881],
  on_success: processor_chain([dup14, dup882]),
});

// Embryonic (half-open) connection limit per client. Note the destination is
// captured as dhost here, not daddr, so queries keyed on daddr will not see it
// unless a later step copies it across.
var msg295 = match({
  dissect: { tokenizer: "Per-client embryonic connection limit exceeded %{fld1} for input packet from %{saddr}/%{sport} to %{dhost}/%{dport} on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup883]),
});

// Composite of dup466, dup4 and dup884.
var all150 = all_match({
  processors: [dup466, dup4, dup884],
  on_success: processor_chain([dup848, dup885]),
});
// Structured alternative, composed from dup886 and dup887 (defined outside this section).
var all151 = all_match({
  processors: [dup886, dup887],
  on_success: processor_chain([dup93, dup888]),
});

// Fallback: the whole payload is stored as event_description with no further structure.
var msg296 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup889]),
});

// The catch-all is listed last; placing it first would hide the structured alternative.
var select61 = linear_select([all151, msg296]);
// Dropped SNMP packet: both endpoints with interfaces and ports; the text after
// the semicolon is kept as result.
var msg297 = match({
  dissect: { tokenizer: "Dropped UDP SNMP packet from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}; %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup890]),
});

// VPN client XAUTH failure; only the peer address is available for correlation.
var msg298 = match({
  dissect: { tokenizer: "VPNClient: XAUTH Failed: Peer: %{saddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup891, dup892]),
});

// Start of a configuration load: hostip is the first token, device is what the
// configuration is being read from.
var msg299 = match({
  dissect: { tokenizer: "Begin configuration: %{hostip} reading from %{device}", field: "nwparser.payload" },
  on_success: processor_chain([dup166, dup893]),
});

// Composite of four sub-parsers, dup894 through dup897 (defined outside this section).
var all152 = all_match({
  processors: [dup894, dup895, dup896, dup897],
  on_success: processor_chain([dup898, dup899]),
});
// Two composites that share their first two sub-parsers (dup518, dup786) and
// differ only in the last one: dup655 here, dup653 in all154.
var all153 = all_match({
  processors: [dup518, dup786, dup655],
  on_success: processor_chain([dup55, dup900]),
});

var all154 = all_match({
  processors: [dup518, dup786, dup653],
  on_success: processor_chain([dup55, dup901]),
});

// Alternatives in the order they are passed to linear_select.
var select62 = linear_select([all153, all154]);
// Peer address, the action text up to the first ". ", and the stated reason.
var msg300 = match({
  dissect: { tokenizer: "IP = %{saddr}, %{action}. %{space} Reason: %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup1, dup902]),
});

// Catch-all: whole payload stored as event_description.
var msg301 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup903]),
});

// ACL-style denial: packet type -> fld1, list name -> fld2; addresses only, no ports.
var msg302 = match({
  dissect: { tokenizer: "%{protocol} packet type %{fld1} denied by %{direction} list %{fld2} src %{saddr} dest %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup904]),
});
// Connection teardown for a raw IP protocol: connection id, endpoints without
// ports, duration and byte count.
var msg303 = match({
  dissect: { tokenizer: "Teardown IP protocol %{protocol} connection %{connectionid} for %{sinterface}:%{saddr} to %{dinterface}:%{daddr} duration %{duration} bytes %{bytes}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup905]),
});

// Stub-connection teardown: endpoints with ports; the text after the byte count
// is kept as event_description.
var msg304 = match({
  dissect: { tokenizer: "Teardown stub %{protocol} connection for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration} forwarded bytes %{bytes} %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup906]),
});

var select63 = linear_select([msg303, msg304]);
// Web cache acquisition: address and host name separated by "/".
var msg305 = match({
  dissect: { tokenizer: "Web Cache %{saddr}/%{shost} acquired", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup907]),
});

// Two layouts of a "(context)description" message that differ in how the
// trailing result is delimited: "(cause: ...)." versus " - ...".
var msg306 = match({
  dissect: { tokenizer: "(%{context})%{event_description}(cause: %{result}).", field: "nwparser.payload" },
  on_success: processor_chain([dup58, dup908]),
});

var msg307 = match({
  dissect: { tokenizer: "(%{context})%{event_description} - %{result}.", field: "nwparser.payload" },
  on_success: processor_chain([dup58, dup909]),
});

var select64 = linear_select([msg306, msg307]);
// Composite of five sub-parsers (all defined outside this section).
var all155 = all_match({
  processors: [dup249, dup250, dup452, dup453, dup910],
  on_success: processor_chain([dup33, dup911]),
});

// Catch-all: whole payload stored as event_description.
var msg308 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup912]),
});

// Composite of dup913 and dup914.
var all156 = all_match({
  processors: [dup913, dup914],
  on_success: processor_chain([dup110, dup915]),
});

// A remote SSL server asked this device for its certificate; captures the
// interface, server address (hostip) and port (network_port).
var msg309 = match({
  dissect: { tokenizer: "SSL server %{interface}:%{hostip}/%{network_port} requesting our device certificate for authentication.", field: "nwparser.payload" },
  on_success: processor_chain([dup220, dup916]),
});

var select65 = linear_select([all156, msg309]);
// Tail parser: reads nwparser.p0 rather than nwparser.payload and has no
// on_success chain of its own. It captures group_object up to a closing single quote.
// NOTE(review): nwparser.p0 is presumably filled by the preceding sub-parser (dup917) - confirm.
var msg310 = match({
  dissect: { tokenizer: "%{group_object}'", field: "nwparser.p0" },
});

// dup917 runs first, then msg310 consumes the remainder.
var all157 = all_match({
  processors: [dup917, msg310],
  on_success: processor_chain([dup93, dup918]),
});
// NAT translation teardown in one pattern: the parenthesised values after the
// source port and after the destination interface are kept as fld51 / fld52.
var msg311 = match({
  dissect: { tokenizer: "Teardown %{context} %{protocol} translation from %{sinterface}:%{saddr}/%{sport}(%{fld51}) to %{dinterface}(%{fld52}):%{daddr}/%{dport} duration %{duration}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup919]),
});

// Tail parser on nwparser.p1 (no on_success): destination with interface, then duration.
var msg312 = match({
  dissect: { tokenizer: "%{dinterface}:%{daddr}/%{dport} duration %{duration}", field: "nwparser.p1" },
});

// dup920 and dup921 run first; msg312 handles the remainder.
var all158 = all_match({
  processors: [dup920, dup921, msg312],
  on_success: processor_chain([dup33, dup922]),
});

// Tail parser on nwparser.p1 (no on_success): destination without interface, then duration.
var msg313 = match({
  dissect: { tokenizer: "%{daddr}/%{dport} duration %{duration}", field: "nwparser.p1" },
});

// dup923 and dup924 run first; msg313 handles the remainder.
var all159 = all_match({
  processors: [dup923, dup924, msg313],
  on_success: processor_chain([dup33, dup925]),
});

// Single-pattern form first, then the two composites.
var select66 = linear_select([msg311, all158, all159]);
// Composite of dup926 and dup927 (defined outside this section).
var all160 = all_match({
  processors: [dup926, dup927],
  on_success: processor_chain([dup193, dup928]),
});

// Composite of dup929, dup4 and dup930.
var all161 = all_match({
  processors: [dup929, dup4, dup930],
  on_success: processor_chain([dup81, dup931]),
});

// State-bypass connection build: real and translated address/port on both sides.
var msg314 = match({
  dissect: { tokenizer: "Built %{protocol} state-bypass connection %{connectionid} from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup932]),
});

// Possible MAC spoofing. The denied MAC address is captured into daddr, so for
// this message daddr holds a MAC, not an IP address; consumers that type or
// enrich daddr as an IP should account for that.
var msg315 = match({
  dissect: { tokenizer: "Deny MAC address %{daddr}, possible spoof attempt on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup933]),
});

// Non-IPsec packet received where IPsec was expected. The message lists the
// destination before the source; the tokenizer maps each to the matching field.
var msg316 = match({
  dissect: { tokenizer: "Rec'd packet not an IPSEC packet %{space} (ip) dest_addr= %{daddr}, src_addr= %{saddr}, prot= %{protocol}", field: "nwparser.payload" },
  on_success: processor_chain([dup1, dup934]),
});

// Parenthesised context followed by free text.
var msg317 = match({
  dissect: { tokenizer: "(%{context})%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup343, dup935]),
});

// URL filtering server timeout. url is the requested URL as logged by the
// device and is attacker-influenced; escape it before rendering.
var msg318 = match({
  dissect: { tokenizer: "URL Server %{hostip} timed out URL %{url}", field: "nwparser.payload" },
  on_success: processor_chain([dup336, dup936]),
});
// NAT translation build in one pattern; the parenthesised values are kept as fld51 / fld52.
var msg319 = match({
  dissect: { tokenizer: "Built %{context} %{protocol} translation from %{sinterface}:%{saddr}/%{sport}(%{fld51}) to %{dinterface}(%{fld52}):%{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup937]),
});

// Composite of dup938, dup921 and dup939 (defined outside this section).
var all162 = all_match({
  processors: [dup938, dup921, dup939],
  on_success: processor_chain([dup33, dup940]),
});

// Tail parser on nwparser.p1 (no on_success): destination address and port.
var msg320 = match({
  dissect: { tokenizer: "%{daddr}/%{dport}", field: "nwparser.p1" },
});

// dup941 and dup924 run first; msg320 handles the remainder.
var all163 = all_match({
  processors: [dup941, dup924, msg320],
  on_success: processor_chain([dup33, dup942]),
});

// Single-pattern form first, then the two composites.
var select67 = linear_select([msg319, all162, all163]);
// Peer address, free text up to " payload: ", then the payload detail as fld1.
var msg321 = match({
  dissect: { tokenizer: "IP = %{saddr}, %{event_description} payload: %{fld1}", field: "nwparser.payload" },
  on_success: processor_chain([dup261, dup943]),
});

// Composite of five sub-parsers (defined outside this section).
var all164 = all_match({
  processors: [dup63, dup64, dup65, dup66, dup944],
  on_success: processor_chain([dup285, dup945]),
});

// Catch-all: whole payload stored as event_description.
var msg322 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup946]),
});

// Two composites sharing dup947 and dup948; they differ in the last sub-parser
// (dup949 versus dup951).
var all165 = all_match({
  processors: [dup947, dup948, dup949],
  on_success: processor_chain([dup55, dup950]),
});

var all166 = all_match({
  processors: [dup947, dup948, dup951],
  on_success: processor_chain([dup55, dup952]),
});

var select68 = linear_select([all165, all166]);
// Failover replication problem: the address that could not be sent to the standby unit.
var msg323 = match({
  dissect: { tokenizer: "%{process}: Unable to send %{hostip} to standby: address in use", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup953]),
});

// Composite of dup954 and dup4 (defined outside this section).
var all167 = all_match({
  processors: [dup954, dup4],
  on_success: processor_chain([dup955, dup956]),
});

// Group / User / IP in angle brackets, then description and result.
// The \u003c and \u003e escapes are the characters "<" and ">"; the doubled "<"
// is reproduced exactly as found.
// NOTE(review): whether match() treats "<<" as an escaped single "<" is not visible here - confirm.
var msg324 = match({
  dissect: { tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{hostip}\u003e %{event_description}. %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup957]),
});
// IKE/IPsec negotiation messages. The specific layouts come first; the generic
// "Group, Username, IP, free text" form and the composite are listed after them.

// Unencrypted AUTH_FAILED notify for a known group.
var msg325 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, Received an un-encrypted AUTH_FAILED notify message, %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup958]),
});

// Encrypted packet that matches no security association.
var msg326 = match({
  dissect: { tokenizer: "IP = %{saddr}, Received encrypted packet with no matching SA, %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup959]),
});

// Any other unencrypted notify; its type is captured as obj_type.
var msg327 = match({
  dissect: { tokenizer: "IP = %{saddr}, Received an un-encrypted %{obj_type} notify message, %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup960]),
});

// No crypto map bound to the receiving interface.
var msg328 = match({
  dissect: { tokenizer: "IP = %{saddr}, No crypto map bound to interface... %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup961]),
});

// Generic form: group, username and peer address, rest kept as free text.
var msg329 = match({
  dissect: { tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup962]),
});

// Tail parser on nwparser.p0 (no on_success): the remainder becomes event_description.
var msg330 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.p0" },
});

// dup963 runs first; msg330 handles the remainder.
var all168 = all_match({
  processors: [dup963, msg330],
  on_success: processor_chain([dup14, dup964]),
});

var select69 = linear_select([msg325, msg326, msg327, msg328, msg329, all168]);
// VPN load balancing stopped in the named context.
var msg331 = match({
  dissect: { tokenizer: "Stop VPN Load Balancing in context %{context}.", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup965]),
});

// IP-to-user mapping deletion, success form. domain and username are split on
// the backslash (written "\\" in the string literal).
var msg332 = match({
  dissect: { tokenizer: "%{application}: Delete IP-User mapping %{saddr} - %{domain}\\%{username} Succeeded - %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup966, dup967]),
});

// Failure form; only the fixed reason "VPN user logout" is recognised.
var msg333 = match({
  dissect: { tokenizer: "%{application}: Delete IP-User mapping %{saddr} - %{domain}\\%{username} Failed - VPN user logout", field: "nwparser.payload" },
  on_success: processor_chain([dup966, dup968]),
});

var select70 = linear_select([msg332, msg333]);
// Stub-connection teardown with a connection id; trailing text kept as info.
var msg334 = match({
  dissect: { tokenizer: "Teardown stub %{protocol} connection %{connectionid} for %{sinterface}:%{saddr} to %{dinterface}:%{daddr} duration %{duration} bytes %{bytes} %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup969]),
});

// ESP packet with an invalid SPI: the parenthesised detail is stored as result,
// followed by the two tunnel endpoints.
var msg335 = match({
  dissect: { tokenizer: "IPSEC: Received an ESP packet %{space} (%{result}) from %{saddr} to %{daddr} with an invalid SPI", field: "nwparser.payload" },
  on_success: processor_chain([dup1, dup970]),
});

// Shared-license client added / expired; the client id is captured as hostid.
var msg336 = match({
  dissect: { tokenizer: "Shared license added client id %{hostid}.", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup971]),
});

var msg337 = match({
  dissect: { tokenizer: "Shared license expired client id %{hostid}.", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup972]),
});

var select71 = linear_select([msg336, msg337]);
// Composite of dup31 and dup973 (defined outside this section).
var all169 = all_match({
  processors: [dup31, dup973],
  on_success: processor_chain([dup33, dup974]),
});

// Composite of dup12, dup4 and dup97.
var all170 = all_match({
  processors: [dup12, dup4, dup97],
  on_success: processor_chain([dup14, dup975]),
});

// VPN failover: what is being sent to the standby unit is kept as info.
var msg338 = match({
  dissect: { tokenizer: "(VPN-%{context}) Sending %{info} to standby unit", field: "nwparser.payload" },
  on_success: processor_chain([dup131, dup976]),
});

// Catch-all: whole payload stored as event_description.
var msg339 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup977]),
});

// Keyword/value record; apart from protocol, every value lands in a generic
// fldN slot (lsid -> fld1 ... net-metric -> fld9).
var msg340 = match({
  dissect: { tokenizer: "lsid %{fld1} adv %{fld2} type %{fld3} gateway %{fld4} metric %{fld5} network %{fld6} mask %{fld7} protocol %{protocol} attr %{fld8} net-metric %{fld9}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup978]),
});

// Composite of dup324 and dup322.
var all171 = all_match({
  processors: [dup324, dup322],
  on_success: processor_chain([dup55, dup979]),
});

// Composite of dup104, dup4 and dup97.
var all172 = all_match({
  processors: [dup104, dup4, dup97],
  on_success: processor_chain([dup14, dup980]),
});

var select72 = linear_select([all171, all172]);
// Load-balancing role change in the named context (literal text as emitted by the device).
var msg341 = match({
  dissect: { tokenizer: "Becoming slave of Load Balancing in context %{context}.", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup981]),
});

// Address assignment failure: the AAA-provided address and the stated reason.
var msg342 = match({
  dissect: { tokenizer: "%{process}: Unable to assign AAA provided IP address (%{hostip}) to Client. %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup982]),
});

// Static crypto map check was bypassed for this peer; detail kept as info.
var msg343 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, Static Crypto Map Check by-passed: %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup475, dup983]),
});

// Denied management login, with and without the interface suffix. The longer
// form is listed first; the shorter tokenizer is a prefix of it, so swapping
// them could leave " on interface ..." inside saddr.
var msg344 = match({
  dissect: { tokenizer: "Denied %{protocol} login session from %{saddr} on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup349, dup984]),
});

var msg345 = match({
  dissect: { tokenizer: "Denied %{protocol} login session from %{saddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup349, dup985]),
});

var select73 = linear_select([msg344, msg345]);
// Composite of dup238, dup986 and dup987 (defined outside this section).
var all173 = all_match({
  processors: [dup238, dup986, dup987],
  on_success: processor_chain([dup14, dup988]),
});

// IKE_INIT_SA request: local endpoint -> saddr/sport, remote -> daddr/dport, plus username.
var msg346 = match({
  dissect: { tokenizer: "Local:%{saddr}:%{sport} Remote:%{daddr}:%{dport} Username:%{username} Received a IKE_INIT_SA request", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup989]),
});

// Discarded request. The token after the destination address is captured as
// service, not dport, so port-based queries will not see it unless a later step maps it.
var msg347 = match({
  dissect: { tokenizer: "%{protocol} request discarded from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{service}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup990]),
});

// Certificate-map lookup: serial number and subject of the peer certificate.
// cert_subject is taken verbatim from the peer's certificate as logged.
var msg348 = match({
  dissect: { tokenizer: "Looking for a tunnel group match based on certificate maps for peer certificate with serial number: %{serial_number}, subject name: %{cert_subject}", field: "nwparser.payload" },
  on_success: processor_chain([dup41, dup991]),
});

// Composite of dup992, dup381 and dup993.
var all174 = all_match({
  processors: [dup992, dup381, dup993],
  on_success: processor_chain([dup93, dup994]),
});

// Embryonic-connection threshold message; the two numbers are kept as fld1/fld2.
var msg349 = match({
  dissect: { tokenizer: "Too many embryonic connections on STRING %{hostip} %{fld1}/%{fld2}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup995]),
});

var select74 = linear_select([all174, msg349]);
// HTTP peer-to-peer detection: signature id, list number, protocol and both addresses.
var msg350 = match({
  dissect: { tokenizer: "%{sigid} HTTP Peer-to-Peer detected - %{listnum} %{protocol} from %{saddr} to %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup27, dup996]),
});

// Composite of dup127, dup64 and dup997 (defined outside this section).
var all175 = all_match({
  processors: [dup127, dup64, dup997],
  on_success: processor_chain([dup285, dup998]),
});

// "(context)description" with the result either in "(cause: ...)." or after " - ".
var msg351 = match({
  dissect: { tokenizer: "(%{context})%{event_description} (cause: %{result}).", field: "nwparser.payload" },
  on_success: processor_chain([dup58, dup999]),
});

var msg352 = match({
  dissect: { tokenizer: "(%{context})%{event_description} - %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup58, dup1000]),
});

var select75 = linear_select([msg351, msg352]);
// Signature message: product, signature id, description (context), endpoints and interface.
var msg353 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup168, dup1001]),
});

// Composite of dup12, dup4 and dup829 (defined outside this section).
var all176 = all_match({
  processors: [dup12, dup4, dup829],
  on_success: processor_chain([dup55, dup1002]),
});

// "Built ... TCP connection" layouts. In the faddr/gaddr/laddr forms the mapping
// depends on direction: inbound puts faddr in saddr and laddr in daddr, outbound
// swaps them. gaddr is stored as hostip/network_port.

// Inbound, faddr/gaddr/laddr form.
var msg354 = match({
  dissect: { tokenizer: "Built inbound TCP connection %{fld1} for faddr %{saddr}/%{sport} gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup1003]),
});

// Outbound, faddr/gaddr/laddr form (faddr is the destination).
var msg355 = match({
  dissect: { tokenizer: "Built outbound TCP connection %{fld1} for faddr %{daddr}/%{dport} gaddr %{hostip}/%{network_port} laddr %{saddr}/%{sport}", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup1004]),
});

// No direction keyword; mapped like the inbound form.
var msg356 = match({
  dissect: { tokenizer: "Built TCP connection %{fld1} for faddr %{saddr}/%{sport} gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup1005]),
});

// Outbound, interface form: the first endpoint in the text is stored as the destination.
var msg357 = match({
  dissect: { tokenizer: "Built outbound TCP connection %{fld1} for %{dinterface}:%{daddr}/%{dport} (%{hostip}) to %{sinterface}:%{saddr}/%{sport} (%{fld3})", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup1006]),
});

// Any other direction keyword, interface form: first endpoint is the source.
var msg358 = match({
  dissect: { tokenizer: "Built %{direction} TCP connection %{fld1} for %{sinterface}:%{saddr}/%{sport} (%{hostip}) to %{dinterface}:%{daddr}/%{dport} (%{fld3})", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup1007]),
});

// msg357 (literal "outbound") is listed before msg358 (%{direction}); reversing
// them would let the generic form take outbound lines with source and destination swapped.
var select76 = linear_select([msg354, msg355, msg356, msg357, msg358]);
// Shared license service status; trailing text kept as info.
var msg359 = match({
  dissect: { tokenizer: "Shared license service is active. %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup1008]),
});

// Data-connection failure for the given address.
var msg360 = match({
  dissect: { tokenizer: "%{protocol} data connection failed for %{hostip}", field: "nwparser.payload" },
  on_success: processor_chain([dup243, dup1009]),
});

// Peer address, description up to ": ", then detail as info.
var msg361 = match({
  dissect: { tokenizer: "IP = %{saddr}, %{event_description}: %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup1010]),
});

// Response received from the named application.
var msg362 = match({
  dissect: { tokenizer: "%{application} response received.", field: "nwparser.payload" },
  on_success: processor_chain([dup220, dup1011]),
});

// "Deny <direction> (No xlate)" layouts, all with dup61 as the first on_success step.

// "protocol N" form, interfaces and addresses only.
var msg363 = match({
  dissect: { tokenizer: "Deny %{direction} (No xlate) protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup1012]),
});

// Form with ports on both sides.
var msg364 = match({
  dissect: { tokenizer: "Deny %{direction} (No xlate) %{protocol} src %{sinterface}:%{saddr}/%{sport} dst %{dinterface}:%{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup1013]),
});

// ICMP-style form with type and code.
var msg365 = match({
  dissect: { tokenizer: "Deny %{direction} (No xlate) %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup1014]),
});

// Bare form: only the direction is captured, so no endpoint fields are extracted by this pattern.
var msg366 = match({
  dissect: { tokenizer: "Deny %{direction} (No xlate)", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup1015]),
});

// The bare form is listed last, after the three layouts that carry endpoints.
var select77 = linear_select([msg363, msg364, msg365, msg366]);
// Catch-all: whole payload stored as event_description.
var msg367 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup243, dup1016]),
});

// VPN client NAT configuration; the NAT address is stored as stransaddr.
var msg368 = match({
  dissect: { tokenizer: "VPNClient: NAT configured for Client Mode with no split %{space} tunneling: NAT addr: %{stransaddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup121, dup1017]),
});

// Composite of dup12, dup4 and dup1018 (defined outside this section).
var all177 = all_match({
  processors: [dup12, dup4, dup1018],
  on_success: processor_chain([dup1019, dup1020]),
});

// Group and peer address, the action text up to ". ", remainder as fld1.
var msg369 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, %{action}. %{fld1}", field: "nwparser.payload" },
  on_success: processor_chain([dup369, dup1021]),
});

var select78 = linear_select([all177, msg369]);
// Catch-all: whole payload stored as event_description.
var msg370 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup220, dup1022]),
});

// Denied through-the-device traffic to or from a management-only network.
// Four layouts follow: ICMP, "protocol N", a composite, and a form with ports in parentheses.

// ICMP form with type and code.
var msg371 = match({
  dissect: { tokenizer: "Through-the-device packet to/from management-only network is denied: icmp src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup1023]),
});

// "protocol N" form, no ports.
var msg372 = match({
  dissect: { tokenizer: "Through-the-device packet to/from management-only network is denied: protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup1024]),
});

// Composite of dup1025, dup1026 and dup939 (defined outside this section).
var all178 = all_match({
  processors: [dup1025, dup1026, dup939],
  on_success: processor_chain([dup285, dup1027]),
});

// "from <if> <addr> (<port>) to <if> <addr> (<port>)" form.
var msg373 = match({
  dissect: { tokenizer: "Through-the-device packet to/from management-only network is denied: %{protocol} from %{sinterface} %{saddr} (%{sport}) to %{dinterface} %{daddr} (%{dport})", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup1028]),
});

var select79 = linear_select([msg371, msg372, all178, msg373]);
// Four composites that all start their on_success chain with dup285. Their
// sub-parsers are defined outside this section, apart from msg374 below.

var all179 = all_match({
  processors: [dup1029, dup1030, dup1031, dup1032],
  on_success: processor_chain([dup285, dup1033]),
});

// Tail parser on nwparser.p3 (no on_success): captures rule_group up to a
// closing double quote (written \" in the string literal).
var msg374 = match({
  dissect: { tokenizer: "%{rule_group}\"", field: "nwparser.p3" },
});

// dup1034 through dup1037 run first; msg374 handles the remainder.
var all180 = all_match({
  processors: [dup1034, dup1035, dup1036, dup1037, msg374],
  on_success: processor_chain([dup285, dup1038]),
});

var all181 = all_match({
  processors: [dup1039, dup1040, dup1041],
  on_success: processor_chain([dup285, dup1042]),
});

var all182 = all_match({
  processors: [dup1043, dup1044],
  on_success: processor_chain([dup285, dup1045]),
});

var select80 = linear_select([all179, all180, all181, all182]);
// Missing translation: source and destination addresses; trailing text kept as info.
var msg375 = match({
  dissect: { tokenizer: "Unable to find translation for SRC=%{saddr} DEST=%{daddr} %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup1046]),
});

// Signature message: product, signature id, description (context), endpoints and interface.
var msg376 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup168, dup1047]),
});

// HTTP instant-messenger detection: signature id, list number, protocol and both addresses.
var msg377 = match({
  dissect: { tokenizer: "%{sigid} HTTP Instant Messenger detected - %{listnum} %{protocol} from %{saddr} to %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup27, dup1048]),
});

// Embryonic (half-open) connection limit exceeded. The "x/y" counter pair after
// "exceeded" is stored in sinterface/dinterface by this tokenizer.
// NOTE(review): those look like counters rather than interface names - confirm against sample logs.
var msg378 = match({
  dissect: { tokenizer: "Embryonic limit exceeded %{sinterface}/%{dinterface} for %{saddr}/%{sport} to (%{hostip}) %{daddr}/%{dport} on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup1049]),
});

// Catch-all: whole payload stored as event_description.
var msg379 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup243, dup1050]),
});

// VPN failover message: context from the "(VPN-...)" prefix, rest as free text.
var msg380 = match({
  dissect: { tokenizer: "(VPN-%{context}) %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup106, dup1051]),
});
// Three composites that share their middle and last sub-parsers (dup4, dup930)
// and first on_success step (dup285); only the leading sub-parser differs.
var all183 = all_match({
  processors: [dup1052, dup4, dup930],
  on_success: processor_chain([dup285, dup1053]),
});

var all184 = all_match({
  processors: [dup1054, dup4, dup930],
  on_success: processor_chain([dup285, dup1055]),
});

var all185 = all_match({
  processors: [dup1056, dup4, dup930],
  on_success: processor_chain([dup285, dup1057]),
});

var select81 = linear_select([all183, all184, all185]);
// SMTP connection pool exhausted; the client address and port are captured.
var msg381 = match({
  dissect: { tokenizer: "Out of SMTP connections! %{saddr}/%{sport}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup1058]),
});

// ESMTP inspection event: both endpoints with interfaces and ports; the text
// after the semicolon is kept as result.
var msg382 = match({
  dissect: { tokenizer: "%{network_service}: Received ESMTP Request from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}; %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup199, dup1059]),
});

var select82 = linear_select([msg381, msg382]);
var msg383 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, De-queuing KEY-ACQUIRE messages that were left pending", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1060, | |
]), | |
}); | |
var msg384 = match({ | |
dissect: { | |
tokenizer: "(%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1061, | |
dup1062, | |
]), | |
}); | |
var msg385 = match({ | |
dissect: { | |
tokenizer: "Built conduit from %{sinterface}:%{saddr} to %{dinterface}:%{daddr} IP version %{fld1} protocol %{protocol}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup222, | |
dup1063, | |
]), | |
}); | |
// Multi-part patterns: every entry in `processors` is a sub-pattern defined
// elsewhere in this file.
var all186 = all_match({
  processors: [dup12, dup4, dup1064],
  on_success: processor_chain([dup316, dup1065]),
});

var all187 = all_match({
  processors: [dup127, dup64, dup1066],
  on_success: processor_chain([dup1067, dup1068]),
});

// Same shape as "(%{context}) %{event_description}" but with no space after ")".
var msg386 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup268, dup1069]),
});

// \u003c and \u003e are the JS escapes for "<" and ">".
// NOTE(review): as written the tokenizer needs two literal "<" before each
// value and a single ">" after it. If the device emits single angle brackets
// ("Group <name> User <name> IP <addr>") this pattern never matches and the
// ACL parse errors go unparsed - confirm against sample logs.
var msg387 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{hostip}\u003e %{result}. ACL parse error",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1070]),
});

var all188 = all_match({
  processors: [dup664, dup1071, dup1072],
  on_success: processor_chain([dup10, dup1073]),
});

var msg388 = match({
  dissect: {
    tokenizer: "IKE got SPI from key engine: SPI = %{dst_spi}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1074]),
});

// Multi-part form listed first, single-line IKE SPI form second.
var select83 = linear_select([all188, msg388]);
// Topology, channel, auto-update and IKE rekey messages.
var msg389 = match({
  dissect: {
    tokenizer: "Send TOPOLOGY indicator failure to [%{daddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1075]),
});

// Catch-all: whole payload captured as event_description.
var msg390 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup489, dup1076]),
});

var msg391 = match({
  dissect: {
    tokenizer: "Unable to open %{protocol} channel (UDP port %{network_port}) on interface %{interface}, error code = %{resultcode}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup47, dup1077]),
});

// Catch-all: whole payload captured as event_description.
var msg392 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup1078]),
});

var all189 = all_match({
  processors: [dup1079, dup1080, dup1081],
  on_success: processor_chain([dup68, dup1082]),
});

// %{url} and %{result} are copied verbatim from the log line; consumers that
// render them should treat the values as untrusted text.
var msg393 = match({
  dissect: {
    tokenizer: "Auto Update failed to contact:%{url}, reason:%{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup489, dup1083]),
});

var msg394 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, IKE Received delete for rekeyed SA %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup341, dup1084]),
});

var all190 = all_match({
  processors: [dup127, dup64, dup673],
  on_success: processor_chain([dup68, dup1085]),
});
// uauth, VPN, VPN client, ARP inspection and signature messages.
var msg395 = match({
  dissect: {
    tokenizer: "uauth_pickapp: Uauth Unproxy Failed due to the reason: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup378, dup1086]),
});

// msg396 and msg397 use the same tokenizer; they differ only in the last
// on_success entry (dup1087 vs dup1088).
var msg396 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1087]),
});

var msg397 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1088]),
});

// The trailing %{} has no field name, so the text after the colon is not
// stored under any key by this pattern.
var msg398 = match({
  dissect: {
    tokenizer: "VPNClient: DHCP Policy installed:%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup121, dup1089]),
});

// ARP inspection failure: the sender MAC (smacaddr) and interface are the
// fields an analyst would pivot on.
var msg399 = match({
  dissect: {
    tokenizer: "ARP inspection check failed for arp response received from host %{smacaddr} on interface %{interface}.%{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1090]),
});

var msg400 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup597, dup1091]),
});
var all191 = all_match({
  processors: [dup1092, dup1093, dup1094],
  on_success: processor_chain([dup808, dup1095]),
});

// Deny messages. msg401 is the longer form ending in "on interface ...";
// msg402 is the same text without that suffix.
var msg401 = match({
  dissect: {
    tokenizer: "Deny %{direction} %{protocol} from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1096]),
});

var msg402 = match({
  dissect: {
    tokenizer: "Deny %{direction} %{protocol} from %{saddr}/%{sport} to %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1097]),
});

// Longer form listed first. NOTE(review): presumably first match wins; if so,
// swapping the order would let msg402 swallow the interface suffix into dport.
var select84 = linear_select([msg401, msg402]);

var msg403 = match({
  dissect: {
    tokenizer: "NAC is disabled for host - %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup232, dup1098]),
});

// Catch-all: whole payload captured as event_description.
var msg404 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1099]),
});

var msg405 = match({
  dissect: {
    tokenizer: "AAA Marking %{protocol} server %{hostip} in aaa-server group %{fld1} as ACTIVE",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup58, dup1100]),
});
var all192 = all_match({
  processors: [dup1101, dup1102, dup1103],
  on_success: processor_chain([dup93, dup1104]),
});

var msg406 = match({
  dissect: {
    tokenizer: "No interface is configured (with %{interface}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1105]),
});

// Catch-all: whole payload captured as event_description.
var msg407 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1106]),
});

// The catch-all msg407 is listed last, after the two structured alternatives.
var select85 = linear_select([all192, msg406, msg407]);

// all193 and all194 share their first two processors (dup518, dup1107).
var all193 = all_match({
  processors: [dup518, dup1107, dup1108],
  on_success: processor_chain([dup33, dup1109]),
});

var all194 = all_match({
  processors: [dup518, dup1107, dup1110],
  on_success: processor_chain([dup33, dup1111]),
});

var select86 = linear_select([all193, all194]);

// \u003c and \u003e are the JS escapes for "<" and ">".
// NOTE(review): the tokenizer needs two literal "<" before each value and one
// ">" after it; if the device emits single angle brackets this dynamic-ACL
// error is never matched - confirm against sample logs.
var msg408 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{hostip}\u003e Error adding dynamic ACL for user",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1112]),
});

var all195 = all_match({
  processors: [dup1113, dup1114, dup1115],
  on_success: processor_chain([dup1116, dup1117]),
});
// H245, module, crypto, VPN client and tunnel messages.
var msg409 = match({
  dissect: {
    tokenizer: "Built H245 connection for faddr %{saddr} laddr %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup222, dup1118]),
});

// Catch-all: whole payload captured as event_description.
var msg410 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1119]),
});

var msg411 = match({
  dissect: {
    tokenizer: "Module in slot %{fld1} is not able to reload, reload request not answered.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup343, dup1120]),
});

var msg412 = match({
  dissect: {
    tokenizer: "CRYPTO: The %{product} timed out (%{info})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1121, dup1122]),
});

// The trailing %{} has no field name, so the domain list after the colon is
// not stored under any key by this pattern.
var msg413 = match({
  dissect: {
    tokenizer: "VPNClient: Split DNS Policy installed: List of domains:%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup357, dup1123]),
});

var msg414 = match({
  dissect: {
    tokenizer: "Created secure tunnel to peer %{space} [%{saddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1124]),
});

var all196 = all_match({
  processors: [dup1125, dup4, dup1126],
  on_success: processor_chain([dup141, dup1127]),
});

// Free-text description up to the first ": ", then interface, protocol and
// the source/destination address-port pairs.
var msg415 = match({
  dissect: {
    tokenizer: "%{event_description}: %{interface} %{protocol} src %{saddr}/%{sport} dest %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1128]),
});
// "Built ... UDP connection" variants. Note that msg417 (outbound) maps the
// first address pair to d* fields and the second to s*, the reverse of msg418.
var msg416 = match({
  dissect: {
    tokenizer: "Built UDP connection for faddr %{saddr}/%{sport} gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup222, dup1129]),
});

var msg417 = match({
  dissect: {
    tokenizer: "Built outbound UDP connection %{fld1} for %{dinterface}:%{daddr}/%{dport} (%{hostip}) to %{sinterface}:%{saddr}/%{sport} (%{fld3})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup222, dup1130]),
});

var msg418 = match({
  dissect: {
    tokenizer: "Built %{direction} UDP connection %{fld1} for %{sinterface}:%{saddr}/%{sport} (%{hostip}) to %{dinterface}:%{daddr}/%{dport} (%{fld3})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup222, dup1131]),
});

// The literal "outbound" form (msg417) is listed before the generic
// %{direction} form (msg418).
var select87 = linear_select([msg416, msg417, msg418]);

// NOTE(review): the four backslashes in this literal are two backslashes at
// run time, so the pattern expects "domain\\group" with a doubled separator;
// confirm the device does not emit a single backslash here.
var msg419 = match({
  dissect: {
    tokenizer: "%{application}: Update import-user %{domain}\\\\%{group} done",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1132]),
});

// all197 and all198 share their first two processors (dup1133, dup1134).
var all197 = all_match({
  processors: [dup1133, dup1134, dup1135],
  on_success: processor_chain([dup285, dup1136]),
});

var all198 = all_match({
  processors: [dup1133, dup1134, dup1137],
  on_success: processor_chain([dup285, dup1138]),
});

var select88 = linear_select([all197, all198]);
// Catch-all: whole payload captured as event_description.
var msg420 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup685, dup1139]),
});

// all199 and all200 share their first two processors (dup1140, dup1141).
var all199 = all_match({
  processors: [dup1140, dup1141, dup1142],
  on_success: processor_chain([dup327, dup1143]),
});

var all200 = all_match({
  processors: [dup1140, dup1141, dup1144],
  on_success: processor_chain([dup327, dup1145]),
});

var select89 = linear_select([all199, all200]);

var msg421 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Internal Error, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1146]),
});

// \u003c and \u003e are the JS escapes for "<" and ">".
// NOTE(review): the tokenizer needs two literal "<" before each value and one
// ">" after it; if the device emits single angle brackets, session
// terminations would not be parsed into group/username/saddr - confirm
// against sample logs.
var msg422 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e Session terminated: %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1147]),
});

// Catch-all: whole payload captured as event_description.
var msg423 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup20, dup1148]),
});
// Context-prefixed free text (no space after the closing parenthesis).
var msg424 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup1149]),
});

var msg425 = match({
  dissect: {
    tokenizer: "Process dead peer[%{peer}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1150]),
});

var msg426 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup168, dup1151]),
});

// Management-session start: hostip is the address the ASDM session came from.
var msg427 = match({
  dissect: {
    tokenizer: "ASDM logging session number %{sessionid} from %{hostip} started %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup166, dup1152]),
});

var msg428 = match({
  dissect: {
    tokenizer: "%{service} daemon interface %{interface}: Packet denied from %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1153]),
});

// IPsec tunnel requests: msg429 is the rekey form, msg430 the establish form
// (which carries one extra token, fld1, after the user name).
var msg429 = match({
  dissect: {
    tokenizer: "Local:%{saddr}:%{sport} Remote:%{daddr}:%{dport} Username:%{username} Received request to rekey an IPsec tunnel; local traffic selector = %{info}; remote traffic selector = %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1154]),
});

var msg430 = match({
  dissect: {
    tokenizer: "Local:%{saddr}:%{sport} Remote:%{daddr}:%{dport} Username:%{username} %{fld1} Received request to establish an IPsec tunnel; local traffic selector = %{info}; remote traffic selector = %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1155]),
});

var select90 = linear_select([msg429, msg430]);
// Access-group deny: the interface and access-group names appear inside
// literal double quotes in the payload.
var msg431 = match({
  dissect: {
    tokenizer: "IP packet from %{saddr} to %{daddr}, protocol %{protocol} received from interface \"%{interface}\" %{space} deny by access-group \"%{fld1}\"",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1156]),
});

var msg432 = match({
  dissect: {
    tokenizer: "Module in slot %{fld1} is not able to shut down, shut down request not answered.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup343, dup1157]),
});

// The GTP version number is stored in the field named "status".
var msg433 = match({
  dissect: {
    tokenizer: "GTP packet with version %{status} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} is not supported",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1158]),
});

// Multi-part patterns built from sub-patterns defined elsewhere in this file.
var all201 = all_match({
  processors: [dup249, dup250, dup1159],
  on_success: processor_chain([dup33, dup1160]),
});

var all202 = all_match({
  processors: [dup1161, dup1162, dup1163],
  on_success: processor_chain([dup33, dup1164]),
});
// %{url} is copied verbatim from the log line; it is text chosen by whoever
// made the request, so consumers that render it should treat it as untrusted.
var msg434 = match({
  dissect: {
    tokenizer: "URL Server %{hostip} request pending URL %{url}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup336, dup1165]),
});

var msg435 = match({
  dissect: {
    tokenizer: "Strict FTP inspection matched Class 25: %{info}, %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1166]),
});

var msg436 = match({
  dissect: {
    tokenizer: "Security context %{info} was removed from the system",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup761, dup1167]),
});

// Catch-all: whole payload captured as event_description.
var msg437 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup761, dup1168]),
});

// Structured form first, catch-all second.
var select91 = linear_select([msg436, msg437]);

// Same as the other "(VPN-...)" patterns but requires a trailing "." in the
// payload.
var msg438 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1169]),
});

var msg439 = match({
  dissect: {
    tokenizer: "(%{context}) %{event_description} %{fld1}, seq = %{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1061, dup1170]),
});

// Catch-all: whole payload captured as event_description.
var msg440 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1061, dup1171]),
});

// Structured form first, catch-all second.
var select92 = linear_select([msg439, msg440]);
var msg441 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup137, dup1172]),
});

// Routing-neighbor messages: hostip is the neighbor address.
var msg442 = match({
  dissect: {
    tokenizer: "Received %{result} from unknown neighbor %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1173]),
});

var msg443 = match({
  dissect: {
    tokenizer: "Process %{fld1}, Nbr %{hostip} on %{interface} from %{fld2} to %{fld3}, %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1174, dup1175]),
});

var msg444 = match({
  dissect: {
    tokenizer: "static %{fld1} %{fld2} %{fld3} %{fld4} overlapped with %{fld5} %{fld6}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup378, dup1176]),
});

// HTTP inspection messages. In msg445 the HTTP method sits between single
// quotes and is stored in the field named "protocol".
var msg445 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP RFC method illegal - %{listnum} '%{protocol}' from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup27, dup1177]),
});

var msg446 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP - matched %{fld1} in policy-map %{policyname}, header matched - Resetting connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup27, dup1178]),
});

var select93 = linear_select([msg445, msg446]);

var all203 = all_match({
  processors: [dup1179, dup1180, dup1181],
  on_success: processor_chain([dup1182, dup1183]),
});

var all204 = all_match({
  processors: [dup1184, dup1185],
  on_success: processor_chain([dup93, dup1186]),
});
// msg447..msg449 are catch-alls: each captures the whole payload as
// event_description and differs only in its on_success processors.
var msg447 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1187]),
});

var msg448 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup489, dup1188]),
});

var msg449 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup861, dup1189]),
});

var all205 = all_match({
  processors: [dup1190, dup4, dup1191],
  on_success: processor_chain([dup110, dup1192]),
});

// msg450 and msg451 share one tokenizer; only the on_success processors differ.
var msg450 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup168, dup1193]),
});

var msg451 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup597, dup1194]),
});

// Catch-all: whole payload captured as event_description.
var msg452 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup685, dup1195]),
});
// "Group = ..., IP = ..." messages. Each select below lists a multi-part
// all_match first and a single-tokenizer fallback second.
var all206 = all_match({
  processors: [dup12, dup4, dup1196],
  on_success: processor_chain([dup1019, dup1197]),
});

var msg453 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup1198]),
});

var select94 = linear_select([all206, msg453]);

var all207 = all_match({
  processors: [dup12, dup4, dup829],
  on_success: processor_chain([dup33, dup1199]),
});

// Same prefix as msg453, but the remainder is stored as "action".
var msg454 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{action}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup1200]),
});

var select95 = linear_select([all207, msg454]);

var all208 = all_match({
  processors: [dup1201, dup1202, dup1203],
  on_success: processor_chain([dup14, dup1204]),
});

var all209 = all_match({
  processors: [dup1205, dup4],
  on_success: processor_chain([dup81, dup1206]),
});

var all210 = all_match({
  processors: [dup12, dup4, dup1207],
  on_success: processor_chain([dup1019, dup1208]),
});

// SA deletion with its reference and tunnel counters (fld1, fld2).
var msg455 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{action} refCnt [%{fld1}] and tunnelCnt [%{fld2}] -- deleting SA!",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup1209]),
});

var select96 = linear_select([all210, msg455]);
// Hardware, local CA, PPP authentication and ICMP connection messages.
var msg456 = match({
  dissect: {
    tokenizer: "Power Supply %{dclass_counter1}: Failure Detected",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1210]),
});

var msg457 = match({
  dissect: {
    tokenizer: "Local CA Server certificate enrollment related info for user: %{username}. Info: %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1211]),
});

// The authentication outcome text is stored in the field named "disposition".
var msg458 = match({
  dissect: {
    tokenizer: "PPP virtual interface %{interface} - user: %{username} aaa authentication %{disposition}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup220, dup1212]),
});

// Catch-all: whole payload captured as event_description.
var msg459 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup1213]),
});

// all211..all215 all finish with dup288 followed by one pattern-specific
// processor; their sub-patterns are defined elsewhere in this file.
var all211 = all_match({
  processors: [dup1214, dup1215, dup1216, dup1217],
  on_success: processor_chain([dup288, dup1218]),
});

var all212 = all_match({
  processors: [dup1219, dup1220],
  on_success: processor_chain([dup288, dup1221]),
});

var all213 = all_match({
  processors: [dup1222, dup1223],
  on_success: processor_chain([dup288, dup1224]),
});

var all214 = all_match({
  processors: [dup1225, dup1226],
  on_success: processor_chain([dup288, dup1227]),
});

var all215 = all_match({
  processors: [dup1228, dup1229, dup1230, dup1231],
  on_success: processor_chain([dup288, dup1232]),
});

var msg460 = match({
  dissect: {
    tokenizer: "Built ICMP connection for faddr %{saddr} gaddr %{hostip} laddr %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup222, dup1233]),
});

// NOTE(review): alternatives are presumably tried in the listed order - confirm
// against linear_select before reordering.
var select97 = linear_select([all211, all212, all213, all214, all215, msg460]);
var msg461 = match({
  dissect: {
    tokenizer: "RIP hdr failed from %{saddr}: cmd=%{fld1}, version=%{fld2} domain=%{fld3} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup489, dup1234]),
});

// Catch-all: whole payload captured as event_description.
var msg462 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup20, dup1235]),
});

// all216 and all217 share their first two processors (dup518, dup519).
var all216 = all_match({
  processors: [dup518, dup519, dup1236],
  on_success: processor_chain([dup33, dup1237]),
});

var all217 = all_match({
  processors: [dup518, dup519, dup1238],
  on_success: processor_chain([dup33, dup1239]),
});

var select98 = linear_select([all216, all217]);

var msg463 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup58, dup1240]),
});

// Catch-all: whole payload captured as event_description.
var msg464 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup1241]),
});

// ESP packet rejected for bad IPsec padding: SPI, sequence number (fld2),
// peer addresses, user and the padding detail (fld3) are all extracted.
var msg465 = match({
  dissect: {
    tokenizer: "CRYPTO: Received an ESP packet (SPI = %{dst_spi}, sequence number= %{fld2}) from %{saddr} (user= %{username}) to %{daddr} with incorrect IPsec padding. (padding: %{fld3})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup343, dup1242]),
});

// Catch-all: whole payload captured as event_description.
var msg466 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1243]),
});

var msg467 = match({
  dissect: {
    tokenizer: "State machine return code: %{result}, %{resultcode}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1244]),
});
var all218 = all_match({
  processors: [dup1245, dup1246, dup1247],
  on_success: processor_chain([dup579, dup1248]),
});

// Sub-pattern: unlike the other match() calls here it reads nwparser.p2 (not
// nwparser.payload) and has no on_success chain. It is used as the last
// processor of all219.
var msg468 = match({
  dissect: {
    tokenizer: "%{icmptype} code %{icmpcode}",
    field: "nwparser.p2",
  },
});

var all219 = all_match({
  processors: [dup1249, dup1246, dup1250, msg468],
  on_success: processor_chain([dup579, dup1251]),
});

var all220 = all_match({
  processors: [dup1252, dup1246, dup1247],
  on_success: processor_chain([dup579, dup1253]),
});

var select99 = linear_select([all218, all219, all220]);

// Inbound connection with identity information; "\\" in the literal is a
// single backslash at run time, separating %{domain} from %{fld3}.
var msg469 = match({
  dissect: {
    tokenizer: "Built inbound %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport})(%{domain}\\%{fld3}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})(%{fld4}) (%{username})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup222, dup1254]),
});

var all221 = all_match({
  processors: [dup736, dup737, dup1255, dup1256],
  on_success: processor_chain([dup288, dup1257]),
});

var all222 = all_match({
  processors: [dup741, dup742],
  on_success: processor_chain([dup288, dup1258]),
});

var all223 = all_match({
  processors: [dup1259, dup1260, dup757, dup750, dup751],
  on_success: processor_chain([dup288, dup1261]),
});

var msg470 = match({
  dissect: {
    tokenizer: "Built %{protocol} connection %{connectionid} for %{sinterface} %{saddr}/%{sport} gaddr %{hostip}/%{network_port} %{dinterface} %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup222, dup1262]),
});

// NOTE(review): alternatives are presumably tried in the listed order - confirm
// against linear_select before reordering.
var select100 = linear_select([msg469, all221, all222, all223, msg470]);
var all224 = all_match({
  processors: [dup1263, dup1080, dup1264, dup161, dup1265],
  on_success: processor_chain([dup10, dup1266]),
});

var msg471 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1267]),
});

var all225 = all_match({
  processors: [dup1268, dup1044],
  on_success: processor_chain([dup285, dup1269]),
});

// "translation creation failed" variants: address-only with the literal word
// "protocol" (msg472), address/port pairs (msg473), and ICMP with type and
// code (msg474).
var msg472 = match({
  dissect: {
    tokenizer: "%{service} translation creation failed for protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1270]),
});

var msg473 = match({
  dissect: {
    tokenizer: "%{service} translation creation failed for %{protocol} src %{sinterface}:%{saddr}/%{sport} dst %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1271]),
});

var msg474 = match({
  dissect: {
    tokenizer: "%{service} translation creation failed for icmp src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1272]),
});

var select101 = linear_select([msg472, msg473, msg474]);
var all226 = all_match({
  processors: [dup249, dup250, dup1273],
  on_success: processor_chain([dup33, dup1274]),
});

// msg475 and msg476 share one tokenizer; only the on_success processors differ.
var msg475 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1275, dup1276]),
});

var msg476 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup253, dup1277]),
});

// Catch-all: whole payload captured as event_description.
var msg477 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup41, dup1278]),
});

var msg478 = match({
  dissect: {
    tokenizer: "(WebVPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1279]),
});

var msg479 = match({
  dissect: {
    tokenizer: "Dropping %{protocol} request from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} because: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup378, dup1280]),
});

// Denied IPv6-ICMP: msg480 is the longer form with the "(where ...)" suffix,
// msg481 the same text without it.
var msg480 = match({
  dissect: {
    tokenizer: "Denied IPv6-ICMP type=%{icmptype}, code=%{icmpcode} from %{saddr} on interface %{interface} (where %{fld3} was an IPv6 source address).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup486, dup1281]),
});

var msg481 = match({
  dissect: {
    tokenizer: "Denied IPv6-ICMP type=%{icmptype}, code=%{icmpcode} from %{saddr} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup486, dup1282]),
});

// Longer form listed first. NOTE(review): presumably first match wins; if so,
// swapping the order would fold the "(where ...)" suffix into %{interface}.
var select102 = linear_select([msg480, msg481]);
// Composite matcher assembled from the shared parts dup12, dup4 and dup1283
// (defined outside this excerpt).
// on_success chain: dup85, dup1284.
var all227 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup1283, | |
], | |
on_success: processor_chain([ | |
dup85, | |
dup1284, | |
]), | |
}); | |
// "Could not build portmap translation for <saddr>." - only saddr is
// extracted; the literal trailing period must be present for a match.
// on_success chain: dup489, dup1285.
var msg482 = match({ | |
dissect: { | |
tokenizer: "Could not build portmap translation for %{saddr}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup489, | |
dup1285, | |
]), | |
}); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup131, dup1286.
var msg483 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup1286, | |
]), | |
}); | |
// "<protocol> detected an attached application using local port <sport> and
// destination port <dport>". Only protocol and the two ports are extracted;
// the pattern carries no address.
// on_success chain: dup29, dup1287.
var msg484 = match({ | |
dissect: { | |
tokenizer: "%{protocol} detected an attached application using local port %{sport} and destination port %{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1287, | |
]), | |
}); | |
// "GTP Tunnel created from ... to ...": extracts interface, address and
// port for both the source and the destination side.
// on_success chain: dup357, dup1288.
var msg485 = match({ | |
dissect: { | |
tokenizer: "GTP Tunnel created from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup357, | |
dup1288, | |
]), | |
}); | |
// "failed to sync master key for password encryption, reason=<result>".
// The failure reason is the only extracted value.
// on_success chain: dup45, dup1289.
var msg486 = match({ | |
dissect: { | |
tokenizer: "failed to sync master key for password encryption, reason=%{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1289, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1290 and dup4
// (defined outside this excerpt).
// on_success chain: dup85, dup1291.
var all228 = all_match({ | |
processors: [ | |
dup1290, | |
dup4, | |
], | |
on_success: processor_chain([ | |
dup85, | |
dup1291, | |
]), | |
}); | |
// Signature-style message read from nwparser.payload: product, sigid,
// context, saddr, daddr and dinterface.
// on_success chain: dup168, dup1292.
var msg487 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup1292, | |
]), | |
}); | |
// "CRYPTO: The <product> encountered an error (<info>)": the error detail
// inside the parentheses goes to info.
// on_success chain: dup1121, dup1293.
var msg488 = match({ | |
dissect: { | |
tokenizer: "CRYPTO: The %{product} encountered an error (%{info})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1121, | |
dup1293, | |
]), | |
}); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup430, dup1294.
var msg489 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup430, | |
dup1294, | |
]), | |
}); | |
// Catch-all with the same tokenizer as msg489; only the on_success chain
// differs (dup47, dup1295).
var msg490 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup47, | |
dup1295, | |
]), | |
}); | |
// "IKE Initiator unable to find policy": extracts interface, saddr and
// daddr from the "Intf ..., Src: ..., Dst: ..." list.
// on_success chain: dup45, dup1296.
var msg491 = match({ | |
dissect: { | |
tokenizer: "IKE Initiator unable to find policy: Intf %{interface}, Src: %{saddr}, Dst: %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1296, | |
]), | |
}); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup106, dup1297.
var msg492 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup106, | |
dup1297, | |
]), | |
}); | |
// "(VPN-<context>) <text>": context is taken from inside the parentheses
// and the remainder goes to event_description.
// on_success chain: dup29, dup1298.
var msg493 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1298, | |
]), | |
}); | |
// "Discard IP fragment set with more than <fld1> elements": extracts the
// element limit (fld1), saddr, daddr, protocol and policy_id. The space key
// sits between the colon and "src", presumably to absorb padding.
// on_success chain: dup168, dup1299.
var msg494 = match({ | |
dissect: { | |
tokenizer: "Discard IP fragment set with more than %{fld1} elements: %{space} src = %{saddr}, dest = %{daddr}, proto = %{protocol}, id = %{policy_id}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup1299, | |
]), | |
}); | |
// Same tokenizer as msg493; only the on_success chain differs
// (dup58, dup1300).
var msg495 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
dup1300, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1301, dup1302 and
// dup1303 (defined outside this excerpt).
// on_success chain: dup93, dup1304.
var all229 = all_match({ | |
processors: [ | |
dup1301, | |
dup1302, | |
dup1303, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup1304, | |
]), | |
}); | |
// "VPNClient: NAT exemption configured for Network Extension Mode with split
// tunneling". The pattern ends in an empty key "%{}".
// NOTE(review): the empty key presumably discards the rest of the line, so
// the list of split tunnel networks is not kept in any field. Confirm.
// on_success chain: dup121, dup1305.
var msg496 = match({ | |
dissect: { | |
tokenizer: "VPNClient: NAT exemption configured for Network Extension Mode with split tunneling: Split Tunnel Networks:%{}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup121, | |
dup1305, | |
]), | |
}); | |
// "Group = <group>, IP = <saddr>,<info>": info starts directly after the
// second comma (the pattern has no space there) and takes the remainder.
// on_success chain: dup398, dup1306.
var msg497 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr},%{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup398, | |
dup1306, | |
]), | |
}); | |
// Signature-style message read from nwparser.payload: product, sigid,
// context, saddr, daddr and dinterface.
// on_success chain: dup168, dup1307.
var msg498 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup1307, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1308, dup1309 and
// dup1310 (defined outside this excerpt).
// on_success chain: dup285, dup1311.
var all230 = all_match({ | |
processors: [ | |
dup1308, | |
dup1309, | |
dup1310, | |
], | |
on_success: processor_chain([ | |
dup285, | |
dup1311, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1301, dup1302 and
// dup1303 (defined outside this excerpt).
// on_success chain: dup93, dup1312.
var all231 = all_match({ | |
processors: [ | |
dup1301, | |
dup1302, | |
dup1303, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup1312, | |
]), | |
}); | |
// First alternative of select103: parts dup321 and dup322.
// on_success chain: dup14, dup1313.
var all232 = all_match({ | |
processors: [ | |
dup321, | |
dup322, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup1313, | |
]), | |
}); | |
// Second alternative of select103: same second part (dup322) as all232, but
// it starts with dup324 instead of dup321.
// on_success chain: dup14, dup1314.
var all233 = all_match({ | |
processors: [ | |
dup324, | |
dup322, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup1314, | |
]), | |
}); | |
// Ordered alternatives all232, all233 (presumably tried in this order).
var select103 = linear_select([ | |
all232, | |
all233, | |
]); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup16, dup1315.
var msg499 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1315, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1316 and dup1317
// (defined outside this excerpt).
// on_success chain: dup14, dup1318.
var all234 = all_match({ | |
processors: [ | |
dup1316, | |
dup1317, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup1318, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1319, dup4 and
// dup1320 (defined outside this excerpt).
// on_success chain: dup767, dup1321.
var all235 = all_match({ | |
processors: [ | |
dup1319, | |
dup4, | |
dup1320, | |
], | |
on_success: processor_chain([ | |
dup767, | |
dup1321, | |
]), | |
}); | |
// "user-identity: [FQDN] <domain> resolved <hostip>": extracts the name and
// the address it resolved to. hostip is the last key and takes the rest of
// the line.
// on_success chain: dup1322, dup1323.
var msg500 = match({ | |
dissect: { | |
tokenizer: "user-identity: [FQDN] %{domain} resolved %{hostip}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1322, | |
dup1323, | |
]), | |
}); | |
// "Translation for <saddr> to <daddr>/<dport> denied by <direction>
// (destination is denied) <fld1>". No source port is present in this
// pattern.
// on_success chain: dup61, dup1324.
var msg501 = match({ | |
dissect: { | |
tokenizer: "Translation for %{saddr} to %{daddr}/%{dport} denied by %{direction} (destination is denied) %{fld1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1324, | |
]), | |
}); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup1325, dup1326.
var msg502 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1325, | |
dup1326, | |
]), | |
}); | |
// First alternative of select104: four parts (dup1327, dup1328, dup1329,
// dup1330), all defined outside this excerpt.
// on_success chain: dup579, dup1331.
var all236 = all_match({ | |
processors: [ | |
dup1327, | |
dup1328, | |
dup1329, | |
dup1330, | |
], | |
on_success: processor_chain([ | |
dup579, | |
dup1331, | |
]), | |
}); | |
// Second alternative of select104: shares dup1327 and dup1328 with all236
// and ends with dup1332 instead of dup1329 and dup1330.
// on_success chain: dup579, dup1333.
var all237 = all_match({ | |
processors: [ | |
dup1327, | |
dup1328, | |
dup1332, | |
], | |
on_success: processor_chain([ | |
dup579, | |
dup1333, | |
]), | |
}); | |
// Ordered alternatives all236, all237 (presumably tried in this order).
var select104 = linear_select([ | |
all236, | |
all237, | |
]); | |
// "Shared <protocol> license availability: <info>." - the literal trailing
// period must be present for a match.
// on_success chain: dup29, dup1334.
var msg503 = match({ | |
dissect: { | |
tokenizer: "Shared %{protocol} license availability: %{info}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1334, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1335 and dup1336
// (defined outside this excerpt).
// on_success chain: dup33, dup1337.
var all238 = all_match({ | |
processors: [ | |
dup1335, | |
dup1336, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1337, | |
]), | |
}); | |
// AnyConnect "session resumed" message: extracts group, username, saddr
// and the address the session resumed from (hostip).
// In the literal, \u003c is "<" and \u003e is ">": every value is preceded
// by TWO "<" characters but followed by a single ">".
// NOTE(review): if the device writes single angle brackets
// ("Group <name> User <user> ..."), this literal never matches and session
// resume events are not parsed by this matcher. The doubled "<" may be an
// escaping artefact of the generator. Confirm with a real sample before
// changing the string.
// on_success chain: dup61, dup1338.
var msg504 = match({ | |
dissect: { | |
tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e AnyConnect session resumed connection from IP \u003c\u003c%{hostip}\u003e", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1338, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup127, dup64 and
// dup1339 (defined outside this excerpt).
// on_success chain: dup68, dup1340.
var all239 = all_match({ | |
processors: [ | |
dup127, | |
dup64, | |
dup1339, | |
], | |
on_success: processor_chain([ | |
dup68, | |
dup1340, | |
]), | |
}); | |
// "SFR requested to drop <protocol> packet from ... to ...": extracts
// protocol plus interface, address and port for both sides.
// on_success chain: dup29, dup1341.
var msg505 = match({ | |
dissect: { | |
tokenizer: "SFR requested to drop %{protocol} packet from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1341, | |
]), | |
}); | |
// "Manager session limit exceeded. Connection request from <saddr> on
// interface <interface>": extracts the requesting address and the interface.
// on_success chain: dup349, dup1342.
var msg506 = match({ | |
dissect: { | |
tokenizer: "Manager session limit exceeded. Connection request from %{saddr} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup349, | |
dup1342, | |
]), | |
}); | |
// "Failed to save logging buffer ... to FTP server": extracts filename,
// hostip (the FTP server), interface and the bracketed result.
// on_success chain: dup45, dup1343.
var msg507 = match({ | |
dissect: { | |
tokenizer: "Failed to save logging buffer using file name %{filename} to FTP server %{hostip} on interface %{interface}: [%{result}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1343, | |
]), | |
}); | |
// First alternative of select105: five parts (dup1344, dup64, dup1345,
// dup1346, dup1347), all defined outside this excerpt.
// on_success chain: dup573, dup1348.
var all240 = all_match({ | |
processors: [ | |
dup1344, | |
dup64, | |
dup1345, | |
dup1346, | |
dup1347, | |
], | |
on_success: processor_chain([ | |
dup573, | |
dup1348, | |
]), | |
}); | |
// Second alternative of select105: shares dup64 and dup1346 with all240;
// the first, third and fifth parts differ (dup1349, dup65, dup1350).
// on_success chain: dup573, dup1351.
var all241 = all_match({ | |
processors: [ | |
dup1349, | |
dup64, | |
dup65, | |
dup1346, | |
dup1350, | |
], | |
on_success: processor_chain([ | |
dup573, | |
dup1351, | |
]), | |
}); | |
// Ordered alternatives all240, all241 (presumably tried in this order).
var select105 = linear_select([ | |
all240, | |
all241, | |
]); | |
// Composite matcher assembled from the shared parts dup127, dup64, dup1352,
// dup1353 and dup1354 (defined outside this excerpt).
// on_success chain: dup33, dup1355.
var all242 = all_match({ | |
processors: [ | |
dup127, | |
dup64, | |
dup1352, | |
dup1353, | |
dup1354, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1355, | |
]), | |
}); | |
// "(<context>) <text>": context is taken from inside the parentheses and
// the remainder goes to event_description.
// on_success chain: dup343, dup1356.
var msg508 = match({ | |
dissect: { | |
tokenizer: "(%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup343, | |
dup1356, | |
]), | |
}); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup1, dup1357.
var msg509 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1, | |
dup1357, | |
]), | |
}); | |
// Catch-all with the same tokenizer as msg509; only the on_success chain
// differs (dup29, dup1358).
var msg510 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1358, | |
]), | |
}); | |
// Catch-all with the same tokenizer as msg509; only the on_success chain
// differs (dup45, dup1359).
var msg511 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1359, | |
]), | |
}); | |
// "Teardown <context> translation" with ports: extracts context, interface,
// address and port for both sides, and duration.
// on_success chain: dup16, dup1360.
var msg512 = match({ | |
dissect: { | |
tokenizer: "Teardown %{context} translation from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1360, | |
]), | |
}); | |
// Same message without ports: extracts context, interface and address for
// both sides, and duration.
// on_success chain: dup16, dup1361.
var msg513 = match({ | |
dissect: { | |
tokenizer: "Teardown %{context} translation from %{sinterface}:%{saddr} to %{dinterface}:%{daddr} duration %{duration}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1361, | |
]), | |
}); | |
// Lists the form with ports (msg512) before the form without (msg513).
// NOTE(review): presumably the first matching alternative wins; with the
// order reversed the port-less pattern could accept lines that carry ports
// and leave "/<port>" attached to the addresses. Confirm.
var select106 = linear_select([ | |
msg512, | |
msg513, | |
]); | |
// "PPP virtual interface <interface> missing client <hostip> option":
// extracts the interface and the client address.
// on_success chain: dup378, dup1362.
var msg514 = match({ | |
dissect: { | |
tokenizer: "PPP virtual interface %{interface} missing client %{hostip} option", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup1362, | |
]), | |
}); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup378, dup1363.
var msg515 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup1363, | |
]), | |
}); | |
// Catch-all with the same tokenizer as msg515; only the on_success chain
// differs (dup1, dup1364).
var msg516 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1, | |
dup1364, | |
]), | |
}); | |
// "Group = <group>, IP = <saddr>, <text>: <duration> seconds.": extracts
// group, saddr, a free-text description and the duration before the literal
// " seconds." suffix.
// on_success chain: dup41, dup1365.
var msg517 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}: %{duration} seconds.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup41, | |
dup1365, | |
]), | |
}); | |
// "<direction> thread is awake (context=<context>).": the leading word is
// stored in direction and the value inside the parentheses in context.
// on_success chain: dup29, dup1366.
var msg518 = match({ | |
dissect: { | |
tokenizer: "%{direction} thread is awake (context=%{context}).", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1366, | |
]), | |
}); | |
// "Teardown stub <protocol> connection": extracts protocol, connectionid,
// interface/address/port for both sides, duration, bytes and a trailing
// info field that takes the rest of the line.
// on_success chain: dup16, dup1367.
var msg519 = match({ | |
dissect: { | |
tokenizer: "Teardown stub %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration} forwarded bytes %{bytes} %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1367, | |
]), | |
}); | |
// "PPP virtual interface <interface> - user: <username> aaa authentication
// started": extracts the interface and the user name.
// NOTE(review): username is presumably supplied by the connecting client;
// treat it as untrusted text wherever it is displayed or searched.
// on_success chain: dup220, dup1368.
var msg520 = match({ | |
dissect: { | |
tokenizer: "PPP virtual interface %{interface} - user: %{username} aaa authentication started", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup220, | |
dup1368, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup12, dup4 and dup829
// (defined outside this excerpt).
// on_success chain: dup14, dup1369.
var all243 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup829, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup1369, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1370 and dup1371
// (defined outside this excerpt).
// on_success chain: dup68, dup1372.
var all244 = all_match({ | |
processors: [ | |
dup1370, | |
dup1371, | |
], | |
on_success: processor_chain([ | |
dup68, | |
dup1372, | |
]), | |
}); | |
// "IP = <saddr>, <info>": extracts the peer address; everything after the
// comma goes to info.
// on_success chain: dup29, dup1373.
var msg521 = match({ | |
dissect: { | |
tokenizer: "IP = %{saddr}, %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1373, | |
]), | |
}); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup61, dup1374.
var msg522 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1374, | |
]), | |
}); | |
// "Group = <group>, IP = <saddr>, <action>: msg id = <fld1>": extracts
// group, saddr, the action text and the message id.
// on_success chain: dup16, dup1375.
var msg523 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, %{action}: msg id = %{fld1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1375, | |
]), | |
}); | |
// "IKE Initiator sending 3rd QM pkt: msg id = <fld1>": only the message id
// is extracted; this form carries no group or address.
// on_success chain: dup220, dup1376.
var msg524 = match({ | |
dissect: { | |
tokenizer: "IKE Initiator sending 3rd QM pkt: msg id = %{fld1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup220, | |
dup1376, | |
]), | |
}); | |
// Ordered alternatives msg523 (with group and address), then msg524
// (presumably tried in this order).
var select107 = linear_select([ | |
msg523, | |
msg524, | |
]); | |
// "Router <hostip_v6> on <interface> has conflicting ND (Neighbor Discovery)
// settings": extracts the router address (hostip_v6) and the interface.
// on_success chain: dup43, dup1377.
var msg525 = match({ | |
dissect: { | |
tokenizer: "Router %{hostip_v6} on %{interface} has conflicting ND (Neighbor Discovery) settings", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup43, | |
dup1377, | |
]), | |
}); | |
// "HTTP daemon interface <interface>: connection denied from <hostip>":
// extracts the interface and the denied client address (stored in hostip,
// not saddr).
// on_success chain: dup349, dup1378.
var msg526 = match({ | |
dissect: { | |
tokenizer: "HTTP daemon interface %{interface}: connection denied from %{hostip}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup349, | |
dup1378, | |
]), | |
}); | |
// "SSL lib error. Function: <info> Reason: <result>": extracts the function
// name into info and the reason into result. No peer address is present in
// this pattern.
// on_success chain: dup1, dup1379.
var msg527 = match({ | |
dissect: { | |
tokenizer: "SSL lib error. Function: %{info} Reason: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1, | |
dup1379, | |
]), | |
}); | |
// First alternative of select108: parts dup1380 and dup4 (defined outside
// this excerpt).
// on_success chain: dup334, dup1381.
var all245 = all_match({ | |
processors: [ | |
dup1380, | |
dup4, | |
], | |
on_success: processor_chain([ | |
dup334, | |
dup1381, | |
]), | |
}); | |
// Second alternative of select108: same second part (dup4) as all245, but
// it starts with dup1382 instead of dup1380.
// on_success chain: dup334, dup1383.
var all246 = all_match({ | |
processors: [ | |
dup1382, | |
dup4, | |
], | |
on_success: processor_chain([ | |
dup334, | |
dup1383, | |
]), | |
}); | |
// Ordered alternatives all245, all246 (presumably tried in this order).
var select108 = linear_select([ | |
all245, | |
all246, | |
]); | |
// "<process>: Freeing local pool address <hostip>": extracts the process
// name and the released address.
// on_success chain: dup29, dup1384.
var msg528 = match({ | |
dissect: { | |
tokenizer: "%{process}: Freeing local pool address %{hostip}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1384, | |
]), | |
}); | |
// Variant with a session id: "<process>: Session=<sessionid>, Freeing local
// pool address <hostip>".
// on_success chain: dup29, dup1385.
var msg529 = match({ | |
dissect: { | |
tokenizer: "%{process}: Session=%{sessionid}, Freeing local pool address %{hostip}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1385, | |
]), | |
}); | |
// Ordered alternatives msg528 (no session id), then msg529 (with session
// id); presumably tried in this order.
var select109 = linear_select([ | |
msg528, | |
msg529, | |
]); | |
// "TCP flow from ... to ... is skipped because <application> has failed":
// extracts interface, address and port for both sides plus the failed
// application name.
// on_success chain: dup369, dup1386.
var msg530 = match({ | |
dissect: { | |
tokenizer: "TCP flow from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} is skipped because %{application} has failed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup1386, | |
]), | |
}); | |
// "<direction> <protocol> connection denied" with an interface suffix:
// extracts direction, protocol, both address/port pairs, the flags text
// (fld1) and the interface.
// on_success chain: dup61, dup1387.
var msg531 = match({ | |
dissect: { | |
tokenizer: "%{direction} %{protocol} connection denied from %{saddr}/%{sport} to %{daddr}/%{dport} flags %{fld1} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1387, | |
]), | |
}); | |
// Same message without the " on interface ..." suffix. fld1 is the last key
// here and takes everything after "flags ".
// on_success chain: dup61, dup1388.
var msg532 = match({ | |
dissect: { | |
tokenizer: "%{direction} %{protocol} connection denied from %{saddr}/%{sport} to %{daddr}/%{dport} flags %{fld1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1388, | |
]), | |
}); | |
// Lists the form with the interface suffix (msg531) before the shorter form
// (msg532).
// NOTE(review): presumably the first matching alternative wins; with the
// order reversed the interface would end up inside fld1. Confirm.
var select110 = linear_select([ | |
msg531, | |
msg532, | |
]); | |
// "Translation for <hostip> denied by <direction> (source is denied)
// <fld1>": the address is stored in hostip, not saddr.
// on_success chain: dup61, dup1389.
var msg533 = match({ | |
dissect: { | |
tokenizer: "Translation for %{hostip} denied by %{direction} (source is denied) %{fld1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1389, | |
]), | |
}); | |
// Generic form without the "(source is denied)" text; fld1 takes the rest
// of the line after direction.
// on_success chain: dup61, dup1390.
var msg534 = match({ | |
dissect: { | |
tokenizer: "Translation for %{hostip} denied by %{direction} %{fld1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1390, | |
]), | |
}); | |
// Lists the specific form (msg533) before the generic one (msg534);
// presumably tried in this order, which keeps the generic pattern from
// swallowing the "(source is denied)" text into fld1.
var select111 = linear_select([ | |
msg533, | |
msg534, | |
]); | |
// "Deny IP teardrop fragment (size = <fld1>, offset = <fld2>) from <saddr>
// to <daddr>": extracts fragment size and offset into the generic fields
// fld1 and fld2, plus both addresses.
// on_success chain: dup170, dup1391.
var msg535 = match({ | |
dissect: { | |
tokenizer: "Deny IP teardrop fragment (size = %{fld1}, offset = %{fld2}) from %{saddr} to %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup170, | |
dup1391, | |
]), | |
}); | |
// "Teardown GRE connection": extracts connectionid, interface and address
// for both sides, duration and bytes. Only the destination side has a port
// key (dport) in this pattern.
// on_success chain: dup483, dup1392.
var msg536 = match({ | |
dissect: { | |
tokenizer: "Teardown GRE connection %{connectionid} from %{sinterface}:%{saddr} to %{dinterface}:%{daddr}/%{dport} duration %{duration} bytes %{bytes}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup483, | |
dup1392, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1393, dup540 and
// dup1394 (defined outside this excerpt).
// on_success chain: dup125, dup1395.
var all247 = all_match({ | |
processors: [ | |
dup1393, | |
dup540, | |
dup1394, | |
], | |
on_success: processor_chain([ | |
dup125, | |
dup1395, | |
]), | |
}); | |
// "VPNClient: Disconnecting from head end and uninstalling previously
// downloaded policy": the head-end address is the only extracted value
// (hostip).
// on_success chain: dup483, dup1396.
var msg537 = match({ | |
dissect: { | |
tokenizer: "VPNClient: Disconnecting from head end and uninstalling previously downloaded policy: Head End : %{hostip}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup483, | |
dup1396, | |
]), | |
}); | |
// "Certificate was successfully validated": extracts result, serial_number
// and cert_subject. cert_subject is the last key and takes the rest of the
// line.
// NOTE(review): the subject text presumably comes from the presented
// certificate; treat it as untrusted input in downstream display and search.
// on_success chain: dup1397, dup1398.
var msg538 = match({ | |
dissect: { | |
tokenizer: "Certificate was successfully validated. %{result} serial number: %{serial_number}, subject name: %{cert_subject}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1397, | |
dup1398, | |
]), | |
}); | |
// "Call-Home Module started" followed by an empty key "%{}"; no named field
// is extracted by this pattern.
// on_success chain: dup29, dup1399.
var msg539 = match({ | |
dissect: { | |
tokenizer: "Call-Home Module started%{}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1399, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1400, dup1401 and
// dup1402 (defined outside this excerpt).
// on_success chain: dup14, dup1403.
var all248 = all_match({ | |
processors: [ | |
dup1400, | |
dup1401, | |
dup1402, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup1403, | |
]), | |
}); | |
// "(VPN-<context>) <text>: <info>": context from inside the parentheses,
// then a description up to ": " and the remainder in info.
// on_success chain: dup29, dup1404.
var msg540 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}: %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1404, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1405, dup1406 and
// dup1407 (defined outside this excerpt).
// on_success chain: dup33, dup1408.
var all249 = all_match({ | |
processors: [ | |
dup1405, | |
dup1406, | |
dup1407, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1408, | |
]), | |
}); | |
// "IKEv1 was unsuccessful at setting up a tunnel": extracts the map tag
// (info) and the map sequence number (dclass_counter1). No peer address is
// present in this pattern.
// on_success chain: dup45, dup1409.
var msg541 = match({ | |
dissect: { | |
tokenizer: "IKEv1 was unsuccessful at setting up a tunnel. Map Tag = %{info}. Map Sequence Number = %{dclass_counter1}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1409, | |
]), | |
}); | |
// Generalised form of msg541: the leading word is captured as node instead
// of being the literal "IKEv1".
// on_success chain: dup45, dup1410.
var msg542 = match({ | |
dissect: { | |
tokenizer: "%{node} was unsuccessful at setting up a tunnel. Map Tag = %{info}. Map Sequence Number = %{dclass_counter1}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1410, | |
]), | |
}); | |
// Lists the literal "IKEv1" form (msg541) before the generic one (msg542);
// presumably tried in this order.
var select112 = linear_select([ | |
msg541, | |
msg542, | |
]); | |
// "Connection denied src <saddr> dest <daddr> due to JAVA Applet on
// interface <interface>": extracts both addresses and the interface.
// on_success chain: dup486, dup1411.
var msg543 = match({ | |
dissect: { | |
tokenizer: "Connection denied src %{saddr} dest %{daddr} due to JAVA Applet on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup486, | |
dup1411, | |
]), | |
}); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup378, dup1412.
var msg544 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup1412, | |
]), | |
}); | |
// "Pre-allocate SIP <fld1> secondary channel": extracts fld1, the source
// interface/address/port, the destination interface/address (no destination
// port key) and the message type text (info).
// on_success chain: dup16, dup1413.
var msg545 = match({ | |
dissect: { | |
tokenizer: "Pre-allocate SIP %{fld1} secondary channel for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr} from %{info} message", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1413, | |
]), | |
}); | |
// First alternative of select113: parts dup664, dup1071 and dup1072
// (defined outside this excerpt).
// on_success chain: dup10, dup1414.
var all250 = all_match({ | |
processors: [ | |
dup664, | |
dup1071, | |
dup1072, | |
], | |
on_success: processor_chain([ | |
dup10, | |
dup1414, | |
]), | |
}); | |
// "IKE got a KEY_ADD msg for SA: SPI = <dst_spi>": the SPI value is the
// only extracted field.
// on_success chain: dup1415, dup1416.
var msg546 = match({ | |
dissect: { | |
tokenizer: "IKE got a KEY_ADD msg for SA: SPI = %{dst_spi}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1415, | |
dup1416, | |
]), | |
}); | |
// Ordered alternatives all250, msg546 (presumably tried in this order).
var select113 = linear_select([ | |
all250, | |
msg546, | |
]); | |
// "Device chooses cipher : <fld1> for the SSL session with client
// <interface>:<hostip>/<network_port>". Note the literal " : " after
// "cipher"; the client is stored in hostip/network_port.
// on_success chain: dup29, dup1417.
var msg547 = match({ | |
dissect: { | |
tokenizer: "Device chooses cipher : %{fld1} for the SSL session with client %{interface}:%{hostip}/%{network_port}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1417, | |
]), | |
}); | |
// Variant without the colon after "cipher" and with a destination:
// client side in sinterface/saddr/sport, destination in daddr/dport.
// on_success chain: dup29, dup1418.
var msg548 = match({ | |
dissect: { | |
tokenizer: "Device chooses cipher %{fld1} for the SSL session with client %{sinterface}:%{saddr}/%{sport} to %{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1418, | |
]), | |
}); | |
// Ordered alternatives msg547, msg548 (presumably tried in this order).
// NOTE(review): the two forms store the client address in different fields
// (hostip vs saddr); queries on negotiated ciphers per client need to look
// at both. network_port is the last key of msg547 and would also absorb a
// " to <addr>/<port>" tail if a colon-form line ever carried one. Confirm
// with samples.
var select114 = linear_select([ | |
msg547, | |
msg548, | |
]); | |
// Sub-pattern read from nwparser.p5 (not nwparser.payload): "<severity>,
// category: <result>". It has no on_success chain of its own and is used as
// the last part of all251 below.
var msg549 = match({ | |
dissect: { | |
tokenizer: "%{severity}, category: %{result}", | |
field: "nwparser.p5", | |
}, | |
}); | |
// Composite matcher assembled from the shared parts dup249, dup250, dup452,
// dup453, dup1419 and dup1420 (defined outside this excerpt), followed by
// msg549.
// on_success chain: dup33, dup1421.
var all251 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup452, | |
dup453, | |
dup1419, | |
dup1420, | |
msg549, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1421, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1422 and dup1423
// (defined outside this excerpt).
// on_success chain: dup285, dup1424.
var all252 = all_match({ | |
processors: [ | |
dup1422, | |
dup1423, | |
], | |
on_success: processor_chain([ | |
dup285, | |
dup1424, | |
]), | |
}); | |
// Composite matcher assembled from seven shared parts: dup127, dup64, dup65,
// dup66, dup498, dup499 and dup1425 (defined outside this excerpt).
// on_success chain: dup68, dup1426.
var all253 = all_match({ | |
processors: [ | |
dup127, | |
dup64, | |
dup65, | |
dup66, | |
dup498, | |
dup499, | |
dup1425, | |
], | |
on_success: processor_chain([ | |
dup68, | |
dup1426, | |
]), | |
}); | |
// "Translation built for gaddr <hostip> to laddr <daddr>": the address after
// "gaddr" is stored in hostip and the one after "laddr" in daddr.
// on_success chain: dup16, dup1427.
var msg550 = match({ | |
dissect: { | |
tokenizer: "Translation built for gaddr %{hostip} to laddr %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1427, | |
]), | |
}); | |
// "Deny <protocol> reverse path check from <saddr> to <daddr> on interface
// <interface>": extracts protocol, both addresses and the interface.
// on_success chain: dup168, dup1428.
var msg551 = match({ | |
dissect: { | |
tokenizer: "Deny %{protocol} reverse path check from %{saddr} to %{daddr} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup1428, | |
]), | |
}); | |
// Signature-style message read from nwparser.payload: product, sigid,
// context, saddr, daddr and dinterface.
// on_success chain: dup1275, dup1429.
var msg552 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1275, | |
dup1429, | |
]), | |
}); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup16, dup1430.
var msg553 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1430, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup12, dup4 and dup1431
// (defined outside this excerpt).
// on_success chain: dup1432, dup1433.
var all254 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup1431, | |
], | |
on_success: processor_chain([ | |
dup1432, | |
dup1433, | |
]), | |
}); | |
// "(<context>) <text>": context is taken from inside the parentheses and
// the remainder goes to event_description.
// on_success chain: dup861, dup1434.
var msg554 = match({ | |
dissect: { | |
tokenizer: "(%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup861, | |
dup1434, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1435, dup4 and
// dup1436 (defined outside this excerpt).
// on_success chain: dup110, dup1437.
var all255 = all_match({ | |
processors: [ | |
dup1435, | |
dup4, | |
dup1436, | |
], | |
on_success: processor_chain([ | |
dup110, | |
dup1437, | |
]), | |
}); | |
// "Phone Proxy SRTP: Media session not found": extracts the media endpoint
// (hostip/network_port) and the packet's interface, address and port for
// both sides.
// on_success chain: dup16, dup1438.
var msg555 = match({ | |
dissect: { | |
tokenizer: "Phone Proxy SRTP: Media session not found for %{hostip}/%{network_port} for packet from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1438, | |
]), | |
}); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup58, dup1439.
var msg556 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
dup1439, | |
]), | |
}); | |
// "IPFRAG: First Frag have not been seen <saddr> to <daddr>": extracts both
// addresses. The wording of the literal is part of the match and must stay
// as written.
// on_success chain: dup137, dup1440.
var msg557 = match({ | |
dissect: { | |
tokenizer: "IPFRAG: First Frag have not been seen %{saddr} to %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup137, | |
dup1440, | |
]), | |
}); | |
// "PPP virtual interface <interface> requires mschap for MPPE": only the
// interface is extracted.
// on_success chain: dup45, dup1441.
var msg558 = match({ | |
dissect: { | |
tokenizer: "PPP virtual interface %{interface} requires mschap for MPPE", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1441, | |
]), | |
}); | |
// Sub-pattern read from nwparser.p0 (not nwparser.payload): "<saddr>,
// <action> [<fld1>]". It has no on_success chain of its own and is used as
// the second part of all256 below.
var msg559 = match({ | |
dissect: { | |
tokenizer: "%{saddr}, %{action} [%{fld1}]", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Composite matcher: shared part dup1442 (defined outside this excerpt)
// followed by msg559.
// on_success chain: dup55, dup1443.
var all256 = all_match({ | |
processors: [ | |
dup1442, | |
msg559, | |
], | |
on_success: processor_chain([ | |
dup55, | |
dup1443, | |
]), | |
}); | |
// "IP = <saddr>, Received <protocol> Aggressive Mode message <fld1> with
// unknown tunnel group name '<group>'.": extracts the peer address,
// protocol, fld1 and the quoted group name.
// NOTE(review): per the message text the group name is taken from a received
// message and is unknown to the device, so treat the group field as
// untrusted input in dashboards and alert text.
// on_success chain: dup29, dup1444.
var msg560 = match({ | |
dissect: { | |
tokenizer: "IP = %{saddr}, Received %{protocol} Aggressive Mode message %{fld1} with unknown tunnel group name '%{group}'.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1444, | |
]), | |
}); | |
// "Could not build translation for <saddr>." - only saddr is extracted; the
// literal trailing period must be present for a match.
// on_success chain: dup61, dup1445.
var msg561 = match({ | |
dissect: { | |
tokenizer: "Could not build translation for %{saddr}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1445, | |
]), | |
}); | |
// "<sigid> HTTP Transfer encoding violation detected": extracts sigid,
// listnum, protocol and both addresses.
// on_success chain: dup27, dup1446.
var msg562 = match({ | |
dissect: { | |
tokenizer: "%{sigid} HTTP Transfer encoding violation detected - %{listnum} %{protocol} Transfer encoding not allowed from %{saddr} to %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup27, | |
dup1446, | |
]), | |
}); | |
// Composite matcher assembled from nine shared parts: dup127, dup64, dup65,
// dup66, dup498, dup499, dup1447, dup501 and dup1448 (defined outside this
// excerpt).
// on_success chain: dup68, dup1449.
var all257 = all_match({ | |
processors: [ | |
dup127, | |
dup64, | |
dup65, | |
dup66, | |
dup498, | |
dup499, | |
dup1447, | |
dup501, | |
dup1448, | |
], | |
on_success: processor_chain([ | |
dup68, | |
dup1449, | |
]), | |
}); | |
// "[<obj_name>] <action>. <info>": the bracketed name goes to obj_name, the
// text up to ". " to action and the remainder to info.
// on_success chain: dup45, dup1450.
var msg563 = match({ | |
dissect: { | |
tokenizer: "[%{obj_name}] %{action}. %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1450, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1451, dup1452 and
// dup1453 (defined outside this excerpt).
// on_success chain: dup285, dup1454.
var all258 = all_match({ | |
processors: [ | |
dup1451, | |
dup1452, | |
dup1453, | |
], | |
on_success: processor_chain([ | |
dup285, | |
dup1454, | |
]), | |
}); | |
// First alternative of select115: parts dup12, dup4 and dup1455 (defined
// outside this excerpt).
// on_success chain: dup33, dup1456.
var all259 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup1455, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1456, | |
]), | |
}); | |
// "Group = <group>, IP = <saddr>, IKE Remote Peer configured for crypto map:
// <fld1>": extracts group, the peer address and the crypto map name (fld1).
// on_success chain: dup16, dup1457.
var msg564 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, IKE Remote Peer configured for crypto map: %{fld1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1457, | |
]), | |
}); | |
// Ordered alternatives all259, msg564 (presumably tried in this order).
var select115 = linear_select([ | |
all259, | |
msg564, | |
]); | |
// Signature-style message read from nwparser.payload: product, sigid,
// context, saddr, daddr and dinterface.
// on_success chain: dup168, dup1458.
var msg565 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup1458, | |
]), | |
}); | |
// "<action> from ... to ... with different initial sequence number":
// the leading text goes to action, followed by interface, address and port
// for both sides.
// on_success chain: dup168, dup1459.
var msg566 = match({ | |
dissect: { | |
tokenizer: "%{action} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} with different initial sequence number", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup1459, | |
]), | |
}); | |
// "Cleared TCP urgent flag from ... to ...": extracts interface, address
// and port for both sides.
// on_success chain: dup29, dup1460.
var msg567 = match({ | |
dissect: { | |
tokenizer: "Cleared TCP urgent flag from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1460, | |
]), | |
}); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup232, dup1461.
var msg568 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup232, | |
dup1461, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup12, dup4 and dup829
// (defined outside this excerpt).
// on_success chain: dup33, dup1462.
var all260 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup829, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1462, | |
]), | |
}); | |
// "(VPN-<context>) <text>": context is taken from inside the parentheses
// and the remainder goes to event_description.
// on_success chain: dup131, dup1463.
var msg569 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup1463, | |
]), | |
}); | |
// "SSL client <interface>:<hostip>/<network_port> proposes the following
// <fld1> cipher(s)." - short form; the literal ends with a period.
// on_success chain: dup16, dup1464.
var msg570 = match({ | |
dissect: { | |
tokenizer: "SSL client %{interface}:%{hostip}/%{network_port} proposes the following %{fld1} cipher(s).", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1464, | |
]), | |
}); | |
// Long form with a destination: client side in sinterface/saddr/sport,
// destination in daddr/dport. The literal has no trailing period.
// on_success chain: dup16, dup1465.
var msg571 = match({ | |
dissect: { | |
tokenizer: "SSL client %{sinterface}:%{saddr}/%{sport} to %{daddr}/%{dport} proposes the following %{fld1} cipher(s)", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1465, | |
]), | |
}); | |
// Lists the short form (msg570) before the long form (msg571).
// NOTE(review): the only thing that keeps msg570 from accepting a long-form
// line is its trailing period. If a long-form line ever ends with ".",
// msg570 would presumably match first, network_port would absorb
// " to <daddr>/<dport>" and the destination would not be extracted. Confirm
// with a sample of each form, or list msg571 first.
var select116 = linear_select([ | |
msg570, | |
msg571, | |
]); | |
// "Deny <direction> protocol <protocol> src ... dst ...": form with the
// literal word "protocol"; extracts direction, protocol and interface and
// address for both sides (no ports).
// on_success chain: dup61, dup1466.
var msg572 = match({ | |
dissect: { | |
tokenizer: "Deny %{direction} protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1466, | |
]), | |
}); | |
// ICMP form: the literal "icmp" replaces the protocol key, and icmptype and
// icmpcode are read from the parenthesised tail. This pattern does not set
// a protocol field itself.
// on_success chain: dup61, dup1467.
var msg573 = match({ | |
dissect: { | |
tokenizer: "Deny %{direction} icmp src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1467, | |
]), | |
}); | |
// Form with ports: direction, protocol and interface, address and port for
// both sides.
// on_success chain: dup61, dup1468.
var msg574 = match({ | |
dissect: { | |
tokenizer: "Deny %{direction} %{protocol} src %{sinterface}:%{saddr}/%{sport} dst %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1468, | |
]), | |
}); | |
// Form without ports and without the literal word "protocol".
// on_success chain: dup61, dup1469.
var msg575 = match({ | |
dissect: { | |
tokenizer: "Deny %{direction} %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1469, | |
]), | |
}); | |
// Ordered alternatives for the "Deny <direction> ..." family, most specific
// literals first: "protocol" form, ICMP form, form with ports, form without
// ports.
// NOTE(review): presumably the first matching alternative wins. msg575 is
// the least specific and must stay last; placed earlier it would presumably
// also accept the ICMP form and put the "(type ..., code ...)" tail into
// daddr. Confirm.
var select117 = linear_select([ | |
msg572, | |
msg573, | |
msg574, | |
msg575, | |
]); | |
// Catch-all: the whole of nwparser.payload is stored in event_description;
// no structured fields are extracted.
// on_success chain: dup29, dup1470.
var msg576 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1470, | |
]), | |
}); | |
// First alternative of select118: parts dup1471, dup1472 and dup1473
// (defined outside this excerpt).
// on_success chain: dup33, dup1474.
var all261 = all_match({ | |
processors: [ | |
dup1471, | |
dup1472, | |
dup1473, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1474, | |
]), | |
}); | |
// Second alternative of select118: shares dup1471 and dup1472 with all261
// and ends with dup1475 instead of dup1473.
// on_success chain: dup33, dup1476.
var all262 = all_match({ | |
processors: [ | |
dup1471, | |
dup1472, | |
dup1475, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1476, | |
]), | |
}); | |
// Ordered alternatives all261, all262 (presumably tried in this order).
var select118 = linear_select([ | |
all261, | |
all262, | |
]); | |
// "Identified client certificate within certificate chain": extracts
// serial_number and cert_subject. cert_subject is the last key and takes
// the rest of the line.
// NOTE(review): the subject text presumably comes from the client's
// certificate; treat it as untrusted input in downstream display and search.
// on_success chain: dup220, dup1477.
var msg577 = match({ | |
dissect: { | |
tokenizer: "Identified client certificate within certificate chain. serial number: %{serial_number}, subject name: %{cert_subject}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup220, | |
dup1477, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1478 and dup1479
// (defined outside this excerpt).
// on_success chain: dup14, dup1480.
var all263 = all_match({ | |
processors: [ | |
dup1478, | |
dup1479, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup1480, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup238, dup1481 and
// dup1482 (defined outside this excerpt).
// on_success chain: dup14, dup1483.
var all264 = all_match({ | |
processors: [ | |
dup238, | |
dup1481, | |
dup1482, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup1483, | |
]), | |
}); | |
// Composite matcher assembled from the shared parts dup1484 and dup4
// (defined outside this excerpt).
// on_success chain: dup141, dup1485.
var all265 = all_match({ | |
processors: [ | |
dup1484, | |
dup4, | |
], | |
on_success: processor_chain([ | |
dup141, | |
dup1485, | |
]), | |
}); | |
// "Acknowledge for arp update for IP address <daddr> not received
// (<count>).": extracts the address and the parenthesised count.
// on_success chain: dup45, dup1486.
var msg578 = match({ | |
dissect: { | |
tokenizer: "Acknowledge for arp update for IP address %{daddr} not received (%{count}).", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1486, | |
]), | |
}); | |
// "The subject name of the peer cert is not allowed for connection"
// followed by an empty key "%{}"; no named field is extracted, so neither
// the peer address nor the rejected subject is available from this matcher.
// on_success chain: dup45, dup1487.
var msg579 = match({ | |
dissect: { | |
tokenizer: "The subject name of the peer cert is not allowed for connection%{}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1487, | |
]), | |
}); | |
// Ordered alternatives msg578, msg579 (presumably tried in this order). The
// two literals describe unrelated events (ARP update vs peer certificate).
var select119 = linear_select([ | |
msg578, | |
msg579, | |
]); | |
var msg580 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup1488, | |
]), | |
}); | |
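// Generated parser stages for Cisco ASA syslog payloads (access-list hits,
// CPU utilisation, ping and RIP authentication messages). The helpers and
// the dupN stages are defined outside this excerpt.
var all266 = all_match({
  processors: [dup127, dup64, dup866],
  on_success: processor_chain([dup867, dup1489]),
});
// "-\u003e" is the escaped form of "->". username is taken from between the
// single quotes of the log line; it is user-supplied text, so downstream
// consumers should treat it as untrusted.
var msg581 = match({
  dissect: {
    tokenizer: "access-list %{listnum} %{action} %{protocol} for user '%{username}' %{sinterface}/%{saddr}(%{sport}) -\u003e %{dinterface}/%{daddr}(%{dport}) hit-cnt %{dclass_counter1} %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup222, dup1490]),
});
// Variant without action/user. NOTE(review): unlike msg581 it has no trailing
// %{info}; check sample logs for text after the hit count.
var msg582 = match({
  dissect: {
    tokenizer: "access-list %{listnum} %{protocol} %{sinterface}/%{saddr}(%{sport}) -\u003e %{dinterface}/%{daddr}(%{dport}) hit-cnt %{dclass_counter1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup222, dup1491]),
});
// The more specific pattern is listed first (presumably tried in order).
var select120 = linear_select([msg581, msg582]);
var msg583 = match({
  dissect: {
    tokenizer: "System CPU utilization reached %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1492, dup1493]),
});
var all267 = all_match({
  processors: [dup648, dup208, dup1494],
  on_success: processor_chain([dup55, dup1495]),
});
// Catch-all: the whole payload is stored as event_description.
var msg584 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1496]),
});
var msg585 = match({
  dissect: {
    tokenizer: "%{saddr} attempted to ping %{daddr}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup1497]),
});
// Routing-protocol authentication failure; saddr is the advertising peer.
var msg586 = match({
  dissect: {
    tokenizer: "RIP auth failed from %{saddr}: version=%{fld1}, type=%{fld2}, mode=%{fld3}, sequence=%{fld4} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup891, dup1498]),
});
var select121 = linear_select([msg585, msg586]);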
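// Generated parser stages for Cisco ASA syslog payloads. The helpers
// (match, all_match, linear_select, processor_chain) and the dupN stages are
// defined outside this excerpt.
var all268 = all_match({
  processors: [dup1499, dup1500, dup1501],
  on_success: processor_chain([dup528, dup1502]),
});
// msg587 and msg588 dissect identically (whole payload -> event_description);
// they differ only in the on_success stages they run.
var msg587 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup1503]),
});
var msg588 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup1504]),
});
var msg589 = match({
  dissect: {
    tokenizer: "Resource %{fld1} log level of %{fld2} reached.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1505]),
});
var all269 = all_match({
  processors: [dup249, dup250, dup1506],
  on_success: processor_chain([dup33, dup1507]),
});
// NOTE(review): there is no space on either side of %{fld1} ("slot%{fld1}is").
// Verify against a real device message before relying on this pattern.
var msg590 = match({
  dissect: {
    tokenizer: "Module in slot%{fld1}is not able to shut down. %{space} Module Error: %{fld2} %{fld3}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1508]),
});
var all270 = all_match({
  processors: [dup1509, dup4],
  on_success: processor_chain([dup89, dup1510]),
});
var all271 = all_match({
  processors: [dup1511, dup1512],
  on_success: processor_chain([dup89, dup1513]),
});
var select122 = linear_select([all270, all271]);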
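// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var msg591 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup378, dup1514]),
});
// all272/all273 share their first two stages and differ in the third.
var all272 = all_match({
  processors: [dup1515, dup1516, dup1517],
  on_success: processor_chain([dup33, dup1518]),
});
var all273 = all_match({
  processors: [dup1515, dup1516, dup1519],
  on_success: processor_chain([dup33, dup1520]),
});
var select123 = linear_select([all272, all273]);
var all274 = all_match({
  processors: [dup1521, dup1522, dup1523],
  on_success: processor_chain([dup14, dup1524]),
});
var msg592 = match({
  dissect: {
    tokenizer: "Failed to save logging buffer to flash:/syslog directory using filename: %{filename}: [%{result}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1525]),
});
// HTTP inspection event. The quoted value is stored in the `protocol` key.
// NOTE(review): per the message text this looks like the offending HTTP
// extension method; confirm the key choice. It originates from request data
// and should be treated as untrusted.
var msg593 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP Extension method illegal - %{listnum} '%{protocol}' from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup27, dup1526]),
});
var all275 = all_match({
  processors: [dup1527, dup352],
  on_success: processor_chain([dup33, dup1528]),
});
var all276 = all_match({
  processors: [dup1529, dup1530],
  on_success: processor_chain([dup14, dup1531]),
});
var select124 = linear_select([all275, all276]);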
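// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var msg594 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup343, dup1532]),
});
var msg595 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup1533]),
});
var all277 = all_match({
  processors: [dup1534, dup1535, dup1536],
  on_success: processor_chain([dup68, dup1537]),
});
// NOTE(review): the literal contains a space before the comma after
// %{saddr} ("%{saddr} ,"); confirm the device really emits it.
var msg596 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr} , %{action}:%{info} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1538]),
});
var all278 = all_match({
  processors: [dup12, dup4, dup1539],
  on_success: processor_chain([dup1540, dup1541]),
});
var msg597 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup680, dup1542]),
});
var all279 = all_match({
  processors: [dup664, dup665, dup666],
  on_success: processor_chain([dup33, dup1543]),
});
var all280 = all_match({
  processors: [dup1544, dup64, dup65, dup360, dup1545],
  on_success: processor_chain([dup285, dup1546]),
});
var all281 = all_match({
  processors: [dup648, dup208, dup1547],
  on_success: processor_chain([dup55, dup1548]),
});
var all282 = all_match({
  processors: [dup99, dup1549],
  on_success: processor_chain([dup55, dup1550]),
});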
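// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var msg598 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description} (reason code = %{resultcode}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup858, dup1551]),
});
var msg599 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1552]),
});
var msg600 = match({
  dissect: {
    tokenizer: "Deny traffic for local-host %{interface}:%{hostip}, license limit of %{fld1} exceeded",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup258, dup1553]),
});
var all283 = all_match({
  processors: [dup1554, dup1555, dup1556],
  on_success: processor_chain([dup1557, dup1558]),
});
var all284 = all_match({
  processors: [dup1559, dup1560, dup1561],
  on_success: processor_chain([dup33, dup1562]),
});
// TLS negotiation telemetry: fld1 is the number of ciphers the device
// offered. NOTE(review): an unnamed fldN key makes the count hard to query;
// consider a named mapping if cipher auditing matters.
var msg601 = match({
  dissect: {
    tokenizer: "Device proposes %{fld1} cipher(s) to server %{interface}:%{hostip}/%{network_port}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup1563]),
});
var select125 = linear_select([all284, msg601]);
var msg602 = match({
  dissect: {
    tokenizer: "Call-Home %{info} message to %{web_host} delivered",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1564]),
});
var msg603 = match({
  dissect: {
    tokenizer: "Received KEEPALIVE response from [%{saddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1565]),
});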
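// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var all285 = all_match({
  processors: [dup1566, dup1567, dup1568],
  on_success: processor_chain([dup767, dup1569]),
});
// NOTE(review): the received URL byte count is stored under the key
// `priority`; confirm this mapping is intended before alerting on it.
var msg604 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP URL Length exceeded. Received %{priority} byte URL - %{listnum} URI length exceeded from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup27, dup1570]),
});
var msg605 = match({
  dissect: {
    tokenizer: "VPNClient: Head end : %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup357, dup1571]),
});
var msg606 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Tunnel Rejected: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1572]),
});
// NOTE(review): "ip_addr" is matched as literal text. If the device prints
// an actual GSN address at that position this pattern will never match;
// check against sample logs.
var msg607 = match({
  dissect: {
    tokenizer: "GSN ip_addr tunnel limit %{fld1} exceeded, PDP Context TID %{fld2} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1573]),
});
var msg608 = match({
  dissect: {
    tokenizer: "LU SMNAME error = %{resultcode}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1574]),
});
// url is request data chosen by the client. The field boundaries depend on
// the literal " SRC " and " DEST " separators, so consumers should validate
// that saddr/daddr parse as IP addresses rather than trusting the split.
var msg609 = match({
  dissect: {
    tokenizer: "Access denied URL %{url} SRC %{saddr} DEST %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup486, dup1575]),
});
// Fallback without addresses: everything after "URL " becomes url.
var msg610 = match({
  dissect: {
    tokenizer: "Access denied URL %{url}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup486, dup1576]),
});
// Specific form first, fallback second (presumably tried in order).
var select126 = linear_select([msg609, msg610]);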
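// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var all286 = all_match({
  processors: [dup1577, dup603],
  on_success: processor_chain([dup1540, dup1578]),
});
// all287/all288 share their first two stages and differ in the third.
var all287 = all_match({
  processors: [dup1471, dup824, dup655],
  on_success: processor_chain([dup33, dup1579]),
});
var all288 = all_match({
  processors: [dup1471, dup824, dup653],
  on_success: processor_chain([dup33, dup1580]),
});
var select127 = linear_select([all287, all288]);
// Fixed-text message; the trailing %{} captures nothing.
var msg611 = match({
  dissect: {
    tokenizer: "Power Supply Unit Redundancy Lost%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1581]),
});
var msg612 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup220, dup1582]),
});
var all289 = all_match({
  processors: [dup1583, dup322],
  on_success: processor_chain([dup14, dup1584]),
});
var all290 = all_match({
  processors: [dup324, dup322],
  on_success: processor_chain([dup14, dup1585]),
});
var select128 = linear_select([all289, all290]);
// Signature-style event: product, signature id, free-text context, then the
// two endpoints and the interface.
var msg613 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup168, dup1586]),
});
var msg614 = match({
  dissect: {
    tokenizer: "Shared license backup server %{hostip} is not available",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1587]),
});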
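// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var all291 = all_match({
  processors: [dup664, dup1588, dup1589, dup1590, dup1591, dup1592],
  on_success: processor_chain([dup93, dup1593]),
});
// all292, all293 and all294 start with the same four stages
// (dup63..dup66) and diverge afterwards.
var all292 = all_match({
  processors: [dup63, dup64, dup65, dup66, dup1594],
  on_success: processor_chain([dup68, dup1595]),
});
var all293 = all_match({
  processors: [
    dup63,
    dup64,
    dup65,
    dup66,
    dup1596,
    dup1597,
    dup1598,
    dup1599,
    dup1600,
  ],
  on_success: processor_chain([dup288, dup1601]),
});
var all294 = all_match({
  processors: [dup63, dup64, dup65, dup66, dup1602],
  on_success: processor_chain([dup288, dup1603]),
});
// The longer chain is listed before the shorter one.
var select129 = linear_select([all293, all294]);
// "\u003c\u003c" and "\u003e" are the escaped forms of "<<" and ">".
// NOTE(review): the opening delimiter is doubled while the closing one is
// single; confirm against a real message that saddr is extracted cleanly.
var msg615 = match({
  dissect: {
    tokenizer: "Rejected %{fld1} Hostscan data from IP \u003c\u003c%{saddr}\u003e. %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1604]),
});
var all295 = all_match({
  processors: [dup1605, dup1606, dup1607],
  on_success: processor_chain([dup473, dup1608]),
});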
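// Generated parser stages for Cisco ASA connection-teardown messages. The
// helpers and the dupN stages are defined outside this excerpt.
var all296 = all_match({
  processors: [dup1609, dup1610, dup1611, dup1612],
  on_success: processor_chain([dup579, dup1613]),
});
var all297 = all_match({
  processors: [dup1614, dup1615],
  on_success: processor_chain([dup579, dup1616]),
});
var all298 = all_match({
  processors: [dup1617, dup1615],
  on_success: processor_chain([dup579, dup1618]),
});
var all299 = all_match({
  processors: [dup1609, dup1619, dup1620, dup1621, dup1622, dup1623],
  on_success: processor_chain([dup579, dup1624]),
});
var all300 = all_match({
  processors: [dup1609, dup1619, dup1620, dup1625, dup1626, dup1627],
  on_success: processor_chain([dup579, dup1628]),
});
// Intermediate stage: reads the partial field nwparser.p3 instead of the
// full payload and has no on_success chain of its own; it is used as the
// last stage of all301 below.
var msg616 = match({
  dissect: {
    tokenizer: "%{duration} bytes %{bytes}",
    field: "nwparser.p3",
  },
});
var all301 = all_match({
  processors: [dup1609, dup1629, dup1620, dup1630, msg616],
  on_success: processor_chain([dup579, dup1631]),
});
// Single-pass teardown patterns including the translated ("gaddr") address.
var msg617 = match({
  dissect: {
    tokenizer: "Teardown %{protocol} connection %{connectionid} for %{sinterface} %{saddr}/%{sport} gaddr %{hostip}/%{network_port} %{dinterface} %{daddr}/%{dport} duration %{duration} bytes %{bytes}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup430, dup1632]),
});
var msg618 = match({
  dissect: {
    tokenizer: "Teardown %{protocol} connection for %{sinterface} %{saddr}/%{sport} gaddr %{hostip}/%{network_port} %{dinterface} %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup430, dup1633]),
});
// Eight alternatives for the same message id. The listed order is
// significant if linear_select stops at the first match (inferred from its
// name; confirm before reordering).
var select130 = linear_select([
  all296,
  all297,
  all298,
  all299,
  all300,
  all301,
  msg617,
  msg618,
]);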
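// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var all302 = all_match({
  processors: [
    dup1634,
    dup1635,
    dup1636,
    dup1637,
    dup1638,
    dup446,
    dup1639,
    dup1640,
    dup1641,
  ],
  on_success: processor_chain([dup33, dup1642]),
});
// Fixed-text message; the trailing %{} captures nothing.
var msg619 = match({
  dissect: {
    tokenizer: "The license on this ASA does not support dynamic filter updater feature.%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup261, dup1643]),
});
// "\u003c\u003c" / "\u003e" are the escaped forms of "<<" / ">".
// NOTE(review): opening delimiters are doubled, closing ones single; verify
// with a real AnyConnect log line. username is user-supplied text.
var msg620 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e AnyConnect session lost connection. %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1644]),
});
var all303 = all_match({
  processors: [dup1645, dup4, dup1646],
  on_success: processor_chain([dup110, dup1647]),
});
var msg621 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup597, dup1648]),
});
var all304 = all_match({
  processors: [dup1649, dup4, dup1650],
  on_success: processor_chain([dup334, dup1651]),
});
var msg622 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}: msg id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup1652]),
});
var msg623 = match({
  dissect: {
    tokenizer: "IKE Initiator starting QM: msg id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup220, dup1653]),
});
var select131 = linear_select([msg622, msg623]);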
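// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var msg624 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1654]),
});
// url is the remainder of the line and comes from request data.
var msg625 = match({
  dissect: {
    tokenizer: "URL Server %{hostip} request failed URL %{url}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup336, dup1655]),
});
var msg626 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1656]),
});
// Client-type rule verdicts. Both the "allowed" and the "NOT allowed"
// pattern start their on_success chain with the same stage (dup1492).
// NOTE(review): confirm that dup1657/dup1658 record the two outcomes
// distinctly, since a rule for blocked clients depends on that difference.
var msg627 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP %{saddr}, Rule: %{fld1} Client: %{fld2} - allowed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1492, dup1657]),
});
var msg628 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP %{saddr}, Rule: %{fld1} OS : %{fld3} Client: %{fld2} - NOT allowed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1492, dup1658]),
});
var select132 = linear_select([msg627, msg628]);
var msg629 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup1659]),
});
var all305 = all_match({
  processors: [dup1660, dup4],
  on_success: processor_chain([dup141, dup1661]),
});
var all306 = all_match({
  processors: [dup1662, dup4],
  on_success: processor_chain([dup141, dup1663]),
});
var select133 = linear_select([all305, all306]);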
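// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var msg630 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Mismatch: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup378, dup1664]),
});
var msg631 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup268, dup1665]),
});
var all307 = all_match({
  processors: [dup494, dup495, dup496],
  on_success: processor_chain([dup93, dup1666]),
});
// Address-assignment successes: hostip is the address handed to the client.
var msg632 = match({
  dissect: {
    tokenizer: "%{process}: Client requested address %{hostip}, request succeeded",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1667]),
});
var msg633 = match({
  dissect: {
    tokenizer: "%{process}: AAA assigned address %{hostip} succeeded",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1668]),
});
var select134 = linear_select([msg632, msg633]);
// Fixed-text message; the trailing %{} captures nothing.
var msg634 = match({
  dissect: {
    tokenizer: "Free unallocated global IP address.%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup268, dup1669]),
});
var all308 = all_match({
  processors: [dup324, dup1670],
  on_success: processor_chain([dup33, dup1671]),
});
var all309 = all_match({
  processors: [dup393, dup1672],
  on_success: processor_chain([dup14, dup1673]),
});
var all310 = all_match({
  processors: [dup396, dup1674],
  on_success: processor_chain([dup14, dup1675]),
});
var all311 = all_match({
  processors: [dup1676, dup1677],
  on_success: processor_chain([dup14, dup1678]),
});
// Catch-all used as the last alternative of select135: when none of the
// structured chains match, the whole payload is kept as event_description,
// so no addresses are extracted for those events.
var msg635 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1679]),
});
var select135 = linear_select([all309, all310, all311, msg635]);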
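// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var msg636 = match({
  dissect: {
    tokenizer: "Fragment database limit of %{fld1} exceeded: %{space} src = %{saddr}, %{space} dest = %{daddr}, proto = %{protocol}, id = %{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1680]),
});
// Management-plane access denial; saddr is the rejected manager address.
var msg637 = match({
  dissect: {
    tokenizer: "Denied manager connection from %{saddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup349, dup1681]),
});
var msg638 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{event_description}: %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1682]),
});
var msg639 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1683]),
});
// msg640 and msg641 use the same tokenizer and the same first on_success
// stage; only the second stage (dup1684 vs dup1685) differs.
var msg640 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup794, dup1684]),
});
var msg641 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup794, dup1685]),
});
var msg642 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup1686]),
});
var all312 = all_match({
  processors: [dup421, dup1687, dup1688, dup1689, dup1690, dup1691],
  on_success: processor_chain([dup10, dup1692]),
});
// Intermediate stage: reads the partial field nwparser.p0 and has no
// on_success chain; it is the second stage of all313 below.
var msg643 = match({
  dissect: {
    tokenizer: "%{saddr}, %{event_description}",
    field: "nwparser.p0",
  },
});
var all313 = all_match({
  processors: [dup1693, msg643],
  on_success: processor_chain([dup33, dup1694]),
});
var all314 = all_match({
  processors: [dup1695, dup1696],
  on_success: processor_chain([dup14, dup1697]),
});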
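// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var msg644 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup47, dup1698]),
});
var msg645 = match({
  dissect: {
    tokenizer: "%{service} error, slot = %{fld1}, device = %{fld2}, address = %{fld3}, byte count = %{bytes}. Reason: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1699]),
});
var msg646 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup168, dup1700]),
});
// NOTE(review): "GTPv version %{fld1}" repeats "version" after "GTPv";
// confirm the literal matches what the device emits.
var msg647 = match({
  dissect: {
    tokenizer: "GTPv version %{fld1} from %{sinterface}:%{saddr}/%{sport} not accepted by %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup489, dup1701]),
});
// Here the address after "IP =" is stored as daddr, whereas other
// "IP = ..." patterns in this file (e.g. msg638) store it as saddr.
// NOTE(review): confirm the direction is intended for this message id.
var msg648 = match({
  dissect: {
    tokenizer: "IP = %{daddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1702]),
});
var msg649 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1703]),
});
var msg650 = match({
  dissect: {
    tokenizer: "Sent TOPOLOGY indicator to %{space} [%{daddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1704]),
});
var msg651 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup106, dup1705]),
});
var msg652 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup232, dup1706]),
});
// Keys appear in the order fld3, fld1, fld2 in the message text.
var msg653 = match({
  dissect: {
    tokenizer: "Tunnel Manager dispatching a %{fld3} message to IKEv1. Map Tag = %{fld1}. Map Sequence Number = %{fld2}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1707]),
});
var msg654 = match({
  dissect: {
    tokenizer: "Local CA Server internal error detected: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1708]),
});
var msg655 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1709]),
});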
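// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var all315 = all_match({
  processors: [dup1710, dup1711, dup1712],
  on_success: processor_chain([dup285, dup1713]),
});
var msg656 = match({
  dissect: {
    tokenizer: "Deny %{direction} %{protocol} from %{saddr}/%{sport} to %{daddr}/%{dport} due to DNS %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1714]),
});
var msg657 = match({
  dissect: {
    tokenizer: "LU create static xlate %{hostip} ifc %{interface} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup268, dup1715]),
});
var msg658 = match({
  dissect: {
    tokenizer: "ike_DelOldCentryAndCreateNew(): %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1716]),
});
var all316 = all_match({
  processors: [dup1527, dup1717],
  on_success: processor_chain([dup93, dup1718]),
});
// NOTE(review): "contruct" is matched literally. Keep the spelling only if
// the device emits it that way; otherwise this alternative never matches.
var msg659 = match({
  dissect: {
    tokenizer: "Unable to contruct xauth message, no message%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1719]),
});
var select136 = linear_select([msg658, all316, msg659]);
var all317 = all_match({
  processors: [dup12, dup4, dup1720],
  on_success: processor_chain([dup33, dup1721]),
});
// change_attribute / change_new hold the attribute name and value retrieved
// for the user during IKE negotiation.
var msg660 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, IKEGetUserAttributes: %{change_attribute} = %{change_new}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup1722]),
});
var select137 = linear_select([all317, msg660]);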
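// Generated parser stages for Cisco ASA syslog payloads. The helpers and the
// dupN stages are defined outside this excerpt.
var msg661 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup131, dup1723]),
});
var msg662 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1724]),
});
var msg663 = match({
  dissect: {
    tokenizer: "Send OOS indicator failure to [%{daddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1725]),
});
var msg664 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup268, dup1726]),
});
// all318/all319 share their first three stages and dup1731.
var all318 = all_match({
  processors: [dup1727, dup1728, dup1729, dup1730, dup1731, dup1732],
  on_success: processor_chain([dup33, dup1733]),
});
var all319 = all_match({
  processors: [
    dup1727,
    dup1728,
    dup1729,
    dup1734,
    dup1731,
    dup446,
    dup1735,
  ],
  on_success: processor_chain([dup33, dup1736]),
});
var select138 = linear_select([all318, all319]);
// Denied ICMP with translation details: hostip and fld3 are the values in
// parentheses after the source and destination endpoints.
var msg665 = match({
  dissect: {
    tokenizer: "Denied invalid %{protocol} code %{icmpcode}, for %{sinterface}:%{saddr}/%{sport} (%{hostip}) to %{dinterface}:%{daddr}/%{dport} (%{fld3}), ICMP id %{fld4}, ICMP type %{icmptype}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1737]),
});
var all320 = all_match({
  processors: [dup249, dup250, dup1738],
  on_success: processor_chain([dup33, dup1739]),
});
// Half-open (embryonic) connection limit events, two wordings. The limit
// counters land in generic fldN keys. NOTE(review): map them to named
// fields if thresholds are used for flood detection.
var msg666 = match({
  dissect: {
    tokenizer: "Embryonic limit %{fld1}/%{fld2} for through connections exceeded. %{saddr}/%{sport} to %{daddr} (%{fld3})/%{dport} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1740]),
});
var msg667 = match({
  dissect: {
    tokenizer: "Embryonic limit for through connections exceeded %{fld1}. %{saddr}/%{sport} to %{daddr} (%{fld2})/%{dport} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup1741]),
});
var select139 = linear_select([msg666, msg667]);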
var all321 = all_match({ | |
processors: [ | |
dup1742, | |
], | |
on_success: processor_chain([ | |
dup1743, | |
dup1744, | |
]), | |
}); | |
var msg668 = match({ | |
dissect: { | |
tokenizer: "IP = %{saddr}, %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1, | |
dup1745, | |
]), | |
}); | |
var msg669 = match({ | |
dissect: { | |
tokenizer: "IP address collision detected between host %{hostip} at %{smacaddr} and interface %{dinterface}, %{dmacaddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1746, | |
dup1747, | |
]), | |
}); | |
var msg670 = match({ | |
dissect: { | |
tokenizer: "[%{protocol}] %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup183, | |
dup1748, | |
]), | |
}); | |
// Parses failures to authenticate with the dynamic filter updater server.
// Only the server URL is captured from nwparser.payload.
// dup891 is also the first on_success step of msg692 (remote peer failed user
// authentication) and msg777 (certificate chain failed validation).
var msg671 = match({ | |
dissect: { | |
tokenizer: "Failed to authenticate with dynamic filter updater server %{url}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup891, | |
dup1749, | |
]), | |
}); | |
var msg672 = match({ | |
dissect: { | |
tokenizer: "Virtual Sensor %{vsys} was deleted from the %{product}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup761, | |
dup1750, | |
]), | |
}); | |
// Parses "Unknown identification type" messages for a tunnel group.
// NOTE(review): the other "Group = ..., IP = ..." patterns in this section
// capture into group and saddr; this one stores the group in host and the
// address in daddr. Confirm that is intended - queries keyed on group/saddr
// will not see these events.
var msg673 = match({ | |
dissect: { | |
tokenizer: "Group = %{host}, IP = %{daddr}, Unknown identification type, Phase %{fld1}, Type %{fld2}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1751, | |
dup1752, | |
]), | |
}); | |
var all322 = all_match({ | |
processors: [ | |
dup1753, | |
dup1754, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1755, | |
]), | |
}); | |
var msg674 = match({ | |
dissect: { | |
tokenizer: "SSL Server %{interface}:%{hostip}/%{network_port} choose cipher : %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1756, | |
]), | |
}); | |
var all323 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup1757, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1758, | |
]), | |
}); | |
// Catch-all: the whole payload is stored in event_description. No addresses,
// ports or user names are extracted by this pattern, so events handled here
// can only be searched as free text.
var msg675 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup47, | |
dup1759, | |
]), | |
}); | |
// Captures a parenthesised context prefix and stores the rest of the payload
// in event_description.
// NOTE(review): there is no space literal after ")", so a space that follows
// the parenthesis in the log presumably stays at the start of
// event_description - verify against a sample line.
var msg676 = match({ | |
dissect: { | |
tokenizer: "(%{context})%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
dup1760, | |
]), | |
}); | |
var msg677 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup597, | |
dup1761, | |
]), | |
}); | |
var msg678 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, IKE Initiator sending Initial Contact", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1762, | |
]), | |
}); | |
var msg679 = match({ | |
dissect: { | |
tokenizer: "Received HELLO response from [%{saddr}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1763, | |
]), | |
}); | |
var msg680 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1764, | |
]), | |
}); | |
var msg681 = match({ | |
dissect: { | |
tokenizer: "LU loading standby start%{}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup1765, | |
]), | |
}); | |
// Parses "Built inbound GRE connection". The endpoint after "from" is stored
// under the source keys (sinterface, saddr, stransaddr) and the endpoint after
// "to" under the destination keys (dinterface, daddr, dport, dtransaddr,
// dtransport).
var msg682 = match({ | |
dissect: { | |
tokenizer: "Built inbound GRE connection %{connectionid} from %{sinterface}:%{saddr} (%{stransaddr}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup357, | |
dup1766, | |
]), | |
}); | |
// Parses "Built outbound GRE connection". Here the mapping is reversed
// relative to msg682: the endpoint after "from" is stored under the
// destination keys and the endpoint after "to" under the source keys.
// NOTE(review): confirm the intended direction semantics before building
// source/destination detections on GRE events.
var msg683 = match({ | |
dissect: { | |
tokenizer: "Built outbound GRE connection %{connectionid} from %{dinterface}:%{daddr} (%{dtransaddr}) to %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup357, | |
dup1767, | |
]), | |
}); | |
// Alternatives for the GRE connection-built message (inbound, then outbound).
var select140 = linear_select([ | |
msg682, | |
msg683, | |
]); | |
var msg684 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, %{action} payload type: %{fld1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1, | |
dup1768, | |
]), | |
}); | |
var msg685 = match({ | |
dissect: { | |
tokenizer: "access-list %{listnum} permit url %{url} hit-cnt %{dclass_counter1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1769, | |
]), | |
}); | |
// Parses the "Teardown UDP connection for faddr/gaddr/laddr" wording.
// Mapping: faddr -> saddr/sport, gaddr -> hostip/network_port,
// laddr -> daddr/dport. No duration or byte count is captured by this variant.
var msg686 = match({ | |
dissect: { | |
tokenizer: "Teardown UDP connection for faddr %{saddr}/%{sport} gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup430, | |
dup1770, | |
]), | |
}); | |
// Parses the "Teardown UDP connection <id> for <if>:<addr>/<port> to ..."
// wording, which also carries the duration and byte count. The connection id
// is stored in the generic fld1 key.
var msg687 = match({ | |
dissect: { | |
tokenizer: "Teardown UDP connection %{fld1} for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration} bytes %{bytes}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup430, | |
dup1771, | |
]), | |
}); | |
// Alternatives for the UDP teardown message.
// NOTE(review): presumably tried in the listed order - confirm.
var select141 = linear_select([ | |
msg686, | |
msg687, | |
]); | |
var msg688 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}: %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1772, | |
]), | |
}); | |
// Parses "Negotiation aborted due to ERROR" messages. Local address/port are
// stored as saddr/sport, Remote address/port as daddr/dport; the error text
// goes to result.
// NOTE(review): address and port are separated by ":" in this format, so an
// IPv6 address would presumably be split at its first colon - verify with an
// IPv6 sample before relying on saddr/daddr from these events.
var msg689 = match({ | |
dissect: { | |
tokenizer: "Local:%{saddr}:%{sport} Remote:%{daddr}:%{dport} Username:%{username} Negotiation aborted due to ERROR: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1773, | |
]), | |
}); | |
// Parses "Configuration Payload request ... could not be processed" messages,
// with the same Local/Remote mapping as msg689.
// NOTE(review): username and severity are separated only by a single space, so
// a user name that contains a space would shift the following captures. Treat
// username/severity from this pattern as untrusted input.
var msg690 = match({ | |
dissect: { | |
tokenizer: "Local:%{saddr}:%{sport} Remote:%{daddr}:%{dport} Username:%{username} %{severity} Configuration Payload request for attribute %{obj_name} could not be processed. Error: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1774, | |
]), | |
}); | |
var all324 = all_match({ | |
processors: [ | |
dup1775, | |
dup1776, | |
dup452, | |
dup1777, | |
dup74, | |
dup1778, | |
], | |
on_success: processor_chain([ | |
dup110, | |
dup1779, | |
]), | |
}); | |
var all325 = all_match({ | |
processors: [ | |
dup1775, | |
dup610, | |
dup1780, | |
], | |
on_success: processor_chain([ | |
dup110, | |
dup1781, | |
]), | |
}); | |
var select142 = linear_select([ | |
all324, | |
all325, | |
]); | |
var all326 = all_match({ | |
processors: [ | |
dup1782, | |
dup1783, | |
dup1784, | |
dup1785, | |
dup1786, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup1787, | |
]), | |
}); | |
var all327 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup829, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1788, | |
]), | |
}); | |
var msg691 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1789, | |
]), | |
}); | |
var all328 = all_match({ | |
processors: [ | |
dup1790, | |
dup4, | |
dup930, | |
], | |
on_success: processor_chain([ | |
dup1791, | |
dup1792, | |
]), | |
}); | |
var all329 = all_match({ | |
processors: [ | |
dup714, | |
dup1793, | |
dup1794, | |
dup1795, | |
dup1796, | |
dup1778, | |
], | |
on_success: processor_chain([ | |
dup10, | |
dup1797, | |
]), | |
}); | |
var all330 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup1798, | |
], | |
on_success: processor_chain([ | |
dup1799, | |
dup1800, | |
]), | |
}); | |
var all331 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup1801, | |
], | |
on_success: processor_chain([ | |
dup81, | |
dup1802, | |
]), | |
}); | |
// Parses "Remote peer has failed user authentication" for a tunnel group.
// Captures the group, the peer address (saddr) and the trailing detail (info).
// This pattern contains no user-name capture.
var msg692 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, Remote peer has failed user authentication - %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup891, | |
dup1803, | |
]), | |
}); | |
// all331 is listed before msg692.
// NOTE(review): presumably msg692 is only reached when all331 does not match
// (linear_select is defined elsewhere in this file) - confirm.
var select143 = linear_select([ | |
all331, | |
msg692, | |
]); | |
var all332 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup1804, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup1805, | |
]), | |
}); | |
var msg693 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, Client Type: %{product} Client Application Version: %{version}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1806, | |
]), | |
}); | |
var select144 = linear_select([ | |
all332, | |
msg693, | |
]); | |
var all333 = all_match({ | |
processors: [ | |
dup1807, | |
dup4, | |
dup1808, | |
dup1809, | |
dup1786, | |
], | |
on_success: processor_chain([ | |
dup579, | |
dup1810, | |
]), | |
}); | |
// Parses anti-spoofing denials ("Deny <protocol> connection spoof").
// Captures protocol, saddr, daddr and the interface; no ports are present in
// this pattern. Note that saddr here is the address the device reported as
// spoofed, so it does not identify the real sender.
var msg694 = match({ | |
dissect: { | |
tokenizer: "Deny %{protocol} connection spoof from %{saddr} to %{daddr} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup1811, | |
]), | |
}); | |
var msg695 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1812, | |
]), | |
}); | |
var msg696 = match({ | |
dissect: { | |
tokenizer: "Successfully downloaded dynamic filter data file from updater server %{url}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1813, | |
]), | |
}); | |
// Parses "Rec'd packet not an PPTP packet" messages. The log prints the
// destination before the source; captures follow the labels (dest_addr ->
// daddr, src_addr -> saddr). Everything after "data: " is stored in result.
var msg697 = match({ | |
dissect: { | |
tokenizer: "Rec'd packet not an PPTP packet. (%{service}) dest_addr=%{daddr}, src_addr=%{saddr}, data: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup253, | |
dup1814, | |
]), | |
}); | |
var msg698 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, Tunnel Rejected: %{action}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1815, | |
]), | |
}); | |
var msg699 = match({ | |
dissect: { | |
tokenizer: "(%{context}) Testing on interface %{interface} %{disposition}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1816, | |
]), | |
}); | |
var msg700 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup597, | |
dup1817, | |
]), | |
}); | |
var msg701 = match({ | |
dissect: { | |
tokenizer: "PPP virtual interface %{interface} requires RADIUS for MPPE", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup1818, | |
]), | |
}); | |
// Parses "Begin configuration" messages: the address before "writing to" is
// stored in hostip and the target in device. Useful as a configuration-change
// audit event; this pattern captures no user name.
var msg702 = match({ | |
dissect: { | |
tokenizer: "Begin configuration: %{hostip} writing to %{device}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
dup1819, | |
]), | |
}); | |
var msg703 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, Static Crypto Map check, map = %{fld1}, seq = %{fld2}, no ACL configured", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup1820, | |
]), | |
}); | |
var msg704 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1821, | |
]), | |
}); | |
// Parses "rec'd IPSEC packet has invalid spi" messages. Captures the
// destination address, protocol and SPI (dst_spi); the text before the first
// ": " goes to fld1. No source address is present in this pattern.
var msg705 = match({ | |
dissect: { | |
tokenizer: "%{fld1}: rec'd IPSEC packet has invalid spi for destaddr=%{daddr}, prot=%{protocol}, spi=%{dst_spi}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1, | |
dup1822, | |
]), | |
}); | |
var msg706 = match({ | |
dissect: { | |
tokenizer: "%{product}: Received an ICMP Destination Unreachable from %{saddr},%{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1823, | |
]), | |
}); | |
// First alternative of select145: two shared processors (dup1824, dup352,
// defined elsewhere in this file) followed by the dup55/dup1825 chain.
var all334 = all_match({ | |
processors: [ | |
dup1824, | |
dup352, | |
], | |
on_success: processor_chain([ | |
dup55, | |
dup1825, | |
]), | |
}); | |
// Tail pattern applied to nwparser.p0 rather than nwparser.payload; it has no
// on_success of its own and is used only as the second step of all335.
// Captures saddr, action and two generic values (fld11, fld12).
var msg707 = match({ | |
dissect: { | |
tokenizer: "%{saddr}, %{action} (P2 struct %{fld11}, mess id %{fld12})!", | |
field: "nwparser.p0", | |
}, | |
}); | |
// dup1826 runs first, then msg707 on nwparser.p0.
// NOTE(review): presumably dup1826 is what populates nwparser.p0 - confirm.
var all335 = all_match({ | |
processors: [ | |
dup1826, | |
msg707, | |
], | |
on_success: processor_chain([ | |
dup55, | |
dup1827, | |
]), | |
}); | |
// Shorter tail pattern on nwparser.p0; note the literal " , " (space before
// the comma) between the address and the action.
var msg708 = match({ | |
dissect: { | |
tokenizer: "%{saddr} , %{action}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Same prefix processor as all335, with msg708 as the tail.
var all336 = all_match({ | |
processors: [ | |
dup1826, | |
msg708, | |
], | |
on_success: processor_chain([ | |
dup55, | |
dup1828, | |
]), | |
}); | |
// Alternatives in listed order: all334, then the two dup1826-prefixed forms.
var select145 = linear_select([ | |
all334, | |
all335, | |
all336, | |
]); | |
var msg709 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup1829, | |
]), | |
}); | |
var msg710 = match({ | |
dissect: { | |
tokenizer: "Power Supply %{dclass_counter1}: OK", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1830, | |
]), | |
}); | |
var msg711 = match({ | |
dissect: { | |
tokenizer: "Local:%{saddr}:%{sport} Remote:%{daddr}:%{dport} Username:%{username} Configured attribute not supported for IKEv2. Attribute: %{obj_name}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1831, | |
]), | |
}); | |
var msg712 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
dup1832, | |
]), | |
}); | |
var all337 = all_match({ | |
processors: [ | |
dup1833, | |
dup322, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup1834, | |
]), | |
}); | |
var msg713 = match({ | |
dissect: { | |
tokenizer: "Start VPN Load Balancing in context %{context}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1835, | |
]), | |
}); | |
var all338 = all_match({ | |
processors: [ | |
dup1836, | |
dup4, | |
dup1837, | |
], | |
on_success: processor_chain([ | |
dup1838, | |
dup1839, | |
]), | |
}); | |
var msg714 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup1840, | |
]), | |
}); | |
var msg715 = match({ | |
dissect: { | |
tokenizer: "%{fld1} %{fld2} %{fld3}:%{fld4}:%{fld5} %{saddr} %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1841, | |
dup1842, | |
]), | |
}); | |
var msg716 = match({ | |
dissect: { | |
tokenizer: "%{product}: Received an ICMP Destination Unreachable from %{saddr} with %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1843, | |
]), | |
}); | |
// Parses failed telnet logins that include the interface. Captures the client
// address (saddr), the parenthesised reason (result) and the interface.
// This pattern contains no user-name capture.
var msg717 = match({ | |
dissect: { | |
tokenizer: "telnet login session failed from %{saddr} (%{result}) on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1844, | |
dup1845, | |
]), | |
}); | |
// Same message without the trailing " on interface ..." part.
var msg718 = match({ | |
dissect: { | |
tokenizer: "telnet login session failed from %{saddr} (%{result})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1844, | |
dup1846, | |
]), | |
}); | |
// The longer pattern is listed first; msg718 is a prefix of msg717.
// NOTE(review): presumably order matters here so that the interface is
// captured when present - confirm linear_select tries entries in order.
var select146 = linear_select([ | |
msg717, | |
msg718, | |
]); | |
var msg719 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1275, | |
dup1847, | |
]), | |
}); | |
var msg720 = match({ | |
dissect: { | |
tokenizer: "(WebVPN-%{context}) Enable APCF XML file path %{filename} on the standby unit", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1848, | |
]), | |
}); | |
var msg721 = match({ | |
dissect: { | |
tokenizer: "Non-embryonic in embryonic list %{saddr}/%{sport} %{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1849, | |
]), | |
}); | |
var all339 = all_match({ | |
processors: [ | |
dup1850, | |
dup4, | |
dup1851, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup1852, | |
]), | |
}); | |
var msg722 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1853, | |
]), | |
}); | |
var all340 = all_match({ | |
processors: [ | |
dup664, | |
dup665, | |
dup1854, | |
], | |
on_success: processor_chain([ | |
dup1855, | |
dup1856, | |
]), | |
}); | |
var all341 = all_match({ | |
processors: [ | |
dup12, | |
dup4, | |
dup1857, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1858, | |
]), | |
}); | |
var msg723 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, MODE_CFG: %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1859, | |
]), | |
}); | |
var select147 = linear_select([ | |
all341, | |
msg723, | |
]); | |
var msg724 = match({ | |
dissect: { | |
tokenizer: "user-identity: [FQDN] %{domain} address %{hostip} obsolete", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup486, | |
dup1860, | |
]), | |
}); | |
var msg725 = match({ | |
dissect: { | |
tokenizer: "Local CA Server CRL info: %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup18, | |
dup1861, | |
]), | |
}); | |
var all342 = all_match({ | |
processors: [ | |
dup1862, | |
dup4, | |
dup930, | |
], | |
on_success: processor_chain([ | |
dup85, | |
dup1863, | |
]), | |
}); | |
var msg726 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup1864, | |
]), | |
}); | |
// Parses certificate-expired messages for a trustpoint. Captures the
// trustpoint (cert_hostname), subject (cert_subject), issuer (dn) and serial
// number; the certificate type and expiration go to fld1/fld2.
// The \u003c and \u003e escapes are "<" and ">", so the tokenizer expects each
// value to be preceded by two "<" characters and followed by one ">".
// NOTE(review): if the device emits a single "<" before each value, this
// pattern would presumably never match and certificate-expiry events would go
// unparsed - verify against a sample log line.
var msg727 = match({ | |
dissect: { | |
tokenizer: "The \u003c\u003c%{fld1}\u003e certificate in the trustpoint \u003c\u003c%{cert_hostname}\u003e has expired. Expiration \u003c\u003c%{fld2}\u003e Subject Name \u003c\u003c%{cert_subject}\u003e Issuer Name \u003c\u003c%{dn}\u003e Serial Number \u003c\u003c%{serial_number}\u003e", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1865, | |
]), | |
}); | |
// Parses "<protocol> connection limit exceeded" messages.
// The value after the destination address slash is stored in service, not
// dport, and the source side has no interface capture. Queries that filter on
// dport will not see these events.
var msg728 = match({ | |
dissect: { | |
tokenizer: "%{protocol} connection limit exceeded from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{service}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1866, | |
]), | |
}); | |
// Tail pattern for "denied due to NAT reverse path failure". It reads
// nwparser.p1 rather than nwparser.payload, has no on_success of its own and
// is used only as the last step of all343. Captures the destination
// interface, address and port.
var msg729 = match({ | |
dissect: { | |
tokenizer: "%{dinterface}:%{daddr}/%{dport} denied due to NAT reverse path failure", | |
field: "nwparser.p1", | |
}, | |
}); | |
// dup1867 and dup1868 (defined elsewhere in this file) run before msg729.
// NOTE(review): presumably they parse the leading part of the message and
// populate nwparser.p1 - confirm.
var all343 = all_match({ | |
processors: [ | |
dup1867, | |
dup1868, | |
msg729, | |
], | |
on_success: processor_chain([ | |
dup412, | |
dup1869, | |
]), | |
}); | |
// Variant carrying ICMP type and code; no ports are captured. The text before
// "; Connection for" goes to result.
var msg730 = match({ | |
dissect: { | |
tokenizer: "%{result}; Connection for %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode}) denied due to NAT reverse path failure", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup486, | |
dup1870, | |
]), | |
}); | |
// Variant for other protocols ("Connection for protocol <n>"); addresses only.
var msg731 = match({ | |
dissect: { | |
tokenizer: "%{result}; Connection for protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} denied due to NAT reverse path failure", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup486, | |
dup1871, | |
]), | |
}); | |
// Alternatives for NAT reverse-path-failure denials, in listed order.
var select148 = linear_select([ | |
all343, | |
msg730, | |
msg731, | |
]); | |
var msg732 = match({ | |
dissect: { | |
tokenizer: "Route update for IP address %{daddr} to %{fld1} failed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1872, | |
]), | |
}); | |
var msg733 = match({ | |
dissect: { | |
tokenizer: "Resource %{fld1} rate log level of %{fld2} %{fld3}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1873, | |
]), | |
}); | |
var all344 = all_match({ | |
processors: [ | |
dup687, | |
dup688, | |
dup1874, | |
dup690, | |
dup74, | |
dup691, | |
dup692, | |
dup693, | |
dup694, | |
dup695, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup1875, | |
]), | |
}); | |
// Parses denials caused by the licensed host limit. Captures protocol, both
// endpoints (interface, address, port) and the limit value (fld1). These are
// capacity denials, not policy denials, even though the message starts with
// "Deny traffic".
var msg734 = match({ | |
dissect: { | |
tokenizer: "Deny traffic for protocol %{protocol} src %{sinterface}:%{saddr}/%{sport} dst %{dinterface}:%{daddr}/%{dport}, licensed host limit of %{fld1} exceeded.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup258, | |
dup1876, | |
]), | |
}); | |
var msg735 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1877, | |
]), | |
}); | |
var msg736 = match({ | |
dissect: { | |
tokenizer: "%{fld1} %{fld2} %{fld3}:%{fld4}:%{fld5} %{fld6}: %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1841, | |
dup1878, | |
]), | |
}); | |
var msg737 = match({ | |
dissect: { | |
tokenizer: "(%{context}) Link status 'Up' on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup1879, | |
]), | |
}); | |
// Parses ARP inspection failures. Captures the sender MAC (smacaddr) and the
// interface; the remainder goes to info. No IP address is captured by this
// pattern.
// NOTE(review): interface ends at the first "." in the text, so an interface
// name containing a dot would presumably be truncated - verify with samples.
var msg738 = match({ | |
dissect: { | |
tokenizer: "ARP inspection check failed for arp request received from host %{smacaddr} on interface %{interface}.%{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1880, | |
]), | |
}); | |
var all345 = all_match({ | |
processors: [ | |
dup1807, | |
dup4, | |
dup1881, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1882, | |
]), | |
}); | |
var all346 = all_match({ | |
processors: [ | |
dup1807, | |
dup4, | |
dup1883, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1884, | |
]), | |
}); | |
var all347 = all_match({ | |
processors: [ | |
dup1807, | |
dup4, | |
dup1885, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1886, | |
]), | |
}); | |
var all348 = all_match({ | |
processors: [ | |
dup1807, | |
dup4, | |
dup1887, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1888, | |
]), | |
}); | |
var select149 = linear_select([ | |
all345, | |
all346, | |
all347, | |
all348, | |
]); | |
var msg739 = match({ | |
dissect: { | |
tokenizer: "Power Supply %{dclass_counter1}: Fan OK", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1889, | |
]), | |
}); | |
// Parses "(<context>) <description> failed" messages; a literal space follows
// the closing parenthesis.
var msg740 = match({ | |
dissect: { | |
tokenizer: "(%{context}) %{event_description} failed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1890, | |
]), | |
}); | |
// Parses "(<context>)<description> OK" messages.
// NOTE(review): unlike msg740 there is no space literal after ")", so a space
// in the log would presumably end up at the start of event_description -
// confirm whether the difference is intended.
var msg741 = match({ | |
dissect: { | |
tokenizer: "(%{context})%{event_description} OK", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1891, | |
]), | |
}); | |
// Failure wording first, then the OK wording.
var select150 = linear_select([ | |
msg740, | |
msg741, | |
]); | |
var all349 = all_match({ | |
processors: [ | |
dup1301, | |
dup1892, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup1893, | |
]), | |
}); | |
// Parses "Content type not found ... Content Verification Failed" messages.
// Captures sigid, listnum, saddr and daddr.
var msg742 = match({ | |
dissect: { | |
tokenizer: "%{sigid} Content type not found - %{listnum} Content Verification Failed from %{saddr} to %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup27, | |
dup1894, | |
]), | |
}); | |
// More general form: whatever stands between listnum and " from " is stored
// in protocol.
var msg743 = match({ | |
dissect: { | |
tokenizer: "%{sigid} Content type not found - %{listnum} %{protocol} from %{saddr} to %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup27, | |
dup1895, | |
]), | |
}); | |
// The specific pattern is listed before the general one. msg743 would also
// match the "Content Verification Failed" text (as protocol).
// NOTE(review): presumably the order keeps that text out of protocol -
// confirm linear_select tries entries in order.
var select151 = linear_select([ | |
msg742, | |
msg743, | |
]); | |
// Parses "HTTP Header length exceeded" messages. Captures sigid, listnum,
// saddr and daddr.
// NOTE(review): the received header size ("Received <n> byte Header") is
// stored in a key named priority. Consumers reading priority from these
// events get a byte count, not a severity - confirm downstream mapping.
var msg744 = match({ | |
dissect: { | |
tokenizer: "%{sigid} HTTP Header length exceeded. Received %{priority} byte Header - %{listnum} header length exceeded from %{saddr} to %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup27, | |
dup1896, | |
]), | |
}); | |
var msg745 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup268, | |
dup1897, | |
]), | |
}); | |
var msg746 = match({ | |
dissect: { | |
tokenizer: "Sent HELLO response to [%{daddr}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1898, | |
]), | |
}); | |
// Parses failed Dynamic DNS updates. Captures the quoted domain and hostip.
// The \u003c and \u003e escapes are "<" and ">", so the literal between the
// two captures is "<<=>" (two "<" characters).
// NOTE(review): if the device prints "<=>", this pattern would presumably
// never match - verify against a sample log line.
var msg747 = match({ | |
dissect: { | |
tokenizer: "Dynamic DNS Update for '%{domain}' \u003c\u003c=\u003e %{hostip} failed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup43, | |
dup1899, | |
]), | |
}); | |
var msg748 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup243, | |
dup1900, | |
]), | |
}); | |
var msg749 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup597, | |
dup1901, | |
]), | |
}); | |
var msg750 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup1902, | |
]), | |
}); | |
var all350 = all_match({ | |
processors: [ | |
dup1319, | |
dup4, | |
dup1903, | |
], | |
on_success: processor_chain([ | |
dup10, | |
dup1904, | |
]), | |
}); | |
var msg751 = match({ | |
dissect: { | |
tokenizer: "(%{context}) Lost Failover communications with mate on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup858, | |
dup1905, | |
]), | |
}); | |
var all351 = all_match({ | |
processors: [ | |
dup1906, | |
dup4, | |
dup930, | |
], | |
on_success: processor_chain([ | |
dup85, | |
dup1907, | |
]), | |
}); | |
var msg752 = match({ | |
dissect: { | |
tokenizer: "(FUNCTION:%{fld1}) pix clear %{fld2} return %{resultcode}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup243, | |
dup1908, | |
]), | |
}); | |
var msg753 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup1909, | |
]), | |
}); | |
var msg754 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup1910, | |
]), | |
}); | |
var msg755 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup18, | |
dup1911, | |
]), | |
}); | |
// Parses "Group = ..., Username = ..., IP = ..." messages. Captures group,
// username, the peer address (saddr), then result and info split at the next
// ", ".
// NOTE(review): the fields are delimited by ", " literals, so a group or user
// name that itself contains such text would shift the later captures. Treat
// username/result/info from this pattern as untrusted input.
var msg756 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, %{result}, %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1912, | |
]), | |
}); | |
// Seven-step sequence (all steps defined elsewhere in this file). It differs
// from all353 only in its first processor (dup1913 vs dup1922) and in the
// second on_success step (dup1920 vs dup1923).
var all352 = all_match({ | |
processors: [ | |
dup1913, | |
dup1914, | |
dup1915, | |
dup1916, | |
dup1917, | |
dup1918, | |
dup1919, | |
], | |
on_success: processor_chain([ | |
dup204, | |
dup1920, | |
]), | |
}); | |
// Parses "Bad Checksum in <service> response" messages; only the service name
// is captured, no addresses.
var msg757 = match({ | |
dissect: { | |
tokenizer: "Bad Checksum in %{network_service} response", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup199, | |
dup1921, | |
]), | |
}); | |
// Same tail as all352 with a different leading processor (dup1922).
var all353 = all_match({ | |
processors: [ | |
dup1922, | |
dup1914, | |
dup1915, | |
dup1916, | |
dup1917, | |
dup1918, | |
dup1919, | |
], | |
on_success: processor_chain([ | |
dup204, | |
dup1923, | |
]), | |
}); | |
// Alternatives in listed order; the bad-checksum pattern sits between the two
// multi-step forms.
var select152 = linear_select([ | |
all352, | |
msg757, | |
all353, | |
]); | |
var msg758 = match({ | |
dissect: { | |
tokenizer: "(VPN-%{context}) %{event_description}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1924, | |
]), | |
}); | |
var msg759 = match({ | |
dissect: { | |
tokenizer: "DAP: Processing error: Code %{resultcode}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1925, | |
]), | |
}); | |
var msg760 = match({ | |
dissect: { | |
tokenizer: "%{application}: %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1926, | |
]), | |
}); | |
// Parses "SFR requested ASA to bypass further packet redirection" messages.
// Captures protocol and both endpoints (interface, address, port). Worth
// tracking: flows reported here are handled locally instead of being
// redirected to the SFR module.
var msg761 = match({ | |
dissect: { | |
tokenizer: "SFR requested ASA to bypass further packet redirection and process %{protocol} flow from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} locally", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1927, | |
]), | |
}); | |
// Parses denied SSH management sessions. Captures the client address (saddr)
// and the interface; this pattern contains no user name or port.
var msg762 = match({ | |
dissect: { | |
tokenizer: "Denied SSH session from %{saddr} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup349, | |
dup1928, | |
]), | |
}); | |
var msg763 = match({ | |
dissect: { | |
tokenizer: "Portmapped translation built for gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1929, | |
]), | |
}); | |
var all354 = all_match({ | |
processors: [ | |
dup1930, | |
dup570, | |
dup1931, | |
], | |
on_success: processor_chain([ | |
dup89, | |
dup1932, | |
]), | |
}); | |
var msg764 = match({ | |
dissect: { | |
tokenizer: "(%{context}) %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup1933, | |
]), | |
}); | |
var msg765 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup1934, | |
]), | |
}); | |
var all355 = all_match({ | |
processors: [ | |
dup1935, | |
dup895, | |
dup1936, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup1937, | |
]), | |
}); | |
var msg766 = match({ | |
dissect: { | |
tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1938, | |
dup1939, | |
]), | |
}); | |
var msg767 = match({ | |
dissect: { | |
tokenizer: "%{action} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}, reason: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1940, | |
]), | |
}); | |
var msg768 = match({ | |
dissect: { | |
tokenizer: "%{application}: %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1941, | |
]), | |
}); | |
var msg769 = match({ | |
dissect: { | |
tokenizer: "%{group}: %{fld1} Neighbor %{saddr} (%{interface}) is %{event_state}: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup232, | |
dup1942, | |
]), | |
}); | |
var msg770 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup1943, | |
]), | |
}); | |
var msg771 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup1944, | |
]), | |
}); | |
// Parses split-cluster messages. All four unit names land in generic keys
// (fld1..fld4): fld1/fld2 are the two units acting as master, fld3 the unit
// that keeps the role, fld4 the unit that leaves and rejoins.
// NOTE(review): confirm whether the on_success chain copies these into named
// fields; otherwise the unit names are only available as fldN.
var msg772 = match({ | |
dissect: { | |
tokenizer: "Clustering: Found a split cluster with both %{fld1} and %{fld2} as master units. Master role retained by %{fld3}, %{fld4} will leave then join as a slave", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup222, | |
dup1945, | |
]), | |
}); | |
var msg773 = match({ | |
dissect: { | |
tokenizer: "Unable to send an %{protocol} response to IP Address %{daddr} Port %{dport} interface %{interface}, error code = %{resultcode}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup47, | |
dup1946, | |
]), | |
}); | |
var msg774 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup1947, | |
]), | |
}); | |
var msg775 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup338, | |
dup1948, | |
]), | |
}); | |
// Static crypto map check succeeded: group, peer address, map name (fld1) and sequence (fld2).
var msg776 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, Static Crypto Map check, map %{fld1}, seq = %{fld2} is a successful match", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup1949]),
});

// Certificate chain validation failure; everything after the fixed text is kept in result.
var msg777 = match({
  dissect: { tokenizer: "Certificate chain failed validation. %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup891, dup1950]),
});

// Transparent-firewall notice carrying a full interface:address/port pair for both ends.
var msg778 = match({
  dissect: { tokenizer: "No management IP address configured for transparent firewall. %{result} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup1951]),
});

// Signature-style message: product, signature id, description (context), addresses and interface.
var msg779 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup168, dup1952]),
});

// Same tokenizer as msg779; only the second on_success processor differs.
var msg780 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup168, dup1953]),
});

// End of an ASDM logging session: session number and the host address it came from.
var msg781 = match({
  dissect: { tokenizer: "ASDM logging session number %{sessionid} from %{hostip} ended", field: "nwparser.payload" },
  on_success: processor_chain([dup430, dup1954]),
});

// Catch-all: whole payload kept as event_description, no structured fields.
var msg782 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup243, dup1955]),
});
// Composite matcher built from sub-matchers defined elsewhere in the file.
// Presumably every listed processor must succeed before on_success runs;
// confirm against the all_match definition.
var all356 = all_match({
  processors: [dup1956, dup1957, dup1958, dup1959],
  on_success: processor_chain([dup1960, dup1961]),
});

// Failed request receive: protocol, interface and error code.
var msg783 = match({
  dissect: { tokenizer: "Unable to receive an %{protocol} request on interface %{interface}, error code = %{resultcode}, will try again.", field: "nwparser.payload" },
  on_success: processor_chain([dup47, dup1962]),
});

// Catch-all: whole payload kept as event_description.
var msg784 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup1963]),
});

// Composite matcher; the patterns live in dup249, dup250 and dup1964.
var all357 = all_match({
  processors: [dup249, dup250, dup1964],
  on_success: processor_chain([dup33, dup1965]),
});

// ACL deny. The source is captured as address/port without an interface name,
// while the destination carries one (dinterface).
var msg785 = match({
  dissect: { tokenizer: "%{protocol} access denied by ACL from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup349, dup1966]),
});

// Composite matcher; the patterns live in dup324 and dup322.
var all358 = all_match({
  processors: [dup324, dup322],
  on_success: processor_chain([dup1019, dup1967]),
});
// Group/user/address message with a free-text tail in info. username and info
// are copied verbatim from the log line; treat them as untrusted text when
// they are rendered in dashboards or alert templates.
var msg786 = match({
  dissect: { tokenizer: "Group %{fld0} User %{username} IP %{saddr} %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup1968]),
});

// Local CA server CRL error; the reason is kept in result.
var msg787 = match({
  dissect: { tokenizer: "Local CA Server CRL error: %{result}.", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup1969]),
});

// Composite matcher; shares dup1957 and dup1958 with all356.
var all359 = all_match({
  processors: [dup1970, dup1957, dup1958, dup1971, dup1972],
  on_success: processor_chain([dup68, dup1973]),
});

// Shared license registration failure; no space follows "Reason:" in the pattern.
var msg788 = match({
  dissect: { tokenizer: "Shared license register request failed, Reason:%{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup1974]),
});

// Fixed-text message. The trailing %{} is an unnamed key (in Elastic dissect
// syntax an empty key discards what it matches); no field is extracted.
var msg789 = match({
  dissect: { tokenizer: "Failed to decrypt downloaded dynamic filter database file%{}", field: "nwparser.payload" },
  on_success: processor_chain([dup261, dup1975]),
});

// Composite matchers below: their patterns are in the referenced dupNNN
// processors, which are not visible from this section.
var all360 = all_match({
  processors: [dup1976, dup1977, dup1978],
  on_success: processor_chain([dup437, dup1979]),
});

var all361 = all_match({
  processors: [dup1980],
  on_success: processor_chain([dup1981, dup1982]),
});

var all362 = all_match({
  processors: [dup1983, dup208, dup209],
  on_success: processor_chain([dup14, dup1984]),
});
// DPD R_U_THERE received: group, peer address and sequence number (fld1).
var msg790 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, Received DPD sequence number %{fld1} in R_U_THERE", field: "nwparser.payload" },
  on_success: processor_chain([dup1, dup1985]),
});

// Composite matcher; patterns are in dup12, dup4 and dup1986.
var all363 = all_match({
  processors: [dup12, dup4, dup1986],
  on_success: processor_chain([dup33, dup1987]),
});

// Generic "Group = ..., IP = ..., text." form; the pattern ends on a literal full stop.
var msg791 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}.", field: "nwparser.payload" },
  on_success: processor_chain([dup18, dup1988]),
});

// Composite matcher; patterns are in dup466, dup4 and dup1989.
var all364 = all_match({
  processors: [dup466, dup4, dup1989],
  on_success: processor_chain([dup81, dup1990]),
});

// Hardware client detected in network extension mode: group, username, peer address, outcome.
var msg792 = match({
  dissect: { tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, Detected Hardware Client in network extension mode, %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup1991]),
});

// Composite matcher; patterns are in dup1992..dup1995.
var all365 = all_match({
  processors: [dup1992, dup1993, dup1994, dup1995],
  on_success: processor_chain([dup33, dup1996]),
});

// Catch-all: whole payload kept as event_description. It shares dup183 with
// msg794 below, but extracts no source address.
var msg793 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup183, dup1997]),
});

// Composite matcher; patterns are in dup1998, dup71, dup1999 and dup161.
var all366 = all_match({
  processors: [dup1998, dup71, dup1999, dup161],
  on_success: processor_chain([dup334, dup2000]),
});

// Daemon authentication failure: service, interface and the sender address.
var msg794 = match({
  dissect: { tokenizer: "%{service} daemon interface %{interface}: Authentication failed for packet from %{saddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup183, dup2001]),
});
// Land-attack deny: source and destination address only, no ports or interface.
var msg795 = match({
  dissect: { tokenizer: "Deny IP due to Land Attack from %{saddr} to %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup170, dup2002]),
});

// ActiveX content modified; note the literal "dest to" before the destination address.
var msg796 = match({
  dissect: { tokenizer: "Packet contains ActiveX content and has been modified src %{saddr} dest to %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup2003, dup2004]),
});

// Alternatives for one message id. Presumably tried in list order with the
// first match winning; confirm against the linear_select definition.
var select153 = linear_select([msg795, msg796]);
// ActiveX content modified, interface-qualified form.
var msg797 = match({
  dissect: { tokenizer: "ActiveX content modified src %{saddr} dest %{daddr} on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup486, dup2005]),
});

// Fixed-text message; the trailing %{} is an unnamed key and no field is extracted.
var msg798 = match({
  dissect: { tokenizer: "Duplicate entry already in Tunnel Manager%{}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup2006]),
});

// Signature-style message: product, signature id, description (context), addresses and interface.
var msg799 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup253, dup2007]),
});

// Dropped echo request aimed at a PAT address.
var msg800 = match({
  dissect: { tokenizer: "Dropping echo request from %{saddr} to PAT address %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup2008]),
});

// Dropped echo request aimed at a plain address.
var msg801 = match({
  dissect: { tokenizer: "Dropping echo request from %{saddr} to address %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup2009]),
});

// The two echo-request variants differ in their literal text ("PAT address"
// versus "address"), so a given line can only fit one of them.
var select154 = linear_select([msg800, msg801]);
// Composite matcher; patterns are in dup1056, dup4 and dup2010.
var all367 = all_match({
  processors: [dup1056, dup4, dup2010],
  on_success: processor_chain([dup285, dup2011]),
});

// Catch-all: whole payload kept as event_description.
var msg802 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup106, dup2012]),
});

// Composite matcher; patterns are in dup1422, dup2013 and dup2014.
var all368 = all_match({
  processors: [dup1422, dup2013, dup2014],
  on_success: processor_chain([dup1855, dup2015]),
});

// FTP PORT command naming a low port: source address/port, destination address, interface.
// No destination port is captured by this pattern.
var msg803 = match({
  dissect: { tokenizer: "FTP port command low port: %{saddr}/%{sport} to %{daddr} on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup227, dup2016]),
});
// Embedded messages that start with a five-part timestamp (fld1..fld5).

// Wireless association: sender address, access point, interface and station MAC.
// "%DOT11-6-ASSOC" is literal text, not a capture (no brace follows the percent sign).
var msg804 = match({
  dissect: { tokenizer: "%{fld1} %{fld2} %{fld3}:%{fld4}:%{fld5} %{saddr} AP:%{access_point}: *%{event_time_string}: %DOT11-6-ASSOC: Interface %{interface}, Station %{macaddr} REAP Associated KEY_MGMT[%{fld6}]", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2017]),
});

// Wireless deauthentication: same leading fields, station MAC, then free text.
var msg805 = match({
  dissect: { tokenizer: "%{fld1} %{fld2} %{fld3}:%{fld4}:%{fld5} %{saddr} AP:%{access_point}: *%{event_time_string}: %DOT11-6-DISASSOC: Interface %{interface}, Deauthenticating Station %{macaddr} %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2018]),
});

// pam_unix session opened: process name and pid, PAM service, user, and the opening uid.
var msg806 = match({
  dissect: { tokenizer: "%{fld1} %{fld2} %{fld3}:%{fld4}:%{fld5} %{agent}[%{process_id}]: pam_unix(%{service}): session opened for user %{username} by (uid=%{uid})", field: "nwparser.payload" },
  on_success: processor_chain([dup222, dup2019]),
});

// pam_unix session closed: process name and pid, PAM service, user.
var msg807 = match({
  dissect: { tokenizer: "%{fld1} %{fld2} %{fld3}:%{fld4}:%{fld5} %{agent}[%{process_id}]: pam_unix(%{service}): session closed for user %{username}", field: "nwparser.payload" },
  on_success: processor_chain([dup430, dup2020]),
});

// "(user) CMD (command)" form: the command text goes to action. Both values are
// copied verbatim from the log line; treat them as untrusted text downstream.
var msg808 = match({
  dissect: { tokenizer: "%{fld1} %{fld2} %{fld3}:%{fld4}:%{fld5} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", field: "nwparser.payload" },
  on_success: processor_chain([dup1841, dup2021]),
});

// Fallback: timestamp fields, then everything else in info.
var msg809 = match({
  dissect: { tokenizer: "%{fld1} %{fld2} %{fld3}:%{fld4}:%{fld5} %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup1841, dup2022]),
});

// msg809 accepts any line with the timestamp prefix, so it is listed last.
// Presumably linear_select stops at the first match (confirm against its
// definition); if so, moving msg809 earlier would shadow the specific patterns
// and drop the user/station fields.
var select155 = linear_select([msg804, msg805, msg806, msg807, msg808, msg809]);
// "(context)text" with no space after the closing parenthesis.
var msg810 = match({
  dissect: { tokenizer: "(%{context})%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup685, dup2023]),
});

// Per-client connection limit exceeded: the two counters (fld1/fld2), direction,
// both address/port pairs and the interface.
var msg811 = match({
  dissect: { tokenizer: "Per-client connection limit exceeded %{fld1}/%{fld2} for %{direction} packet from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2024]),
});

// "(VPN-context) text".
var msg812 = match({
  dissect: { tokenizer: "(VPN-%{context}) %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup58, dup2025]),
});

// Composite matcher; patterns are in dup2026..dup2028 and dup161.
var all369 = all_match({
  processors: [dup2026, dup2027, dup2028, dup161],
  on_success: processor_chain([dup334, dup2029]),
});

// Signature-style message: product, signature id, description (context), addresses and interface.
var msg813 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup253, dup2030]),
});

// "area ... lsid ... mask ... adv ... type ..." record; all values go to generic fld1..fld5.
var msg814 = match({
  dissect: { tokenizer: "area %{fld1} lsid %{fld2} mask %{fld3} adv %{fld4} type %{fld5}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2031]),
});

// Composite matchers; their patterns are in the referenced dupNNN processors.
var all370 = all_match({
  processors: [dup2032, dup2033],
  on_success: processor_chain([dup33, dup2034]),
});

var all371 = all_match({
  processors: [dup12, dup4, dup829],
  on_success: processor_chain([dup33, dup2035]),
});
// Fragment record allocation failure: both address/port pairs.
var msg815 = match({
  dissect: { tokenizer: "IPFRAG: Unable to allocate frag record for %{saddr}/%{sport} to %{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup168, dup2036]),
});

// Fixed-text message; the trailing %{} is an unnamed key and no field is extracted.
var msg816 = match({
  dissect: { tokenizer: "LU recv thread up%{}", field: "nwparser.payload" },
  on_success: processor_chain([dup131, dup2037]),
});

// Composite matcher; patterns are in dup249, dup250 and dup2038.
var all372 = all_match({
  processors: [dup249, dup250, dup2038],
  on_success: processor_chain([dup33, dup2039]),
});

// Certificate-related message: leading text goes to action, the issuer name to dn.
var msg817 = match({
  dissect: { tokenizer: "%{action} Issuer: %{dn}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup2040]),
});

// Missing transform set; the leading name is kept in fld2.
var msg818 = match({
  dissect: { tokenizer: "%{fld2} Doesn't have a transform set specified", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup2041]),
});

// Unmatched GTP request: version/type in fld2/fld3, then both interface:address/port pairs.
var msg819 = match({
  dissect: { tokenizer: "No matching request to process GTPv %{fld2} %{fld3} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup2042]),
});

// PPP packet with an invalid protocol value.
var msg820 = match({
  dissect: { tokenizer: "PPP virtual interface %{interface} rcvd pkt with invalid protocol: %{protocol}", field: "nwparser.payload" },
  on_success: processor_chain([dup1, dup2043]),
});

// Group/address form without a comma after the group name; ends on a literal full stop.
var msg821 = match({
  dissect: { tokenizer: "Group = %{group} IP = %{saddr}, %{action}.", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup2044]),
});

// Tunnel Manager entry removed; remaining text kept in result.
var msg822 = match({
  dissect: { tokenizer: "Tunnel Manager Removed entry. %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup2045]),
});

// Per-host TCP connection limit exceeded: the limit, the host address and the interface.
var msg823 = match({
  dissect: { tokenizer: "TCP connection limit of %{dclass_counter1} for host %{hostip} on %{interface} exceeded", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2046]),
});

// Signature-style message: product, signature id, description (context), addresses and interface.
var msg824 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup794, dup2047]),
});
// Composite matcher with seven sub-matchers, all defined elsewhere in the file.
var all373 = all_match({
  processors: [dup63, dup64, dup65, dup66, dup2048, dup499, dup2049],
  on_success: processor_chain([dup10, dup2050]),
});

// Timestamp-prefixed line "name: [tag] text"; name and tag go to generic fld6/fld7.
var msg825 = match({
  dissect: { tokenizer: "%{fld1} %{fld2} %{fld3}:%{fld4}:%{fld5} %{fld6}: [%{fld7}] %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup1841, dup2051]),
});

// Composite matcher; patterns are in dup2052, dup802 and dup2053..dup2055.
var all374 = all_match({
  processors: [dup2052, dup802, dup2053, dup2054, dup2055],
  on_success: processor_chain([dup2056, dup2057]),
});

// Deny for a connection marked for deletion: protocol, both address/port pairs,
// the flags text (stored in network_service) and the interface.
var msg826 = match({
  dissect: { tokenizer: "Deny %{protocol} (Connection marked for Deletion) from %{saddr}/%{sport} to %{daddr}/%{dport} flags %{network_service} on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup2058]),
});

// Alternatives for one message id; presumably tried in list order (confirm
// against the linear_select definition).
var select156 = linear_select([all374, msg826]);
// Six composite variants that all run dup579 on success. The tokenizers are in
// the referenced dupNNN processors and are not visible from this section.
var all375 = all_match({
  processors: [dup1609, dup1610, dup2059, dup2060],
  on_success: processor_chain([dup579, dup2061]),
});

var all376 = all_match({
  processors: [dup2062, dup2063],
  on_success: processor_chain([dup579, dup2064]),
});

var all377 = all_match({
  processors: [dup1609, dup2065, dup2066, dup2067],
  on_success: processor_chain([dup579, dup2068]),
});

var all378 = all_match({
  processors: [dup2069, dup2070],
  on_success: processor_chain([dup579, dup2071]),
});

var all379 = all_match({
  processors: [dup1609, dup2072, dup2073, dup2074],
  on_success: processor_chain([dup579, dup2075]),
});

var all380 = all_match({
  processors: [dup2076, dup2077],
  on_success: processor_chain([dup579, dup2078]),
});

// Order is kept exactly as generated; presumably the first matching variant
// wins (confirm against the linear_select definition).
var select157 = linear_select([all375, all376, all377, all378, all379, all380]);
// TCP packet injection failure: both address/port pairs.
var msg827 = match({
  dissect: { tokenizer: "Failed to inject TCP packet from %{saddr}/%{sport} to %{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup2079]),
});

// Two composite variants that both run dup68 on success; their patterns are in
// the referenced dupNNN processors.
var all381 = all_match({
  processors: [dup12, dup4, dup2080],
  on_success: processor_chain([dup68, dup2081]),
});

var all382 = all_match({
  processors: [dup99, dup2082],
  on_success: processor_chain([dup68, dup2083]),
});

var select158 = linear_select([all381, all382]);

// Composite matcher; patterns are in dup127, dup64 and dup2084.
var all383 = all_match({
  processors: [dup127, dup64, dup2084],
  on_success: processor_chain([dup285, dup2085]),
});

// Catch-all: whole payload kept as event_description.
var msg828 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup220, dup2086]),
});
// Smart Call Home DNS hint; the quoted command text is captured as action.
var msg829 = match({
  dissect: { tokenizer: "To ensure Smart Call Home can properly communicate with Cisco, use the command \"%{action}\" to configure at least one DNS server.", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup2087]),
});

// "(context) text".
var msg830 = match({
  dissect: { tokenizer: "(%{context}) %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup861, dup2088]),
});

// ICMP error with no matching connection: both interface:address pairs, ICMP
// type/code, the receiving interface, and the quoted original payload in info.
var msg831 = match({
  dissect: { tokenizer: "No matching connection for ICMP error message: icmp src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode}) on %{interface} interface. Original IP payload:%{info}.", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup2089]),
});

// "(WebVPN-context) text".
var msg832 = match({
  dissect: { tokenizer: "(WebVPN-%{context}) %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup2090]),
});

// SSL handshake failure, client form: interface plus both address/port pairs.
var msg833 = match({
  dissect: { tokenizer: "Device failed SSL handshake with client %{interface}:%{saddr}/%{sport} to %{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup2091, dup2092]),
});

// SSL handshake failure, short form: a single peer, stored as hostip/network_port
// rather than saddr/sport.
var msg834 = match({
  dissect: { tokenizer: "Device failed SSL handshake with %{interface}:%{hostip}/%{network_port}", field: "nwparser.payload" },
  on_success: processor_chain([dup2091, dup2093]),
});

// The two forms put the peer in different fields (saddr versus hostip), so a
// query for handshake failures by peer address has to cover both, unless one of
// the dupNNN processors already maps them together (not visible here).
var select159 = linear_select([msg833, msg834]);
// Power supply fan failure; the supply number is kept in dclass_counter1.
var msg835 = match({
  dissect: { tokenizer: "Power Supply %{dclass_counter1}: Fan Failure Detected", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2094]),
});

// Composite matcher; patterns are in dup2095..dup2097 and dup161.
var all384 = all_match({
  processors: [dup2095, dup2096, dup2097, dup161],
  on_success: processor_chain([dup2098, dup2099]),
});

// "(VPN-context) text".
var msg836 = match({
  dissect: { tokenizer: "(VPN-%{context}) %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup131, dup2100]),
});

// Same tokenizer as msg836 with different on_success processors.
var msg837 = match({
  dissect: { tokenizer: "(VPN-%{context}) %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup41, dup2101]),
});

// Composite matcher with a single sub-matcher (dup2102).
var all385 = all_match({
  processors: [dup2102],
  on_success: processor_chain([dup1540, dup2103]),
});

// Two composite variants that differ only in their last sub-matcher
// (dup1473 versus dup1475).
var all386 = all_match({
  processors: [dup823, dup1472, dup1473],
  on_success: processor_chain([dup33, dup2104]),
});

var all387 = all_match({
  processors: [dup823, dup1472, dup1475],
  on_success: processor_chain([dup33, dup2105]),
});

var select160 = linear_select([all386, all387]);
// Packet with a missing payload; the expected payload name is kept in fld1.
var msg838 = match({
  dissect: { tokenizer: "Received packet with missing payload, Expected payload: %{fld1}", field: "nwparser.payload" },
  on_success: processor_chain([dup43, dup2106]),
});

// "(VPN-context) text".
var msg839 = match({
  dissect: { tokenizer: "(VPN-%{context}) %{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2107]),
});

// Composite matchers; their patterns are in the referenced dupNNN processors.
var all388 = all_match({
  processors: [dup2108, dup2109],
  on_success: processor_chain([dup14, dup2110]),
});

var all389 = all_match({
  processors: [dup2111, dup2112],
  on_success: processor_chain([dup14, dup2113]),
});

// Content-type verification failure: signature id, list number, both addresses.
var msg840 = match({
  dissect: { tokenizer: "%{sigid} Content type does not match specified type - %{listnum} Content Verification Failed from %{saddr} to %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup27, dup2114]),
});

// XGRE packet received before the PPTP session was established: tunnel id (fld1) and session id.
var msg841 = match({
  dissect: { tokenizer: "PPTP session state not established, but received an XGRE packet, tunnel_id=%{fld1}, session_id=%{sessionid}", field: "nwparser.payload" },
  on_success: processor_chain([dup1, dup2115]),
});

// Two composite variants that differ only in their last sub-matcher
// (dup653 versus dup655).
var all390 = all_match({
  processors: [dup651, dup2116, dup653],
  on_success: processor_chain([dup68, dup2117]),
});

var all391 = all_match({
  processors: [dup651, dup2116, dup655],
  on_success: processor_chain([dup68, dup2118]),
});

var select161 = linear_select([all390, all391]);
// Signature-style message: product, signature id, description (context), addresses and interface.
var msg842 = match({
  dissect: { tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup168, dup2119]),
});

// Module reload failure. The pattern has no literal space around fld1, so the
// captured slot value keeps whatever whitespace the device emits there.
var msg843 = match({
  dissect: { tokenizer: "Module in slot%{fld1}is not able to reload.%{space}Module Error:%{fld2} %{data}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2120]),
});

// HTTP protocol violation: signature id, list number, both addresses.
var msg844 = match({
  dissect: { tokenizer: "%{sigid} HTTP protocol violation detected - %{listnum} HTTP Protocol not detected from %{saddr} to %{daddr}", field: "nwparser.payload" },
  on_success: processor_chain([dup27, dup2121]),
});

// Generic "Group = ..., IP = ..., text" form with the tail kept in info.
var msg845 = match({
  dissect: { tokenizer: "Group = %{group}, IP = %{saddr}, %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup2122]),
});

// Fixed-text message; the trailing %{} is an unnamed key and no field is extracted.
var msg846 = match({
  dissect: { tokenizer: "Power Supply Unit Redundancy OK%{}", field: "nwparser.payload" },
  on_success: processor_chain([dup29, dup2123]),
});

// Clock change record: the source address plus the before/after values
// (change_old/change_new), which matter when reconciling event timelines.
var msg847 = match({
  dissect: { tokenizer: "CLOCK: %{fld1}, source: %{fld2}, IP: %{saddr}, before: %{change_old}, after: %{change_new}", field: "nwparser.payload" },
  on_success: processor_chain([dup349, dup2124]),
});

// Composite matcher; patterns are in dup2125 and dup2126.
var all392 = all_match({
  processors: [dup2125, dup2126],
  on_success: processor_chain([dup2127, dup2128]),
});

// Embryonic connection limit exceeded: the two counters (fld1/fld2), direction,
// both address/port pairs and the interface.
var msg848 = match({
  dissect: { tokenizer: "Embryonic connection limit exceeded %{fld1}/%{fld2} for %{direction} packet from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2129]),
});

// Catch-all: whole payload kept as event_description.
var msg849 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup2130, dup2131]),
});
// ISAKMP phase 1 SA created, responder side: the local endpoint is stored as
// the destination (daddr/dport) and the remote peer as the source.
var msg850 = match({
  dissect: { tokenizer: "ISAKMP Phase 1 SA created (local %{daddr}/%{dport} (responder), remote %{saddr}/%{sport}, %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup357, dup2132]),
});

// Initiator side: the local endpoint is stored as the source and the remote
// peer as the destination, so source always means the side that initiated.
var msg851 = match({
  dissect: { tokenizer: "ISAKMP Phase 1 SA created (local %{saddr}/%{sport} (initiator), remote %{daddr}/%{dport}, %{info}", field: "nwparser.payload" },
  on_success: processor_chain([dup357, dup2133]),
});

// The literal "(responder)" / "(initiator)" text decides which variant fits.
var select162 = linear_select([msg850, msg851]);

// Composite matchers; their patterns are in the referenced dupNNN processors.
var all393 = all_match({
  processors: [dup207, dup208, dup209],
  on_success: processor_chain([dup10, dup2134]),
});

var all394 = all_match({
  processors: [dup127, dup64, dup2135, dup2136],
  on_success: processor_chain([dup55, dup2137]),
});

// Catch-all: whole payload kept as event_description.
var msg852 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2138]),
});

// Three composite variants sharing the dup12/dup4 prefix and dup68 on success;
// only the last sub-matcher differs.
var all395 = all_match({
  processors: [dup12, dup4, dup2139],
  on_success: processor_chain([dup68, dup2140]),
});

var all396 = all_match({
  processors: [dup12, dup4, dup2141],
  on_success: processor_chain([dup68, dup2142]),
});

var all397 = all_match({
  processors: [dup12, dup4, dup2143],
  on_success: processor_chain([dup68, dup2144]),
});

var select163 = linear_select([all395, all396, all397]);
// Connection moved to non-proxy mode: both interface:address/port pairs and the reason.
var msg853 = match({
  dissect: { tokenizer: "Moving connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} to non-proxy mode - %{result}", field: "nwparser.payload" },
  on_success: processor_chain([dup16, dup2145]),
});

// "(VPN-context) text (function=..., line=...)."; function and line go to fld1/fld2.
var msg854 = match({
  dissect: { tokenizer: "(VPN-%{context}) %{event_description} (function=%{fld1}, line=%{fld2}).", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2146]),
});

// Composite matcher; patterns are in dup2147..dup2149.
var all398 = all_match({
  processors: [dup2147, dup2148, dup2149],
  on_success: processor_chain([dup14, dup2150]),
});

// Catch-all: whole payload kept as event_description.
var msg855 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2151]),
});

// Catch-all: whole payload kept as event_description.
var msg856 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup2152]),
});

// Composite matchers; their patterns are in the referenced dupNNN processors.
var all399 = all_match({
  processors: [dup2153, dup2154],
  on_success: processor_chain([dup579, dup2155]),
});

var all400 = all_match({
  processors: [dup12, dup4, dup2156],
  on_success: processor_chain([dup55, dup2157]),
});

var all401 = all_match({
  processors: [dup2158, dup2159],
  on_success: processor_chain([dup55, dup2160]),
});

// "IP = address , text"; note the literal space before the comma.
var msg857 = match({
  dissect: { tokenizer: "IP = %{saddr} , %{action}", field: "nwparser.payload" },
  on_success: processor_chain([dup1, dup2161]),
});

// Composite matcher with a single sub-matcher (dup2162).
var all402 = all_match({
  processors: [dup2162],
  on_success: processor_chain([dup93, dup2163]),
});

// Order kept as generated; presumably first match wins (confirm against the
// linear_select definition).
var select164 = linear_select([all400, all401, msg857, all402]);
// Composite matcher; patterns are in dup31 and dup352.
var all403 = all_match({
  processors: [dup31, dup352],
  on_success: processor_chain([dup33, dup2164]),
});

// Catch-all: whole payload kept as event_description.
var msg858 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup338, dup2165]),
});

// Authorization denied because the session was not authenticated: both address/port pairs.
var msg859 = match({
  dissect: { tokenizer: "Authorization denied from %{saddr}/%{sport} to %{daddr}/%{dport} (not authenticated)", field: "nwparser.payload" },
  on_success: processor_chain([dup256, dup2166]),
});

// Orphan IP notice: reporting function name (fld1), host address, interface.
var msg860 = match({
  dissect: { tokenizer: "%{fld1}(): Orphan IP %{hostip} on interface %{interface}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup2167]),
});

// Catch-all: whole payload kept as event_description.
var msg861 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup369, dup2168]),
});

// H225 message with a bad protocol discriminator; the discriminator value is stored in protocol.
var msg862 = match({
  dissect: { tokenizer: "H225 message from %{saddr}/%{sport} to %{daddr}/%{dport} contains bad protocol discriminator %{protocol}", field: "nwparser.payload" },
  on_success: processor_chain([dup489, dup2169]),
});

// Composite matcher; patterns are in dup2170..dup2172.
var all404 = all_match({
  processors: [dup2170, dup2171, dup2172],
  on_success: processor_chain([dup93, dup2173]),
});

// IPS drop request, ICMP form: interface:address for both ends plus ICMP type/code.
var msg863 = match({
  dissect: { tokenizer: "IPS requested to drop %{protocol} packets %{sinterface}:%{saddr} to %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup2174]),
});

// Drop request with ports.
// NOTE(review): unlike msg863 there is no literal "to" between the source and
// destination here. If the device emits one, dinterface would absorb it
// ("to ifname"); confirm against sample logs.
var msg864 = match({
  dissect: { tokenizer: "%{service} requested to drop %{protocol} packet from %{sinterface}:%{saddr}/%{sport} %{dinterface}:%{daddr}/%{dport}", field: "nwparser.payload" },
  on_success: processor_chain([dup61, dup2175]),
});

var select165 = linear_select([msg863, msg864]);
// Fixed-text message; the trailing %{} is an unnamed key and no field is extracted.
var msg865 = match({
  dissect: { tokenizer: "VPNClient: NAT exemption configured for Network Extension Mode with no split tunneling%{}", field: "nwparser.payload" },
  on_success: processor_chain([dup121, dup2176]),
});

// Authentication failed because every server failed: source address,
// destination address/port and the interface (stored in sinterface).
var msg866 = match({
  dissect: { tokenizer: "Auth from %{saddr} to %{daddr}/%{dport} failed (all servers failed) on interface %{sinterface}", field: "nwparser.payload" },
  on_success: processor_chain([dup183, dup2177]),
});

// Composite alternative for the same message id; patterns are in the
// referenced dupNNN processors.
var all405 = all_match({
  processors: [dup2178, dup2179, dup757, dup2180, dup2181, dup2182],
  on_success: processor_chain([dup334, dup2183]),
});

// The fixed-text form is listed before the composite one.
var select166 = linear_select([msg866, all405]);

// Unlike the other matchers this one reads nwparser.p1, not nwparser.payload,
// and has no on_success chain. It is used as the last stage of all406 below;
// nwparser.p1 is presumably filled by an earlier stage (dup2184/dup2185).
var msg867 = match({
  dissect: { tokenizer: "%{service}", field: "nwparser.p1" },
});

// msg867 must be defined before this statement: its value is read when the
// processors array is built.
var all406 = all_match({
  processors: [dup2184, dup2185, msg867],
  on_success: processor_chain([dup288, dup2186]),
});
// "IP = <addr>, <free text>": the peer address is structured, everything after
// the comma is kept as one free-text description.
var msg868 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup2187]),
});

// Image checksum error during a copy. Source and destination names are quoted
// in the message; the destination goes to the generic key fld22.
// An integrity failure on a firmware image is worth alerting on.
var msg869 = match({
  dissect: {
    tokenizer: "UPDATE: ASA image checksum error copying '%{filename}' to '%{fld22}'",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup486, dup2188]),
});
// Catch-all: the whole payload becomes event_description. No structure is
// validated here, so any text routed to this matcher is accepted verbatim.
var msg870 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2189]),
});

// Duplicate-address report: address, MAC and interface are extracted.
// The address key is hostip_v6, so the pattern is written for IPv6 addresses.
var msg871 = match({
  dissect: {
    tokenizer: "Duplicate address %{hostip_v6}/%{macaddr} on %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup378, dup2190]),
});
// Signature-style event: "<product>:<sigid> <context> from <src> to <dst> on
// interface <ifc>". The same tokenizer is reused by several other matchers in
// this file; they differ only in their on_success processors.
var msg872 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup597, dup2191]),
});

// Catch-all: entire payload stored as event_description.
var msg873 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup378, dup2192]),
});

// Catch-all: entire payload stored as event_description.
var msg874 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup41, dup2193]),
});
// Keepalive monitor start: captures the peer address and the interval.
// The literal " sec." must follow the duration for the pattern to match.
var msg875 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, Starting IOS keepalive monitor: %{duration} sec.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup2194]),
});
// Generic "<group>-<level>-<msgid>: <rest>" header. The rest of the line is
// kept in fld and is not parsed further here.
var msg876 = match({
  dissect: {
    tokenizer: "%{group}-%{level}-%{p_msgid}: %{fld}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup2195, dup2196]),
});

// Same header without the leading group component.
var msg877 = match({
  dissect: {
    tokenizer: "%{level}-%{p_msgid}: %{fld}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup2195, dup2197]),
});

// NOTE(review): both patterns split on "-", so a header with two dashes can
// satisfy either one; the three-part form is listed first. Confirm that
// linear_select is first-match-wins so level/p_msgid are assigned as intended.
var select167 = linear_select([msg876, msg877]);
// Composite matcher; the three sub-patterns are defined elsewhere in the file.
var all407 = all_match({
  processors: [dup1605, dup1606, dup2198],
  on_success: processor_chain([dup473, dup2199]),
});

// Signature-style event (shared tokenizer). msg878 and msg879 parse the same
// shape and differ only in which processors run afterwards.
var msg878 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup168, dup2200]),
});

var msg879 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup170, dup2201]),
});
// ESP packet carrying an illegal IP fragment.
// NOTE(review): the SPI value is captured under the key `protocol`, so
// downstream rules that read `protocol` will see an SPI for this message.
// NOTE(review): `username` ends at the first ")"; a user name that itself
// contains ")" would shift the following captures. Treat the extracted values
// as untrusted text.
var msg880 = match({
  dissect: {
    tokenizer: "IPSEC: Received an ESP packet (SPI= %{protocol}, sequence number=%{fld1}) from %{saddr} (user=%{username}) to %{daddr} containing an illegal IP fragment of length %{dclass_counter1} with offset %{dclass_counter2}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1, dup2202]),
});
// Structured form: seven sub-patterns, all defined elsewhere in this file.
var all408 = all_match({
  processors: [
    dup2203, dup2204, dup2205, dup1916, dup1917, dup1918, dup2206,
  ],
  on_success: processor_chain([dup33, dup2207]),
});

// Fallback: keeps the whole payload as event_description.
var msg881 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup2208]),
});

// Structured parse first, catch-all second. With the catch-all in place this
// selector never fails, so unexpected variants of the message are still
// ingested - but only as free text, without the structured fields.
var select168 = linear_select([all408, msg881]);
// Successful certificate chain validation; whatever follows the fixed text is
// stored unparsed in `info`.
var msg882 = match({
  dissect: {
    tokenizer: "Certificate chain was successfully validated %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1397, dup2209]),
});

// Composite matcher; its five sub-patterns are defined elsewhere in the file.
var all409 = all_match({
  processors: [dup63, dup64, dup65, dup224, dup2210],
  on_success: processor_chain([dup93, dup2211]),
});
// VLAN mapping enabled for a VPN user: group, user, address and VLAN.
// NOTE(review): "\u003c\u003c" decodes to two "<" characters, while each value
// is closed by a single ">". If the doubled "<" is a leftover escape from the
// parser this file was generated from, a line formatted as "Group <name> ..."
// would not match - verify against a sample log.
var msg883 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e VLAN Mapping is enabled on VLAN \u003c\u003c%{instance}\u003e",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup2212]),
});
// Oversized IP fragment report.
// NOTE(review): the fragment size and the maximum size are captured under the
// keys `icmptype` and `icmpcode`. Rules or dashboards keyed on ICMP type/code
// will therefore see byte counts for this message - account for that
// downstream or rename the keys at the source of generation.
var msg884 = match({
  dissect: {
    tokenizer: "Invalid IP fragment, size = %{icmptype} exceeds maximum size = %{icmpcode}: %{space} src = %{saddr}, dest = %{daddr}, proto = %{protocol}, id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2213]),
});
// Fixed-text VPN client message (PFS policy installed); nothing is extracted.
var msg885 = match({
  dissect: {
    tokenizer: "VPNClient: Perfect Forward Secrecy Policy installed%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup121, dup2214]),
});

// Catch-all: entire payload stored as event_description.
var msg886 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup131, dup2215]),
});

// "(VPN-<context>) <free text>": only the context tag is structured.
var msg887 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup131, dup2216]),
});

// Fixed-text IKEv2 message (no proposal specified); nothing is extracted.
var msg888 = match({
  dissect: {
    tokenizer: "IKEv2 Doesn't have a proposal specified%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup2217]),
});

// Catch-all: entire payload stored as event_description.
var msg889 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2218]),
});
// ARP resolution failure for a single host.
var msg890 = match({
  dissect: {
    tokenizer: "No ARP for host %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2219]),
});

// Egress interface lookup failure. Only the source side carries an interface
// name; the destination is address/port only.
var msg891 = match({
  dissect: {
    tokenizer: "Failed to locate egress interface for %{protocol} from %{sinterface}:%{saddr}/%{sport} to %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2220]),
});

// The two patterns have different literal prefixes, so at most one can match.
var select169 = linear_select([msg890, msg891]);
// Command privilege level change. The three values are kept in generic keys
// (fld1 = Var, fld2 = Cmd, fld3 = Priv level), so audit queries for privilege
// changes need to read fld1..fld3 unless a later processor renames them.
var msg892 = match({
  dissect: {
    tokenizer: "Cmd priv level changed: Var: %{fld1} Cmd: %{fld2} Priv level: %{fld3}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup166, dup2221]),
});

// Fixed-text variant: a user is transitioning privilege level. No user name or
// level is present in the pattern, so none is extracted here.
var msg893 = match({
  dissect: {
    tokenizer: "User transitioning priv level%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup166, dup2222]),
});

var select170 = linear_select([msg892, msg893]);
// Tail matcher over the intermediate field nwparser.p3: "<info>/<result>:
// <free text>". No on_success; used only as the final step of all410.
var msg894 = match({
  dissect: {
    tokenizer: "%{info}/%{result}: %{event_description}",
    field: "nwparser.p3",
  },
});

// dup2223..dup2226 are defined elsewhere; presumably they produce nwparser.p3
// for msg894 - confirm at their definitions.
var all410 = all_match({
  processors: [dup2223, dup2224, dup2225, dup2226, msg894],
  on_success: processor_chain([dup55, dup2227]),
});
// Two composite matchers. Every dupNNN referenced here is defined elsewhere in
// this file; nothing about the matched text is visible at this point.
var all411 = all_match({
  processors: [dup2228, dup1670],
  on_success: processor_chain([dup2229, dup2230]),
});

var all412 = all_match({
  processors: [dup1807, dup4, dup2231],
  on_success: processor_chain([dup33, dup2232]),
});
// Link-down notification: "(<context>) Link status 'Down' on interface <ifc>".
// The single quotes around Down are literal and must be present in the log.
var msg895 = match({
  dissect: {
    tokenizer: "(%{context}) Link status 'Down' on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup861, dup2233]),
});

// Composite matcher; its five sub-patterns are defined elsewhere in the file.
var all413 = all_match({
  processors: [dup249, dup250, dup632, dup453, dup2234],
  on_success: processor_chain([dup33, dup2235]),
});
// Malformed transport header: protocol plus both endpoints (address/port).
var msg896 = match({
  dissect: {
    tokenizer: "Invalid transport field for protocol=%{protocol}, from %{saddr}/%{sport} to %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup489, dup2236]),
});

// Peer deletion: the address sits inside literal square brackets. The text
// between "Deleted peer " and " [" is captured under the key `space`.
var msg897 = match({
  dissect: {
    tokenizer: "Deleted peer %{space} [%{saddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup2237]),
});
// Composite matcher. It shares its first two sub-patterns (dup1605, dup1606)
// and its first on_success processor (dup473) with all407 earlier in the file.
var all414 = all_match({
  processors: [dup1605, dup1606, dup2238, dup2239],
  on_success: processor_chain([dup473, dup2240]),
});
// Two composite forms followed by a simple one; select171 tries them in the
// order listed.
var all415 = all_match({
  processors: [dup173, dup2241],
  on_success: processor_chain([dup288, dup2242]),
});

var all416 = all_match({
  processors: [dup2243, dup4, dup2244],
  on_success: processor_chain([dup288, dup2245]),
});

// "<dst> <action> <src>:<url>". `url` is the final key, so it presumably takes
// the remainder of the line. URL text is requester-controlled: handle it as
// untrusted when it is rendered or fed into queries downstream.
var msg898 = match({
  dissect: {
    tokenizer: "%{daddr} %{action} %{saddr}:%{url}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup222, dup2246]),
});

var select171 = linear_select([all415, all416, msg898]);
// Signature-style events (shared tokenizer); msg899 and msg900 differ only in
// their on_success processors.
var msg899 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup168, dup2247]),
});

var msg900 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup170, dup2248]),
});

// State-machine trace line. The state, event and function names are stored
// under the keys category, obj_type and application respectively.
var msg901 = match({
  dissect: {
    tokenizer: "State machine function trace: state=%{category}, event=%{obj_type}, func=%{application}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup2249]),
});
// Composite matcher; sub-patterns defined elsewhere in the file.
var all417 = all_match({
  processors: [dup854, dup855],
  on_success: processor_chain([dup141, dup2250]),
});

// Catch-all: entire payload stored as event_description.
var msg902 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2251]),
});

// Failed UDP connection setup. Endpoints are written "addr:port" here (colon,
// not slash) and there is no "to" between them.
var msg903 = match({
  dissect: {
    tokenizer: "LU make UDP connection for %{saddr}:%{sport} %{daddr}:%{dport} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup2252]),
});

// Composite matcher; sub-patterns defined elsewhere in the file.
var all418 = all_match({
  processors: [dup2253, dup2254],
  on_success: processor_chain([dup33, dup2255]),
});
// Signature-style event (shared tokenizer).
var msg904 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup168, dup2256]),
});

// "(VPN-<context>) <free text>." - this variant requires the trailing period.
var msg905 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup2257]),
});

// Same shape without the trailing period.
var msg906 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup378, dup2258]),
});
// SGT-map binding added. "\u003e" decodes to ">", so the literal separator
// between the first pair and fld1 is "->".
// NOTE(review): the value after "/" is stored as `sport`; confirm whether the
// device prints a port there before using it as one.
var msg907 = match({
  dissect: {
    tokenizer: "CTS SGT-MAP: Binding %{saddr}/%{sport}-\u003e%{fld1}:%{group} from %{fld2} added to binding manager.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2259]),
});

// Catch-all: entire payload stored as event_description.
var msg908 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup761, dup2260]),
});

// Catch-all: entire payload stored as event_description.
var msg909 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2261]),
});
// "IP = <addr>, <action> for peer <fld1>. <fld2>": peer identity and the
// trailing detail stay in generic keys.
var msg910 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{action} for peer %{fld1}. %{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup2262]),
});

// Connection allocation failure - a resource-exhaustion indicator. Endpoints
// are enclosed in parentheses and joined by "-".
var msg911 = match({
  dissect: {
    tokenizer: "Unable to allocate new %{protocol} connections (%{saddr}/%{sport}-%{daddr}/%{dport})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup2263]),
});
// Composite matcher; sub-patterns defined elsewhere in the file.
var all419 = all_match({
  processors: [dup2264, dup4, dup2265],
  on_success: processor_chain([dup1838, dup2266]),
});

// Conduit teardown: interfaces and addresses on both sides, the IP version
// (kept in fld1) and the protocol. No ports appear in this message.
var msg912 = match({
  dissect: {
    tokenizer: "Teardown conduit from %{sinterface}:%{saddr} to %{dinterface}:%{daddr} IP version %{fld1} protocol %{protocol}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup430, dup2267]),
});

// Composite matcher; sub-patterns defined elsewhere in the file.
var all420 = all_match({
  processors: [dup249, dup250, dup2268],
  on_success: processor_chain([dup33, dup2269]),
});
// Skinny secondary-channel pre-allocation. The two variants differ in which
// side carries a port: msg913 has a source port, msg914 a destination port.
var msg913 = match({
  dissect: {
    tokenizer: "Pre-allocate Skinny %{fld1} secondary channel for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr} from %{info} message",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup2270]),
});

var msg914 = match({
  dissect: {
    tokenizer: "Pre-allocate Skinny %{fld1} secondary channel for %{sinterface}:%{saddr} to %{dinterface}:%{daddr}/%{dport} from %{info} message",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup2271]),
});

// NOTE(review): a line with a port on both sides fits neither pattern cleanly;
// check how the parser library handles that before trusting saddr/daddr here.
var select172 = linear_select([msg913, msg914]);
// VLAN mapping result for a VPN user. msg915 is the plain form; msg916 is the
// same text with a trailing " failed".
// NOTE(review): "\u003c\u003c" decodes to two "<" characters before each value
// while the closing side is a single ">". If the doubling is a leftover escape
// from the source parser, lines written as "Group <name> ..." will not match -
// verify against a sample log.
var msg915 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e VLAN Mapping to VLAN \u003c\u003c%{instance}\u003e",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup2272]),
});

// Failure variant. The only textual difference from msg915 is the suffix, so
// the success and failure cases must be told apart by how each is selected
// upstream (not visible in this part of the file).
var msg916 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e VLAN Mapping to VLAN \u003c\u003c%{instance}\u003e failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2273]),
});
// Auth-proxy connection limit exceeded by one source address; the configured
// maximum is kept in fld2.
var msg917 = match({
  dissect: {
    tokenizer: "User at %{saddr} exceeded auth proxy connection limit (max %{fld2})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup2274, dup2275]),
});

// Connection limit exceeded: the "<fld1>/<fld2>" pair precedes the direction
// and both endpoints. Useful for spotting floods against a single target.
var msg918 = match({
  dissect: {
    tokenizer: "Connection limit exceeded %{fld1}/%{fld2} for %{direction} packet from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2276]),
});

// Denied FTP command; the command name is stored as `action`.
var msg919 = match({
  dissect: {
    tokenizer: "FTP %{action} command denied, terminating connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup2277]),
});
// Catch-all: entire payload stored as event_description.
var msg920 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup41, dup2278]),
});

// Configuration erase, attributed to a host address. A destructive
// administrative action - a good candidate for an always-on alert.
var msg921 = match({
  dissect: {
    tokenizer: "%{hostip} Erase configuration",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup761, dup2279]),
});
// Signature-style event (shared tokenizer).
var msg922 = match({
  dissect: {
    tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1275, dup2280]),
});

// Catch-all: entire payload stored as event_description.
var msg923 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup378, dup2281]),
});

// HTTP deobfuscation signature hit, described in the message text as an IPS
// evasion technique. Captures the signature id, a second identifier stored as
// listnum, and both addresses (no ports or interfaces).
var msg924 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP Deobfuscation signature detected - %{listnum} HTTP deobfuscation detected IPS evasion technique from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup27, dup2282]),
});
// Composite matcher. It differs from all413 earlier in the file only in its
// third and fifth sub-patterns and in the second on_success processor.
var all421 = all_match({
  processors: [dup249, dup250, dup452, dup453, dup2283],
  on_success: processor_chain([dup33, dup2284]),
});
// msg925..msg929 share one tokenizer: "(<context>)<free text>" with no space
// after the closing parenthesis. They differ only in the processors that run
// on success; dup2286..dup2289 are common to all five.
var msg925 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup1723, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg926 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup343, dup1532, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg927 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup343, dup935, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg928 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup343, dup344, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg929 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup343, dup840, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// "(<context>)<free text>" with a longer post-processing chain.
var msg930 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup1760, dup2290, dup2291, dup2292,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Variant that also extracts a numeric reason code; the literal ")." must
// close the line.
var msg931 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description} (reason code = %{resultcode}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup858, dup1551, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Failure variant: note the space after ")" (absent in the patterns above) and
// the literal " failed" suffix, which is not part of event_description.
var msg932 = match({
  dissect: {
    tokenizer: "(%{context}) %{event_description} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1890, dup2285, dup2286, dup2287, dup2288, dup2289, dup2293,
  ]),
});
// Success variant: the literal " OK" suffix is consumed by the pattern and
// then re-recorded as the constant disposition "OK" by the inline set_field.
var msg933 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description} OK",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1891, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.disposition",
      value: constant("OK"),
    }),
  ]),
});
// Call-Home family. Most of these write a fixed event_description via an
// inline set_field rather than capturing one from the log line. In this group
// the shared processors run in the order dup2288, dup2289, dup2286, dup2287
// (msg937 is the exception) - the order is kept exactly as generated.

// Module start; fixed text, nothing extracted.
var msg934 = match({
  dissect: {
    tokenizer: "Call-Home Module started%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1399, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Call-Home Module started"),
    }),
  ]),
});

// Event-processing notice; sub-patterns defined elsewhere in the file.
var all422 = all_match({
  processors: [dup1521, dup1522, dup1523],
  on_success: processor_chain([
    dup14, dup1524, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Call-Home is processing event"),
    }),
  ]),
});

// Delivery confirmation. The destination is captured as web_host, which makes
// this the record to consult when auditing where device telemetry was sent.
var msg935 = match({
  dissect: {
    tokenizer: "Call-Home %{info} message to %{web_host} delivered",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1564, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Call-Home message delivered"),
    }),
  ]),
});

// Client activity; the remainder of the line is stored as `action`.
var msg936 = match({
  dissect: {
    tokenizer: "Call-Home client %{action}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup647, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Call-Home client activity"),
    }),
  ]),
});

// DNS configuration hint. The suggested command is quoted in the message and
// captured as `action`; no event_description is set for this one.
var msg937 = match({
  dissect: {
    tokenizer: "To ensure Smart Call Home can properly communicate with Cisco, use the command \"%{action}\" to configure at least one DNS server.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup2087, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Anonymous reporting disabled or postponed by the user; sub-patterns are
// defined elsewhere in the file.
var all423 = all_match({
  processors: [dup2147, dup2148, dup2149],
  on_success: processor_chain([
    dup14, dup2150, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("User chose to disable or postpone call-home anonymous reporting"),
    }),
  ]),
});
// "(<context>) <free text>" - this one has a space after ")", the four below
// do not. A line is split differently depending on which form it is routed to,
// so a leading space may or may not end up inside event_description.
var msg938 = match({
  dissect: {
    tokenizer: "(%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup60, dup2286, dup2287, dup2288, dup2289, dup2293,
  ]),
});

var msg939 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup680, dup1542, dup2286, dup2287, dup2288, dup2289, dup2294,
  ]),
});

var msg940 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup680, dup681, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg941 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup268, dup1069, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg942 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup268, dup408, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Four near-identical shapes that attach a cause/result to the description.
// They differ only in punctuation: "(cause: ...)." with or without a leading
// space, and " - <result>" with or without a trailing period. The literals are
// exact, so a line must carry the same punctuation to match a given variant.

// No space before "(cause:".
var msg943 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}(cause: %{result}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup908, dup2290, dup2292, dup2291,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// " - <result>." with trailing period.
var msg944 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description} - %{result}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup909, dup2290, dup2292, dup2291, dup2285,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Space before "(cause:".
var msg945 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description} (cause: %{result}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup999, dup2290, dup2292, dup2291,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// " - <result>" without trailing period.
var msg946 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description} - %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup1000, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// msg947..msg950: "(<context>)<free text>" again; only the on_success chains
// differ. All referenced dupNNN processors are defined elsewhere in the file.
var msg947 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup133, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg948 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup1240, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg949 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup232, dup1706, dup2295, dup2290,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg950 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup685, dup2023, dup2296, dup2290,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Interface monitoring state. The state word ("waiting" / "normal") is a
// literal in each pattern, not a captured value; both variants end their
// chain with dup2297.
var msg951 = match({
  dissect: {
    tokenizer: "(%{context}) Monitoring on interface %{interface} waiting",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup551, dup2286, dup2287, dup2288, dup2289, dup2297,
  ]),
});

var msg952 = match({
  dissect: {
    tokenizer: "(%{context}) Monitoring on interface %{interface} normal",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup832, dup2286, dup2287, dup2288, dup2289, dup2297,
  ]),
});
// Failover / link-state events. Each captures the context tag and interface
// name and then writes a fixed event_description through an inline set_field.

// Loss of failover communication with the peer unit on a given interface.
var msg953 = match({
  dissect: {
    tokenizer: "(%{context}) Lost Failover communications with mate on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup858, dup1905, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Lost Failover communications with mate on interface"),
    }),
  ]),
});

// Link up.
var msg954 = match({
  dissect: {
    tokenizer: "(%{context}) Link status 'Up' on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup1879, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Link status Up"),
    }),
  ]),
});

// Link down. Same tokenizer and first two processors as msg895 earlier in the
// file; this variant adds the shared processors and a fixed description.
// Note the description constants differ in case ("Up" vs "down"), which
// matters for case-sensitive searches.
var msg955 = match({
  dissect: {
    tokenizer: "(%{context}) Link status 'Down' on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup861, dup2233, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Link status down"),
    }),
  ]),
});
// Composite matcher; sub-patterns defined elsewhere. Ends with dup2298, as
// does msg956 below.
var all424 = all_match({
  processors: [dup1935, dup895, dup1936],
  on_success: processor_chain([
    dup14, dup1937, dup2286, dup2287, dup2288, dup2289, dup2298,
  ]),
});

// Interface test result: the outcome word after the interface name is
// captured as `disposition` rather than matched as a literal.
var msg956 = match({
  dissect: {
    tokenizer: "(%{context}) Testing on interface %{interface} %{disposition}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1816, dup2286, dup2287, dup2288, dup2289, dup2298,
  ]),
});
// "(<context>)<free text>" variants. In msg957 and msg958 dup2294 runs between
// dup2287 and dup2288; the generated order is preserved exactly because the
// processors may depend on each other.
var msg957 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup243, dup1149, dup2286, dup2287, dup2294, dup2288, dup2289,
  ]),
});

var msg958 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup343, dup669, dup2286, dup2287, dup2294, dup2288, dup2289,
  ]),
});

var msg959 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup47, dup211, dup2290, dup2291,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Standby sync failure caused by a locked configuration. The description is a
// fixed constant; dup2294 runs after it is set. Sub-patterns are defined
// elsewhere in the file.
var all425 = all_match({
  processors: [dup2095, dup2096, dup2097, dup161],
  on_success: processor_chain([
    dup2098, dup2099, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Standby unit failed to sync due to a locked Config"),
    }),
    dup2294,
  ]),
});
// msg960..msg966: mostly catch-alls that keep the whole payload as
// event_description. Because these accept any text, the structured meaning of
// each event comes entirely from the on_success processors (defined elsewhere
// in the file), not from the log line.
var msg960 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup1286, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg961 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup861, dup1189, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Context-tagged form (no space after ")").
var msg962 = match({
  dissect: {
    tokenizer: "(%{context})%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup297, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg963 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup298, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg964 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup861, dup862, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Context-tagged form ending in "<fld1>, seq = <fld2>".
// NOTE(review): event_description and fld1 are separated only by a space, so
// where a multi-word description ends depends on the dissect implementation -
// check a sample before relying on fld1.
var msg965 = match({
  dissect: {
    tokenizer: "(%{context}) %{event_description} %{fld1}, seq = %{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1061, dup1170, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg966 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1061, dup1171, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// msg967 is a plain catch-all; msg968..msg973 use "(<context>) <free text>"
// with a space after ")". Only the on_success chains distinguish them.
var msg967 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup1439, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg968 = match({
  dissect: {
    tokenizer: "(%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup47, dup48, dup2290, dup2291, dup2299,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg969 = match({
  dissect: {
    tokenizer: "(%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup861, dup1434, dup2290, dup2291, dup2299,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg970 = match({
  dissect: {
    tokenizer: "(%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup268, dup269, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// dup2294 sits between dup2287 and dup2288 here and in msg973; order kept.
var msg971 = match({
  dissect: {
    tokenizer: "(%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1061, dup1062, dup2286, dup2287, dup2294, dup2288, dup2289,
  ]),
});

var msg972 = match({
  dissect: {
    tokenizer: "(%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup1933, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg973 = match({
  dissect: {
    tokenizer: "(%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup861, dup2088, dup2286, dup2287, dup2294, dup2288, dup2289,
  ]),
});
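// "Mate ... not compatible" parsers (the peer unit's mode or license
// differs from the local one).
// (Trailing table-cell residue stripped so the statements parse.)

// Captures the peer mode (fld1) and the local mode (fld2), then replaces the
// description with a fixed string so the event text is stable for searching.
var msg974 = match({
	dissect: {
		tokenizer: "(%{context}) Mate operational mode %{fld1} is not compatible with my mode %{fld2}.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup268,
		dup545,
		dup2290,
		dup2291,
		dup2299,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Mate operational mode is not compatible"),
		}),
	]),
});
// Multi-part match: dup459..dup463 (defined outside this view) must all
// succeed before the chain runs and the fixed description is set.
var all426 = all_match({
	processors: [
		dup459,
		dup460,
		dup461,
		dup462,
		dup463,
	],
	on_success: processor_chain([
		dup464,
		dup465,
		dup2290,
		dup2291,
		dup2299,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Mate license is not compatible"),
		}),
	]),
});
// Generic "(<context>) <free text>" parser.
var msg975 = match({
	dissect: {
		tokenizer: "(%{context}) %{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup343,
		dup1356,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
	]),
});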
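// Tail matcher for the "Mate card is different" message; it reads the
// intermediate field nwparser.p1, which an earlier step is expected to fill.
// (Trailing table-cell residue stripped so the statements parse.)
// NOTE(review): the tokenizer ends in "%{fld3}%{fld3}" - the same key twice
// with no literal text between the two. With delimiter-based dissection the
// first occurrence has nothing to bound it, so this looks like a generator
// artifact. Confirm the intended pattern against sample logs before relying
// on fld3.
var msg976 = match({
	dissect: {
		tokenizer: "%{fld1} card in slot %{fld2} which is different from my %{fld3}%{fld3}",
		field: "nwparser.p1",
	},
});
// dup123 and dup124 (outside this view) run first, then msg976 consumes the
// remainder. The description is normalised to a fixed string on success.
var all427 = all_match({
	processors: [
		dup123,
		dup124,
		msg976,
	],
	on_success: processor_chain([
		dup125,
		dup126,
		dup2290,
		dup2291,
		dup2299,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Mate card is different"),
		}),
	]),
});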
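// "<direction> <protocol> connection denied ... flags <flags>" parsers.
// (Trailing table-cell residue stripped so the statements parse.)

// Variant with the ingress interface at the end of the line.
var msg977 = match({
	dissect: {
		tokenizer: "%{direction} %{protocol} connection denied from %{saddr}/%{sport} to %{daddr}/%{dport} flags %{fld1} on interface %{interface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1387,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// Variant without the interface suffix.
// NOTE(review): the trailing %{fld1} is open-ended, so a line that does carry
// " on interface <name>" would presumably also match here, with the suffix
// folded into fld1 and `interface` left unset. Verify that whatever selects
// between the two (outside this view) tries msg977 first.
var msg978 = match({
	dissect: {
		tokenizer: "%{direction} %{protocol} connection denied from %{saddr}/%{sport} to %{daddr}/%{dport} flags %{fld1}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1388,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// Multi-part matches sharing the head matchers dup1133 and dup1134; they differ
// in the final matcher (dup1135 vs dup1137) and in whether dup2285 is applied.
var all428 = all_match({
	processors: [
		dup1133,
		dup1134,
		dup1135,
	],
	on_success: processor_chain([
		dup285,
		dup1136,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
var all429 = all_match({
	processors: [
		dup1133,
		dup1134,
		dup1137,
	],
	on_success: processor_chain([
		dup285,
		dup1138,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});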
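// Connection blocked because of Java applet content. Only addresses and the
// interface are captured (the message carries no ports), and the description
// is replaced with a fixed string.
// (Trailing table-cell residue stripped so the statement parses.)
var msg979 = match({
	dissect: {
		tokenizer: "Connection denied src %{saddr} dest %{daddr} due to JAVA Applet on interface %{interface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup486,
		dup1411,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Connection denied due to JAVA Applet on interface"),
		}),
	]),
});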
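// "Deny <direction> <protocol> from a/p to a/p ..." parsers.
// (Trailing table-cell residue stripped so the statements parse.)
// NOTE(review): msg981 ends on %{dport}, which is open-ended. Lines carrying
// the " on interface ..." or " due to DNS ..." suffix would presumably also
// match it, leaving the suffix inside dport. Verify the selection order
// (outside this view) tries msg980 and msg982 before msg981, and validate
// dport as numeric downstream.

// Variant with the interface suffix.
var msg980 = match({
	dissect: {
		tokenizer: "Deny %{direction} %{protocol} from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1096,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// Bare variant.
var msg981 = match({
	dissect: {
		tokenizer: "Deny %{direction} %{protocol} from %{saddr}/%{sport} to %{daddr}/%{dport}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1097,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// DNS-related denial; the text after "due to DNS" is kept in `info`.
var msg982 = match({
	dissect: {
		tokenizer: "Deny %{direction} %{protocol} from %{saddr}/%{sport} to %{daddr}/%{dport} due to DNS %{info}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1714,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});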
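// "Translation for ... denied by <direction>" parsers (address translation
// refused).
// (Trailing table-cell residue stripped so the statements parse.)

// Source-denied variant: the host address goes to `hostip`.
var msg983 = match({
	dissect: {
		tokenizer: "Translation for %{hostip} denied by %{direction} (source is denied) %{fld1}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1389,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2305,
	]),
});
// Generic variant.
// NOTE(review): this pattern is a superset of msg983 - if it were tried first,
// "(source is denied)" would end up in fld1. Verify the selection order
// outside this view.
var msg984 = match({
	dissect: {
		tokenizer: "Translation for %{hostip} denied by %{direction} %{fld1}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1390,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2305,
	]),
});
// Destination-denied variant: captures source address, destination address
// and destination port. The message carries no source port.
var msg985 = match({
	dissect: {
		tokenizer: "Translation for %{saddr} to %{daddr}/%{dport} denied by %{direction} (destination is denied) %{fld1}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1324,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2305,
	]),
});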
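// "Deny <direction> ... src <if>:<addr> dst <if>:<addr>" parsers.
// (Trailing table-cell residue stripped so the statements parse.)
// NOTE(review): msg989 is the least specific of the four. Given a line with
// ports it would presumably match too, leaving "addr/port" inside saddr and
// daddr. Verify the selection order (outside this view) and validate the
// address fields before using them for correlation.

// Variant with the literal word "protocol" before the protocol value.
var msg986 = match({
	dissect: {
		tokenizer: "Deny %{direction} protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1466,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// ICMP variant: also captures ICMP type and code, and appends dup2306
// (defined outside this view) to the chain.
var msg987 = match({
	dissect: {
		tokenizer: "Deny %{direction} icmp src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1467,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
		dup2306,
	]),
});
// Variant with ports on both sides.
var msg988 = match({
	dissect: {
		tokenizer: "Deny %{direction} %{protocol} src %{sinterface}:%{saddr}/%{sport} dst %{dinterface}:%{daddr}/%{dport}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1468,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// Port-less variant.
var msg989 = match({
	dissect: {
		tokenizer: "Deny %{direction} %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1469,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});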
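// "Deny <direction> (No xlate) ..." parsers: traffic dropped because no
// address translation applied.
// (Trailing table-cell residue stripped so the statements parse.)

// Variant with the literal word "protocol".
var msg990 = match({
	dissect: {
		tokenizer: "Deny %{direction} (No xlate) protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1012,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// Variant with ports on both sides.
var msg991 = match({
	dissect: {
		tokenizer: "Deny %{direction} (No xlate) %{protocol} src %{sinterface}:%{saddr}/%{sport} dst %{dinterface}:%{daddr}/%{dport}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1013,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// ICMP-style variant capturing type and code.
// NOTE(review): msg987 captures the same icmptype/icmpcode keys and appends
// dup2306 to its chain; this chain does not. Confirm whether the omission is
// intended.
var msg992 = match({
	dissect: {
		tokenizer: "Deny %{direction} (No xlate) %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1014,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// Minimal variant: only the direction is captured, so the resulting event
// has no address fields from the payload.
var msg993 = match({
	dissect: {
		tokenizer: "Deny %{direction} (No xlate)",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1015,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
	]),
});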
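// Multi-part match for an IP connection denial: dup1710..dup1712 (defined
// outside this view) must all succeed, after which the description is set to
// a fixed string.
// (Trailing table-cell residue stripped so the statement parses.)
var all430 = all_match({
	processors: [
		dup1710,
		dup1711,
		dup1712,
	],
	on_success: processor_chain([
		dup285,
		dup1713,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		set_field({
			dest: "nwparser.event_description",
			value: constant("IP connection denied"),
		}),
	]),
});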
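// Dropped ICMP echo requests. Both variants capture source and destination
// addresses and insert dup2307 (defined outside this view) between dup2287
// and dup2288.
// (Trailing table-cell residue stripped so the statements parse.)

// Destination is a PAT address.
var msg994 = match({
	dissect: {
		tokenizer: "Dropping echo request from %{saddr} to PAT address %{daddr}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup2008,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2307,
		dup2288,
		dup2289,
	]),
});
// Destination is a plain address.
var msg995 = match({
	dissect: {
		tokenizer: "Dropping echo request from %{saddr} to address %{daddr}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup2009,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2307,
		dup2288,
		dup2289,
	]),
});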
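// (Trailing table-cell residue stripped so the statements parse.)

// Multi-part match built from dup1451..dup1453 (defined outside this view).
var all431 = all_match({
	processors: [
		dup1451,
		dup1452,
		dup1453,
	],
	on_success: processor_chain([
		dup285,
		dup1454,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2308,
		dup2304,
	]),
});
// "Deny <protocol> (no connection)": a packet arrived for which the device
// holds no connection state. TCP flags go to fld1.
var msg996 = match({
	dissect: {
		tokenizer: "Deny %{protocol} (no connection) from %{saddr}/%{sport} to %{daddr}/%{dport} flags %{fld1} on interface %{interface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup827,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// Same message without the interface suffix.
// NOTE(review): the trailing %{fld1} is open-ended and would presumably also
// absorb " on interface <name>"; verify msg996 is tried first.
var msg997 = match({
	dissect: {
		tokenizer: "Deny %{protocol} (no connection) from %{saddr}/%{sport} to %{daddr}/%{dport} flags %{fld1}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup828,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});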
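// Anti-spoofing and Land-attack drops.
// (Trailing table-cell residue stripped so the statements parse.)
// Analyst caveat: in these events the device itself has judged the source
// address to be forged (or, for Land, equal to the destination), so saddr
// should not be used for attribution or blocklisting without corroboration.
// The ingress interface, when present, is the more reliable pivot.

// Spoof drop with interface.
var msg998 = match({
	dissect: {
		tokenizer: "Deny %{protocol} spoof from (%{saddr}) to %{daddr} on interface %{interface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup258,
		dup259,
		dup2300,
		dup2309,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// Spoof drop without interface.
// NOTE(review): ends on open-ended %{daddr}; a line with the interface suffix
// would presumably match here too and pollute daddr. Verify msg998 is tried
// first.
var msg999 = match({
	dissect: {
		tokenizer: "Deny %{protocol} spoof from (%{saddr}) to %{daddr}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup258,
		dup260,
		dup2300,
		dup2309,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// Land attack drop.
var msg1000 = match({
	dissect: {
		tokenizer: "Deny IP due to Land Attack from %{saddr} to %{daddr}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup170,
		dup2002,
		dup2300,
		dup2309,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});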
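// ActiveX content was found in a packet and the packet was modified.
// Captures source and destination addresses only. The literal "dest to" is
// part of the pattern as written here.
// (Trailing table-cell residue stripped so the statement parses.)
var msg1001 = match({
	dissect: {
		tokenizer: "Packet contains ActiveX content and has been modified src %{saddr} dest to %{daddr}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup2003,
		dup2004,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});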
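// Packet denied by an access list: fld1 holds the packet type, fld2 the list
// name.
// (Trailing table-cell residue stripped so the statements parse.)
var msg1002 = match({
	dissect: {
		tokenizer: "%{protocol} packet type %{fld1} denied by %{direction} list %{fld2} src %{saddr} dest %{daddr}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup904,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2310,
	]),
});
// IP packet denied by an access-group. The quoted interface and access-group
// names are captured without their quotes; %{space} absorbs the gap between
// them.
// The emitted description previously read "denied by acces-group" (typo).
// It is corrected here; any saved search or rule keyed on the old spelling
// must be updated with it.
var msg1003 = match({
	dissect: {
		tokenizer: "IP packet from %{saddr} to %{daddr}, protocol %{protocol} received from interface \"%{interface}\" %{space} deny by access-group \"%{fld1}\"",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1156,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		set_field({
			dest: "nwparser.event_description",
			value: constant("denied by access-group"),
		}),
	]),
});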
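// Malformed-fragment and path-validation drops.
// (Trailing table-cell residue stripped so the statements parse.)
// NOTE(review): msg1004 and msg1005 do not apply the dup2300-series steps
// that the neighbouring deny parsers (e.g. msg1006) use. Those steps are
// defined outside this view; confirm these events are still tagged as
// intended.

// Teardrop fragment: fld1 is the fragment size, fld2 the offset.
var msg1004 = match({
	dissect: {
		tokenizer: "Deny IP teardrop fragment (size = %{fld1}, offset = %{fld2}) from %{saddr} to %{daddr}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup170,
		dup1391,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		set_field({
			dest: "nwparser.event_description",
			value: constant("denied IP teardrop fragment"),
		}),
	]),
});
// Reverse-path check failure. As with other spoofing indicators, the source
// address here is what the check rejected, so treat saddr as unverified.
var msg1005 = match({
	dissect: {
		tokenizer: "Deny %{protocol} reverse path check from %{saddr} to %{daddr} on interface %{interface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup168,
		dup1428,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});
// Connection spoof drop.
var msg1006 = match({
	dissect: {
		tokenizer: "Deny %{protocol} connection spoof from %{saddr} to %{daddr} on interface %{interface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup168,
		dup1811,
		dup2300,
		dup2309,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2304,
	]),
});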
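// (Trailing table-cell residue stripped so the statements parse.)

// Multi-part match built from dup1029..dup1032 (defined outside this view).
var all432 = all_match({
	processors: [
		dup1029,
		dup1030,
		dup1031,
		dup1032,
	],
	on_success: processor_chain([
		dup285,
		dup1033,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2311,
	]),
});
// Tail matcher for all433: reads nwparser.p3 and captures rule_group up to a
// run of three literal double quotes.
// NOTE(review): three consecutive quotes is an unusual terminator. Confirm
// against sample logs that this is what the device emits and not an escaping
// artifact of the generator.
var msg1007 = match({
	dissect: {
		tokenizer: "%{rule_group}\"\"\"",
		field: "nwparser.p3",
	},
});
// Multi-part match ending in msg1007. Uses dup2312 where sibling chains use
// dup2287.
var all433 = all_match({
	processors: [
		dup1034,
		dup1035,
		dup1036,
		dup1037,
		msg1007,
	],
	on_success: processor_chain([
		dup285,
		dup1038,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2312,
		dup2288,
		dup2289,
		dup2303,
		dup2311,
	]),
});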
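// Three alternative shapes for the rule-group segment held in nwparser.p2.
// Each leaves the remainder in p3.
// (Trailing table-cell residue stripped so the statements parse.)

// Leading space, quoted name, then an extra token (fld1).
var msg1008 = match({
	dissect: {
		tokenizer: " \"%{rule_group}\" %{fld1} %{p3}",
		field: "nwparser.p2",
	},
});
// Quoted name directly followed by the remainder.
var msg1009 = match({
	dissect: {
		tokenizer: "\"%{rule_group}\"%{p3}",
		field: "nwparser.p2",
	},
});
// Unquoted fallback: rule_group ends at the first space, so a name that
// contains spaces would be truncated here.
var msg1010 = match({
	dissect: {
		tokenizer: "%{rule_group} %{p3}",
		field: "nwparser.p2",
	},
});
// Alternatives are listed most specific first; presumably the first one that
// matches wins (linear_select is defined outside this view).
var select173 = linear_select([
	msg1008,
	msg1009,
	msg1010,
]);
// Multi-part match: dup1039..dup1041 followed by the rule-group selector.
var all434 = all_match({
	processors: [
		dup1039,
		dup1040,
		dup1041,
		select173,
	],
	on_success: processor_chain([
		dup285,
		dup1042,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2312,
		dup2288,
		dup2289,
		dup2303,
		dup2311,
	]),
});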
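// (Trailing table-cell residue stripped so the statements parse.)

// Multi-part match: dup1043 then dup1044 (both defined outside this view).
var all435 = all_match({
	processors: [
		dup1043,
		dup1044,
	],
	on_success: processor_chain([
		dup285,
		dup1045,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		dup2311,
	]),
});
// "<description>: <interface> <protocol> src a/p dest a/p". The text before
// the first ": " becomes the event description.
var msg1011 = match({
	dissect: {
		tokenizer: "%{event_description}: %{interface} %{protocol} src %{saddr}/%{sport} dest %{daddr}/%{dport}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup1128,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
	]),
});
// Multi-part match sharing dup1044 with all435.
// NOTE(review): this chain runs dup2311 before dup2303, the reverse of
// all435. Harmless if the two steps are independent; confirm.
var all436 = all_match({
	processors: [
		dup1268,
		dup1044,
	],
	on_success: processor_chain([
		dup285,
		dup1269,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2311,
		dup2303,
	]),
});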
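// (Trailing table-cell residue stripped so the statements parse.)

// Multi-part match for an invalid ICMP echo reply; the description is set to
// a fixed string on success. The matchers are defined outside this view.
var all437 = all_match({
	processors: [
		dup2052,
		dup802,
		dup2053,
		dup2054,
		dup2055,
	],
	on_success: processor_chain([
		dup2056,
		dup2057,
		dup2300,
		dup2301,
		dup2302,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Dropping invalid echo reply"),
		}),
	]),
});
// Packet denied because its connection is marked for deletion.
// NOTE(review): the token after "flags" is captured as `network_service`,
// whereas the "(no connection)" parsers (msg996/msg997) capture the same
// position as fld1. TCP flags stored in a service field can mislead
// service-based queries; confirm the mapping. This chain also omits dup2303,
// which msg996 applies.
var msg1012 = match({
	dissect: {
		tokenizer: "Deny %{protocol} (Connection marked for Deletion) from %{saddr}/%{sport} to %{daddr}/%{dport} flags %{network_service} on interface %{interface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup2058,
		dup2300,
		dup2301,
		dup2302,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2304,
	]),
});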
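// Access-list hit parsers.
// (Trailing table-cell residue stripped so the statements parse.)

// Explicit "denied" form. "\u003e" is the escaped ">" of the "->" arrow.
// The hit counter goes to dclass_counter1; trailing text goes to fld6.
var msg1013 = match({
	dissect: {
		tokenizer: "access-list %{listnum} denied %{protocol} %{sinterface}/%{saddr}(%{sport}) -\u003e %{dinterface}/%{daddr}(%{dport}) hit-cnt %{dclass_counter1} %{fld6}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61,
		dup720,
		dup2313,
		dup2302,
		dup2314,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2315,
		dup2310,
	]),
});
// Three multi-part variants sharing the head (dup721, dup722) and tail
// (dup725) matchers; only the two middle matchers differ. All matchers are
// defined outside this view.
var all438 = all_match({
	processors: [
		dup721,
		dup722,
		dup723,
		dup724,
		dup725,
	],
	on_success: processor_chain([
		dup288,
		dup726,
		dup2313,
		dup2302,
		dup2316,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2315,
		dup2317,
	]),
});
var all439 = all_match({
	processors: [
		dup721,
		dup722,
		dup727,
		dup728,
		dup725,
	],
	on_success: processor_chain([
		dup288,
		dup729,
		dup2313,
		dup2302,
		dup2316,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2315,
		dup2317,
	]),
});
var all440 = all_match({
	processors: [
		dup721,
		dup722,
		dup730,
		dup728,
		dup725,
	],
	on_success: processor_chain([
		dup288,
		dup731,
		dup2313,
		dup2302,
		dup2316,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2315,
		dup2317,
	]),
});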
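// (Trailing table-cell residue stripped so the statements parse.)

// Catch-all: the whole payload becomes the event description.
var msg1014 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup45,
		dup2189,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
	]),
});
// Deny/permit pair. The two share every matcher except the first (dup278 vs
// dup287) and set event_description to the literal verdict, which gives
// downstream queries a stable value to filter on. The chains also differ in
// dup2314 vs dup2316 (both defined outside this view).
var all441 = all_match({
	processors: [
		dup278,
		dup279,
		dup280,
		dup281,
		dup282,
		dup283,
		dup2318,
	],
	on_success: processor_chain([
		dup285,
		dup286,
		dup2313,
		dup2302,
		dup2314,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2319,
		set_field({
			dest: "nwparser.event_description",
			value: constant("deny"),
		}),
	]),
});
var all442 = all_match({
	processors: [
		dup287,
		dup279,
		dup280,
		dup281,
		dup282,
		dup283,
		dup2318,
	],
	on_success: processor_chain([
		dup288,
		dup289,
		dup2313,
		dup2302,
		dup2316,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2319,
		set_field({
			dest: "nwparser.event_description",
			value: constant("permit"),
		}),
	]),
});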
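// Access-list hit-count parsers.
// (Trailing table-cell residue stripped so the statements parse.)

// URL form. `url` comes straight from the logged request, so treat it as
// untrusted text wherever it is rendered or re-parsed downstream.
var msg1015 = match({
	dissect: {
		tokenizer: "access-list %{listnum} url %{url} hit-cnt %{dclass_counter1}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup222,
		dup290,
		dup2286,
		dup2287,
		dup2319,
		dup2288,
		dup2289,
	]),
});
// Per-user form: action, protocol, username and both endpoints.
// NOTE(review): `username` is delimited only by single quotes and is
// user-supplied. A value containing the delimiter would presumably shift the
// captures that follow it, so validate that saddr/daddr look like addresses
// before correlating on them.
var msg1016 = match({
	dissect: {
		tokenizer: "access-list %{listnum} %{action} %{protocol} for user '%{username}' %{sinterface}/%{saddr}(%{sport}) -\u003e %{dinterface}/%{daddr}(%{dport}) hit-cnt %{dclass_counter1} %{info}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup222,
		dup1490,
		dup2313,
		dup2302,
		dup2316,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2319,
	]),
});
// Form without action or user.
var msg1017 = match({
	dissect: {
		tokenizer: "access-list %{listnum} %{protocol} %{sinterface}/%{saddr}(%{sport}) -\u003e %{dinterface}/%{daddr}(%{dport}) hit-cnt %{dclass_counter1}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup222,
		dup1491,
		dup2313,
		dup2302,
		dup2316,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2319,
	]),
});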
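// (Trailing table-cell residue stripped so the statements parse.)

// Ping attempt. The pattern ends in a literal ".", which bounds daddr.
var msg1018 = match({
	dissect: {
		tokenizer: "%{saddr} attempted to ping %{daddr}.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup16,
		dup1497,
		dup2313,
		dup2302,
		dup2316,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
	]),
});
// RIP authentication failure: the sending router's address plus the version,
// type, mode and sequence values (fld1..fld4) and the receiving interface.
// Repeated events from one saddr are worth alerting on as possible
// routing-protocol tampering.
var msg1019 = match({
	dissect: {
		tokenizer: "RIP auth failed from %{saddr}: version=%{fld1}, type=%{fld2}, mode=%{fld3}, sequence=%{fld4} on interface %{interface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup891,
		dup1498,
		dup2320,
		dup2314,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		set_field({
			dest: "nwparser.event_description",
			value: constant("RIP auth failure"),
		}),
	]),
});
// RIP packet failure (version only).
var msg1020 = match({
	dissect: {
		tokenizer: "RIP pkt failed from %{saddr}: version=%{fld1} on interface %{interface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup45,
		dup440,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2303,
		set_field({
			dest: "nwparser.event_description",
			value: constant("RIP packet failure"),
		}),
	]),
});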
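// (Trailing table-cell residue stripped so the statements parse.)

// Multi-part match built from dup1113..dup1115 (defined outside this view).
var all443 = all_match({
	processors: [
		dup1113,
		dup1114,
		dup1115,
	],
	on_success: processor_chain([
		dup1116,
		dup1117,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
	]),
});
// SMTP inspection replaced content. fld1 is what was replaced; `info` keeps
// the data portion, which originates from the mail session and should be
// treated as untrusted text downstream.
var msg1021 = match({
	dissect: {
		tokenizer: "SMTP replaced %{fld1}: out %{saddr} in %{daddr} data: %{info}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup199,
		dup782,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
	]),
});
// Bad checksum in a command; `result` is set to a fixed value mid-chain,
// before dup2288 and dup2289 run.
var msg1022 = match({
	dissect: {
		tokenizer: "Bad Checksum in %{network_service} command",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup199,
		dup200,
		dup2286,
		dup2287,
		set_field({
			dest: "nwparser.result",
			value: constant("Bad Checksum"),
		}),
		dup2288,
		dup2289,
	]),
});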
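// Multi-part match for a mail-address pattern detection; tags the subject as
// an e-mail address via ec_subject. Matchers dup201..dup203 are defined
// outside this view.
// (Trailing table-cell residue stripped so the statement parses.)
// NOTE(review): the chain ends with two set_field steps that both target
// nwparser.event_description. Unless set_field refuses to overwrite (it is
// defined outside this view), only one of "Connection terminated" and
// "Malicious pattern detected in mail address" survives, so the event loses
// either the detection reason or the enforcement outcome. One of them
// presumably belongs in a different field (e.g. a result/action field);
// confirm and separate them so both can be queried.
var all444 = all_match({
	processors: [
		dup201,
		dup202,
		dup203,
	],
	on_success: processor_chain([
		dup204,
		dup205,
		set_field({
			dest: "nwparser.ec_subject",
			value: constant("EmailAddress"),
		}),
		dup2300,
		dup2309,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Connection terminated"),
		}),
		set_field({
			dest: "nwparser.event_description",
			value: constant("Malicious pattern detected in mail address"),
		}),
	]),
});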
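// (Trailing table-cell residue stripped so the statements parse.)

// Multi-part match; shares matchers dup1914..dup1919 with all446 and differs
// only in the first matcher (dup1913). All are defined outside this view.
var all445 = all_match({
	processors: [
		dup1913,
		dup1914,
		dup1915,
		dup1916,
		dup1917,
		dup1918,
		dup1919,
	],
	on_success: processor_chain([
		dup204,
		dup1920,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
	]),
});
// Bad checksum in a response.
// NOTE(review): the matching "command" parser (msg1022) sets nwparser.result
// to "Bad Checksum"; this one does not. Confirm whether that is intended,
// since a query on the result field would only see half of these events.
var msg1023 = match({
	dissect: {
		tokenizer: "Bad Checksum in %{network_service} response",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup199,
		dup1921,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
	]),
});
// Same shape as all445 with dup1922 as the first matcher.
var all446 = all_match({
	processors: [
		dup1922,
		dup1914,
		dup1915,
		dup1916,
		dup1917,
		dup1918,
		dup1919,
	],
	on_success: processor_chain([
		dup204,
		dup1923,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
	]),
});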
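// SMTP/ESMTP inspection parsers; each normalises the description to a fixed
// string.
// (Trailing table-cell residue stripped so the statements parse.)

// SMTP connection pool exhausted. A burst of these from one saddr can
// indicate resource exhaustion against the mail proxy.
var msg1024 = match({
	dissect: {
		tokenizer: "Out of SMTP connections! %{saddr}/%{sport}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup45,
		dup1058,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Out of SMTP connections"),
		}),
	]),
});
// ESMTP request received; the text after "; " is kept in `result`.
var msg1025 = match({
	dissect: {
		tokenizer: "%{network_service}: Received ESMTP Request from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}; %{result}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup199,
		dup1059,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Received ESMTP request"),
		}),
	]),
});
// Size violation. The service name is captured from the log line, while the
// fixed description always says "ESMTP".
var msg1026 = match({
	dissect: {
		tokenizer: "Detected %{network_service} size violation from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}; %{result}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup199,
		dup206,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Detected ESMTP size violation"),
		}),
	]),
});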
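// Authentication session and AAA-server failure parsers.
// (Trailing table-cell residue stripped so the statements parse.)

// Session start: result is set to the fixed value "Start_Session".
var all447 = all_match({
	processors: [
		dup108,
		dup4,
		dup109,
	],
	on_success: processor_chain([
		dup110,
		dup111,
		dup2321,
		dup2296,
		dup2320,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.result",
			value: constant("Start_Session"),
		}),
	]),
});
// A single authentication server failed.
var all448 = all_match({
	processors: [
		dup332,
		dup333,
	],
	on_success: processor_chain([
		dup334,
		dup335,
		dup2320,
		dup2314,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2322,
		set_field({
			dest: "nwparser.result",
			value: constant("server failed"),
		}),
	]),
});
// All authentication servers failed. Worth alerting on: with no AAA server
// reachable, whether access then fails open or closed depends on the device's
// fallback configuration.
// NOTE(review): the interface is captured as `sinterface` here, while the
// sibling "Auth from ... failed" parser (msg1029) uses `interface`. Queries
// on one key will miss the other; confirm the intended mapping.
var msg1027 = match({
	dissect: {
		tokenizer: "Auth from %{saddr} to %{daddr}/%{dport} failed (all servers failed) on interface %{sinterface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup183,
		dup2177,
		dup2320,
		dup2314,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2322,
		dup2323,
	]),
});
// Multi-part variant applying the same closing steps (dup2322, dup2323) as
// msg1027. The matchers are defined outside this view.
var all449 = all_match({
	processors: [
		dup2178,
		dup2179,
		dup757,
		dup2180,
		dup2181,
		dup2182,
	],
	on_success: processor_chain([
		dup334,
		dup2183,
		dup2320,
		dup2314,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2322,
		dup2323,
	]),
});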
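// Authentication / authorization outcome parsers. Each sets nwparser.result
// to a fixed string, which is the value to key detections on.
// (Trailing table-cell residue stripped so the statements parse.)
// Note the inconsistent casing across the four constants ("Successful
// Authentication" vs "authentication failure"): use case-insensitive matching
// in queries. All four share the middle and tail matchers dup4 and dup930.

// Authentication succeeded.
var all450 = all_match({
	processors: [
		dup1862,
		dup4,
		dup930,
	],
	on_success: processor_chain([
		dup85,
		dup1863,
		dup2321,
		dup2320,
		dup2316,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.result",
			value: constant("Successful Authentication"),
		}),
	]),
});
// Authentication failed.
var all451 = all_match({
	processors: [
		dup929,
		dup4,
		dup930,
	],
	on_success: processor_chain([
		dup81,
		dup931,
		dup2321,
		dup2320,
		dup2314,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.result",
			value: constant("authentication failure"),
		}),
	]),
});
// Authorization succeeded.
var all452 = all_match({
	processors: [
		dup1906,
		dup4,
		dup930,
	],
	on_success: processor_chain([
		dup85,
		dup1907,
		dup2321,
		dup2324,
		dup2325,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.result",
			value: constant("Successful Authorization"),
		}),
	]),
});
// Authorization failed.
var all453 = all_match({
	processors: [
		dup1790,
		dup4,
		dup930,
	],
	on_success: processor_chain([
		dup1791,
		dup1792,
		dup2321,
		dup2300,
		dup2325,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.result",
			value: constant("Authorization failure"),
		}),
	]),
});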
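// (Trailing table-cell residue stripped so the statements parse.)

// Authorization refused because the session was never authenticated.
var msg1028 = match({
	dissect: {
		tokenizer: "Authorization denied from %{saddr}/%{sport} to %{daddr}/%{dport} (not authenticated)",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup256,
		dup2166,
		dup2321,
		dup2300,
		dup2325,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2326,
	]),
});
// Authentication failure with the reason captured from the parentheses into
// `result`. Unlike the fixed-constant parsers, result here is free text from
// the device.
var msg1029 = match({
	dissect: {
		tokenizer: "Auth from %{saddr}/%{sport} to %{daddr}/%{dport} failed (%{result}) on interface %{interface}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup183,
		dup547,
		dup2320,
		dup2300,
		dup2299,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2326,
	]),
});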
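// (Trailing table-cell residue stripped so the statements parse.)

// Authentication session start / end markers; result carries a fixed label.
// Pairing the two per user/session gives session duration and reveals
// sessions that never close.
var all454 = all_match({
	processors: [
		dup1190,
		dup4,
		dup1191,
	],
	on_success: processor_chain([
		dup110,
		dup1192,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.result",
			value: constant("Authen Session Start"),
		}),
	]),
});
var all455 = all_match({
	processors: [
		dup1645,
		dup4,
		dup1646,
	],
	on_success: processor_chain([
		dup110,
		dup1647,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		set_field({
			dest: "nwparser.result",
			value: constant("Authen Session End"),
		}),
	]),
});
// Catch-all parsers: the whole payload becomes the event description.
var msg1030 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup220,
		dup1582,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
	]),
});
var msg1031 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup378,
		dup977,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
	]),
});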
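// Three multi-part variants that share the middle and tail matchers (dup4,
// dup930) and nearly the same chain. They differ in the first matcher, the
// second chain step, and whether dup2285 is applied. All dupNNNN steps are
// defined outside this view.
// (Trailing table-cell residue stripped so the statements parse.)
var all456 = all_match({
	processors: [
		dup1052,
		dup4,
		dup930,
	],
	on_success: processor_chain([
		dup285,
		dup1053,
		dup2321,
		dup2300,
		dup2320,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2326,
	]),
});
var all457 = all_match({
	processors: [
		dup1054,
		dup4,
		dup930,
	],
	on_success: processor_chain([
		dup285,
		dup1055,
		dup2321,
		dup2300,
		dup2320,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2326,
	]),
});
var all458 = all_match({
	processors: [
		dup1056,
		dup4,
		dup930,
	],
	on_success: processor_chain([
		dup285,
		dup1057,
		dup2321,
		dup2300,
		dup2320,
		dup2285,
		dup2286,
		dup2287,
		dup2288,
		dup2289,
		dup2326,
	]),
});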
// Authorization lookup failures. Both matchers tag a fixed result string;
// the text they match lives in dup1380 / dup1382, defined elsewhere.
var all459 = all_match({
  processors: [dup1380, dup4],
  on_success: processor_chain([
    dup334, dup1381, dup2325, dup2299, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("access-list not found") }),
  ]),
});

var all460 = all_match({
  processors: [dup1382, dup4],
  on_success: processor_chain([
    dup334, dup1383, dup2325, dup2299, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("authorization list not found for user"),
    }),
  ]),
});

// Auth-proxy connection limit exceeded: captures the source address (saddr)
// and the configured maximum (fld2) straight from the payload.
var msg1032 = match({
  dissect: {
    tokenizer: "User at %{saddr} exceeded auth proxy connection limit (max %{fld2})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup2274, dup2275, dup2320, dup2299, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// ACL problems: three matchers sharing the first two stages (dup1605,
// dup1606). Each sets a constant result naming the failure.
var all461 = all_match({
  processors: [dup1605, dup1606, dup1607],
  on_success: processor_chain([
    dup473, dup1608, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("ACL is empty") }),
  ]),
});

var all462 = all_match({
  processors: [dup1605, dup1606, dup2198],
  on_success: processor_chain([
    dup473, dup2199, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("ACL has parsing error") }),
  ]),
});

var all463 = all_match({
  processors: [dup1605, dup1606, dup2238, dup2239],
  on_success: processor_chain([
    dup473, dup2240, dup2290, dup2291, dup2299, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("Downloaded ACL has config error"),
    }),
  ]),
});
// Catch-all: the whole payload is dissected into event_description.
var msg1033 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup183, dup184, dup2320, dup2299, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Catch-all: the whole payload is dissected into event_description.
var msg1034 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup118, dup2286, dup2287, dup2288, dup2289]),
});
// "Must authenticate before using this service", variant that names the
// protocol. Captures both endpoints (address/port), interface and protocol.
var msg1035 = match({
  dissect: {
    tokenizer: "User from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface} using %{protocol} must authenticate before using this service",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup220, dup355, dup2321, dup2320, dup2327,
    dup2286, dup2287, dup2288, dup2289, dup2328,
  ]),
});

// Same message without the "using <protocol>" part; also runs dup2285.
var msg1036 = match({
  dissect: {
    tokenizer: "User from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface} must authenticate before using this service",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup220, dup356, dup2321, dup2320, dup2327, dup2285,
    dup2286, dup2287, dup2288, dup2289, dup2328,
  ]),
});

// Authorization denied: the parenthesised reason goes to result, alongside
// both endpoints, the interface and the protocol.
var msg1037 = match({
  dissect: {
    tokenizer: "Authorization denied from %{saddr}/%{sport} to %{daddr}/%{dport} (%{result}) on interface %{interface} using %{protocol}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup256, dup257, dup2325, dup2300,
    dup2286, dup2287, dup2288, dup2289, dup2328,
  ]),
});

// Staged matcher; reuses dup1056 and dup4 as its first two stages (the same
// pair all458 starts with).
var all464 = all_match({
  processors: [dup1056, dup4, dup2010],
  on_success: processor_chain([
    dup285, dup2011, dup2325, dup2321, dup2300,
    dup2286, dup2287, dup2288, dup2289, dup2328,
  ]),
});
// Bracketed protocol prefix followed by free text: "[proto] description".
var msg1038 = match({
  dissect: {
    tokenizer: "[%{protocol}] %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup183, dup1748, dup2320, dup2299, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Four-stage matcher; the stages are defined elsewhere in the file.
var all465 = all_match({
  processors: [dup2026, dup2027, dup2028, dup161],
  on_success: processor_chain([
    dup334, dup2029, dup2321, dup2320, dup2299,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Three-stage matcher; the stages are defined elsewhere in the file.
var all466 = all_match({
  processors: [dup470, dup471, dup472],
  on_success: processor_chain([dup473, dup474, dup2286, dup2287, dup2288, dup2289]),
});

// Downloaded-ACL parse error: the text after "ERROR: " is kept as result.
var msg1039 = match({
  dissect: {
    tokenizer: "Parsing downloaded ACL: ERROR: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup475, dup476, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Three-stage matcher; the stages are defined elsewhere in the file.
var all467 = all_match({
  processors: [dup628, dup4, dup629],
  on_success: processor_chain([dup473, dup630, dup2286, dup2287, dup2288, dup2289]),
});
// Two matchers that start with the same stages (dup270, dup4) and end with
// the same post-processing (dup2329, dup2330); all468 has the longer stage
// list and additionally runs dup2285.
var all468 = all_match({
  processors: [dup270, dup4, dup271, dup272, dup273],
  on_success: processor_chain([
    dup89, dup274, dup2321, dup2320, dup2314, dup2285,
    dup2286, dup2287, dup2288, dup2289, dup2329, dup2330,
  ]),
});

var all469 = all_match({
  processors: [dup270, dup4, dup275],
  on_success: processor_chain([
    dup89, dup276, dup2321, dup2320, dup2314,
    dup2286, dup2287, dup2288, dup2289, dup2329, dup2330,
  ]),
});

// uauth unproxy failure: the reason text is captured as result and the
// description is set to a fixed label.
var msg1040 = match({
  dissect: {
    tokenizer: "uauth_pickapp: Uauth Unproxy Failed due to the reason: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup378, dup1086, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Uauth Unproxy Failed"),
    }),
  ]),
});
// Routing failure: destination first, then source, as in the message text.
var msg1041 = match({
  dissect: {
    tokenizer: "No route to %{daddr} from %{saddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup43, dup44, dup2286, dup2287, dup2288, dup2289]),
});

// ARP resolution failure for a single host address.
var msg1042 = match({
  dissect: {
    tokenizer: "No ARP for host %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup2219, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("No ARP for host") }),
  ]),
});

// Egress interface lookup failure: protocol, source interface and both
// endpoints are captured.
var msg1043 = match({
  dissect: {
    tokenizer: "Failed to locate egress interface for %{protocol} from %{sinterface}:%{saddr}/%{sport} to %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup2220, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Failed to locate egress interface"),
    }),
  ]),
});

// Staged matcher that writes the same value (dup2331, defined elsewhere)
// into both result and event_description.
var all470 = all_match({
  processors: [dup1101, dup1102, dup1103],
  on_success: processor_chain([
    dup93, dup1104, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: dup2331 }),
    set_field({ dest: "nwparser.event_description", value: dup2331 }),
  ]),
});

// NOTE(review): dup2287 runs after dup2288/dup2289 here, unlike every other
// chain in this part of the file. Kept as found; confirm whether these steps
// are order-sensitive.
var msg1044 = match({
  dissect: {
    tokenizer: "No interface is configured (with %{interface}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1105, dup2285, dup2286, dup2288, dup2289, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("No interface configured"),
    }),
  ]),
});

// Catch-all: the whole payload is dissected into event_description.
var msg1045 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1106, dup2286, dup2287, dup2288, dup2289]),
});
// Configuration-change messages. These record who touched the device
// configuration (hostip) and how, so they matter for change auditing.

// Config write started: host address and target device are captured.
var msg1046 = match({
  dissect: {
    tokenizer: "Begin configuration: %{hostip} writing to %{device}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup1819, dup2290, dup2292, dup2291,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Begin configuration writing to device"),
    }),
  ]),
});

// Config read started. NOTE(review): the label is written to result here,
// while the "writing to" sibling above writes event_description; confirm
// the difference is intended.
var msg1047 = match({
  dissect: {
    tokenizer: "Begin configuration: %{hostip} reading from %{device}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup166, dup893, dup2290, dup2332, dup2291,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("Begin configuration reading from device"),
    }),
  ]),
});

// Configuration erase: only the originating host address is captured.
var msg1048 = match({
  dissect: {
    tokenizer: "%{hostip} Erase configuration",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup761, dup2279, dup2290, dup2333, dup2291,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Erase configuration"),
    }),
  ]),
});

// all471 and all472 use the same two stages (dup854, dup855) and differ in
// their on_success chains; all472 tags the result "end configuration: OK".
var all471 = all_match({
  processors: [dup854, dup855],
  on_success: processor_chain([
    dup316, dup856, dup2290, dup2334, dup2291,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var all472 = all_match({
  processors: [dup854, dup855],
  on_success: processor_chain([
    dup141, dup2250, dup2290, dup2334, dup2291, dup2316,
    dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("end configuration: OK") }),
  ]),
});

// Three-stage matcher; the stages are defined elsewhere in the file.
var all473 = all_match({
  processors: [dup1125, dup4, dup1126],
  on_success: processor_chain([
    dup141, dup1127, dup2321, dup2335, dup2320, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Staged variant of the "reading from device" message; the result label
// differs from msg1047 only by the " - " separator.
var all474 = all_match({
  processors: [dup621, dup622, dup623],
  on_success: processor_chain([
    dup141, dup624, dup2290, dup2332, dup2291,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("Begin configuration - reading from device"),
    }),
  ]),
});
// Three matchers that share the leading stages dup466 and dup4. all477 labels
// the event "User executed cmd"; all475 and all476 finish with dup2336.
// Executed-command records are useful for admin-activity auditing.
var all475 = all_match({
  processors: [dup466, dup4, dup467, dup468],
  on_success: processor_chain([
    dup141, dup469, dup2286, dup2287, dup2288, dup2289, dup2336,
  ]),
});

var all476 = all_match({
  processors: [dup466, dup4, dup884],
  on_success: processor_chain([
    dup848, dup885, dup2286, dup2287, dup2288, dup2289, dup2336,
  ]),
});

var all477 = all_match({
  processors: [dup466, dup4, dup847],
  on_success: processor_chain([
    dup848, dup849, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("User executed cmd"),
    }),
  ]),
});

// Catch-all: the whole payload is dissected into event_description.
var msg1049 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1683, dup2286, dup2287, dup2288, dup2289]),
});

// Catch-all payload capture; its chain opens with dup761, like the
// "Erase configuration" matcher msg1048.
var msg1050 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup761, dup2260, dup2290, dup2333, dup2291, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Session limit reached; the matched text lives in dup886 / dup887.
var all478 = all_match({
  processors: [dup886, dup887],
  on_success: processor_chain([
    dup93, dup888, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Session limit reached"),
    }),
  ]),
});

// Catch-all: the whole payload is dissected into event_description.
var msg1051 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup889, dup2286, dup2287, dup2288, dup2289]),
});

// AAA group policy assignment for a user.
var all479 = all_match({
  processors: [dup291, dup4, dup292, dup293],
  on_success: processor_chain([
    dup193, dup294, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("AAA group policy set for user"),
    }),
  ]),
});
// AAA outcome matchers. The message text is matched by shared stages
// defined elsewhere; only the constant labels are visible here.

// Successful AAA accounting/authentication.
var all480 = all_match({
  processors: [dup70, dup159, dup160, dup161],
  on_success: processor_chain([
    dup85, dup162, dup2320, dup2316, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("AAA user accounting/authentication successful"),
    }),
  ]),
});

// Long form: eleven stages, dup70 through dup80.
var all481 = all_match({
  processors: [
    dup70, dup71, dup72, dup73, dup74, dup75,
    dup76, dup77, dup78, dup79, dup80,
  ],
  on_success: processor_chain([
    dup81, dup82, dup2321, dup2320, dup2314,
    dup2286, dup2287, dup2288, dup2289, dup2337,
  ]),
});

// Short form: the first eight stages of all481 (dup70 through dup77).
var all482 = all_match({
  processors: [dup70, dup71, dup72, dup73, dup74, dup75, dup76, dup77],
  on_success: processor_chain([
    dup81, dup83, dup2321, dup2320, dup2314,
    dup2286, dup2287, dup2288, dup2289, dup2337,
  ]),
});

// User lockout: sets ec_activity to "Lockout". Lockout records are a useful
// input for password-guessing detection.
var all483 = all_match({
  processors: [dup466, dup4, dup1989],
  on_success: processor_chain([
    dup81, dup1990, dup2321,
    set_field({ dest: "nwparser.ec_activity", value: constant("Lockout") }),
    dup2320, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("User locked out") }),
  ]),
});

// Two-stage matcher; the stages are defined elsewhere in the file.
var all484 = all_match({
  processors: [dup84, dup4],
  on_success: processor_chain([
    dup85, dup86, dup2321, dup2325, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// all485 and all486 both start with dup1775 and end with dup2338; all485 is
// the longer, six-stage form.
var all485 = all_match({
  processors: [dup1775, dup1776, dup452, dup1777, dup74, dup1778],
  on_success: processor_chain([
    dup110, dup1779, dup2285, dup2286, dup2287, dup2288, dup2289, dup2338,
  ]),
});

var all486 = all_match({
  processors: [dup1775, dup610, dup1780],
  on_success: processor_chain([
    dup110, dup1781, dup2285, dup2286, dup2287, dup2288, dup2289, dup2338,
  ]),
});

// AAA challenge received for a user.
var all487 = all_match({
  processors: [dup1435, dup4, dup1436],
  on_success: processor_chain([
    dup110, dup1437, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("AAA challenge received for user"),
    }),
  ]),
});

// AAA retrieved a user-specific group policy.
var all488 = all_match({
  processors: [dup609, dup610, dup611, dup161],
  on_success: processor_chain([
    dup110, dup612, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("AAA retrieved user specific group policy"),
    }),
  ]),
});
// Successful AAA user authentication.
var all489 = all_match({
  processors: [dup1290, dup4],
  on_success: processor_chain([
    dup85, dup1291, dup2321, dup2320, dup2316,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("AAA user authentication successful"),
    }),
  ]),
});

// AAA could not complete the request.
var all490 = all_match({
  processors: [dup1205, dup4],
  on_success: processor_chain([
    dup81, dup1206, dup2321, dup2320, dup2299,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("AAA unable to complete the request"),
    }),
  ]),
});

// Server not accessible; the server details come from stages defined
// elsewhere in the file.
var all491 = all_match({
  processors: [dup1998, dup71, dup1999, dup161],
  on_success: processor_chain([
    dup334, dup2000, dup2321, dup2320, dup2299,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("server not accessible"),
    }),
  ]),
});

// all492 and all493 run the same on_success steps apart from the second one
// (dup798 vs dup576); they differ in their matcher stages.
var all492 = all_match({
  processors: [dup796, dup797],
  on_success: processor_chain([
    dup81, dup798, dup2321, dup2320, dup2314,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var all493 = all_match({
  processors: [dup575, dup4],
  on_success: processor_chain([
    dup81, dup576, dup2321, dup2320, dup2314,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Three matchers sharing the stages dup12 and dup4. The first two compute
// nwparser.duration through DUR (defined elsewhere) from time-part fields;
// the third has no duration step.

// Duration from day, hour, min and second.
var all494 = all_match({
  processors: [dup12, dup4, dup2139],
  on_success: processor_chain([
    dup68, dup2140, dup2285, dup2286, dup2287, dup2339, dup2288, dup2289,
    call({
      dest: "nwparser.duration",
      fn: DUR,
      args: [
        constant("%A%N%T%O"),
        field("day"),
        field("hour"),
        field("min"),
        field("second"),
      ],
    }),
  ]),
});

// Duration from hour, min and second only.
var all495 = all_match({
  processors: [dup12, dup4, dup2141],
  on_success: processor_chain([
    dup68, dup2142, dup2285, dup2286, dup2287, dup2339, dup2288, dup2289,
    call({
      dest: "nwparser.duration",
      fn: DUR,
      args: [
        constant("%N%U%O"),
        field("hour"),
        field("min"),
        field("second"),
      ],
    }),
  ]),
});

var all496 = all_match({
  processors: [dup12, dup4, dup2143],
  on_success: processor_chain([
    dup68, dup2144, dup2286, dup2287, dup2339, dup2288, dup2289,
  ]),
});
// Kerberos clock-skew error. The pattern contains the literal
// "greater than 300 seconds", so only that exact wording matches.
var msg1052 = match({
  dissect: {
    tokenizer: "Kerberos error : Clock skew with server %{hostip} greater than 300 seconds",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup183, dup599, dup2320, dup2299, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("Kerberos error") }),
  ]),
});

// AAA server marked FAILED: protocol, server address and server group
// (fld1) are captured; ec_subject is set to "Service".
var msg1053 = match({
  dissect: {
    tokenizer: "AAA Marking %{protocol} server %{hostip} in aaa-server group %{fld1} as FAILED",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup183, dup429,
    set_field({ dest: "nwparser.ec_subject", value: constant("Service") }),
    dup2320, dup2314, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("AAA marking Server as FAILED"),
    }),
  ]),
});

// AAA server marked ACTIVE: same captures as the FAILED variant.
var msg1054 = match({
  dissect: {
    tokenizer: "AAA Marking %{protocol} server %{hostip} in aaa-server group %{fld1} as ACTIVE",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup1100, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("AAA marking Server as ACTIVE"),
    }),
  ]),
});

// AnyConnect parent session start: group, username and source address.
// NOTE(review): each captured value is preceded by two "<" characters
// (\u003c\u003c) but followed by a single ">" (\u003e). If the device writes
// a single "<" there, this pattern would not match and VPN session starts
// would go unparsed; verify against sample logs.
var msg1055 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e AnyConnect parent session started",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup36, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("AnyConnect parent session started"),
    }),
  ]),
});
// Reload command executed. The result is set between dup2287 and dup2288;
// that position is kept as in the original chain.
var all497 = all_match({
  processors: [dup769, dup770, dup771],
  on_success: processor_chain([
    dup141, dup772, dup2285, dup2286, dup2287,
    set_field({ dest: "nwparser.result", value: constant("Reload command executed") }),
    dup2288, dup2289,
  ]),
});

// The next three are catch-alls: the whole payload is dissected into
// event_description and only the leading on_success steps differ.
var msg1056 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup166, dup773, dup2286, dup2287, dup2288, dup2289]),
});

var msg1057 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1789, dup2286, dup2287, dup2288, dup2289]),
});

var msg1058 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup112, dup2286, dup2287, dup2288, dup2289]),
});

// "PIX clear config": the two values go to the generic fields fld1 and
// fld2, so they are not mapped to named fields in this matcher.
var msg1059 = match({
  dissect: {
    tokenizer: "PIX clear config %{fld1} from %{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup857, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("clear config") }),
  ]),
});

// Catch-all: the whole payload is dissected into event_description.
var msg1060 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup338, dup2165, dup2286, dup2287, dup2288, dup2289]),
});
// Device reload messages. In the first three chains the description is set
// before dup2288/dup2289; in the last two it is set after them. Positions
// are kept as in the original.

var all498 = all_match({
  processors: [dup562, dup563, dup564],
  on_success: processor_chain([
    dup25, dup565, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Orderly reload started"),
    }),
    dup2288, dup2289,
  ]),
});

var all499 = all_match({
  processors: [dup2264, dup4, dup2265],
  on_success: processor_chain([
    dup1838, dup2266, dup2292, dup2290, dup2286, dup2287,
    set_field({ dest: "nwparser.event_description", value: constant("Reload scheduled") }),
    dup2288, dup2289,
  ]),
});

var all500 = all_match({
  processors: [dup1836, dup4, dup1837],
  on_success: processor_chain([
    dup1838, dup1839, dup2321, dup2292, dup2290, dup2286, dup2287,
    set_field({ dest: "nwparser.event_description", value: constant("Scheduled reload") }),
    dup2288, dup2289,
  ]),
});

// Reload triggered by the failover parser thread: the timestamp text and
// the stated reason (result) are captured.
var msg1061 = match({
  dissect: {
    tokenizer: "Reloaded at %{event_time_string} by failover parser thread. Reload reason: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20, dup21, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Reload operation by failover parser thread"),
    }),
  ]),
});

var all501 = all_match({
  processors: [dup22, dup4, dup23, dup24],
  on_success: processor_chain([
    dup25, dup26, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Reload operation") }),
  ]),
});
// Attached application detected during context removal; the port is
// captured as network_port.
var msg1062 = match({
  dissect: {
    tokenizer: "IP detected an attached application using port %{network_port} while removing context",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup641, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IP detected an attached application using port"),
    }),
    dup2288, dup2289,
  ]),
});

// Same family with protocol, local port (sport) and destination port.
var msg1063 = match({
  dissect: {
    tokenizer: "%{protocol} detected an attached application using local port %{sport} and destination port %{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1287, dup2286, dup2287, dup2288, dup2289]),
});

// Catch-all payload capture followed by dup2308.
var msg1064 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup600, dup2286, dup2287, dup2288, dup2289, dup2308,
  ]),
});

// Connection table exhausted; the two slash-separated values are kept in
// the generic fields fld1 and fld2.
var msg1065 = match({
  dissect: {
    tokenizer: "Out of connections! %{fld1}/%{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup248, dup2286, dup2287, dup2288, dup2289]),
});
// Three-stage matcher; the stages are defined elsewhere in the file.
var all502 = all_match({
  processors: [dup380, dup381, dup382],
  on_success: processor_chain([dup93, dup383, dup2286, dup2287, dup2288, dup2289]),
});

// Five-stage matcher; the stages are defined elsewhere in the file.
var all503 = all_match({
  processors: [dup384, dup385, dup386, dup387, dup388],
  on_success: processor_chain([
    dup93, dup389, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Embryonic (half-open) connection limit exceeded. Captures both
// interfaces, both endpoints and the parenthesised address as hostip;
// a burst of these records is worth alerting on as a possible SYN flood.
var msg1066 = match({
  dissect: {
    tokenizer: "Embryonic limit exceeded %{sinterface}/%{dinterface} for %{saddr}/%{sport} to (%{hostip}) %{daddr}/%{dport} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1049, dup2286, dup2287, dup2288, dup2289, dup2341,
  ]),
});

// Staged matcher; its middle stage dup381 is also the middle stage of all502.
var all504 = all_match({
  processors: [dup992, dup381, dup993],
  on_success: processor_chain([
    dup93, dup994, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Too many embryonic connections. NOTE(review): "STRING" is a literal word
// in the pattern; if it stands in for a variable part of the message, real
// records would not match. Confirm against sample logs.
var msg1067 = match({
  dissect: {
    tokenizer: "Too many embryonic connections on STRING %{hostip} %{fld1}/%{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup995, dup2286, dup2287, dup2288, dup2289]),
});
// Data connection failure: protocol and host address.
var msg1068 = match({
  dissect: {
    tokenizer: "%{protocol} data connection failed for %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup243, dup1009, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("data connection failed"),
    }),
  ]),
});

// RCMD back-connection failure: host address and port.
var msg1069 = match({
  dissect: {
    tokenizer: "RCMD backconnection failed for %{hostip}/%{network_port}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup243, dup367, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("RCMD back connection failed"),
    }),
    dup2288, dup2289,
  ]),
});

// Connection allocation failure: protocol and both endpoints.
var msg1070 = match({
  dissect: {
    tokenizer: "Unable to allocate new %{protocol} connections (%{saddr}/%{sport}-%{daddr}/%{dport})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup243, dup2263, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Unable to allocate new connections"),
    }),
  ]),
});

// NOTE(review): the dissect captures the payload as event_description and
// the final step then sets nwparser.event_description to a constant. If both
// refer to the same field, the captured text is replaced; confirm intended.
var msg1071 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1764, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("New connections disallowed"),
    }),
  ]),
});
// Connection-limit messages. Per-host and per-client limit hits are useful
// inputs for flood and scan detection.

// Per-host TCP connection limit: the limit value is captured as
// dclass_counter1 and labelled "Number of connections".
var msg1072 = match({
  dissect: {
    tokenizer: "TCP connection limit of %{dclass_counter1} for host %{hostip} on %{interface} exceeded",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup2046, dup2286, dup2287,
    set_field({
      dest: "nwparser.dclass_counter1_string",
      value: constant("Number of connections"),
    }),
    dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("TCP connection limit exceeded"),
    }),
  ]),
});

// Embryonic connection limit, with direction and both endpoints.
var msg1073 = match({
  dissect: {
    tokenizer: "Embryonic connection limit exceeded %{fld1}/%{fld2} for %{direction} packet from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup2129, dup2286, dup2287, dup2288, dup2289, dup2342,
  ]),
});

// Per-client connection limit; same captures as msg1073.
var msg1074 = match({
  dissect: {
    tokenizer: "Per-client connection limit exceeded %{fld1}/%{fld2} for %{direction} packet from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup2024, dup2286, dup2287, dup2288, dup2289, dup2342,
  ]),
});

// Generic connection limit; same captures, with a fixed description in
// place of the trailing dup2342 step.
var msg1075 = match({
  dissect: {
    tokenizer: "Connection limit exceeded %{fld1}/%{fld2} for %{direction} packet from %{saddr}/%{sport} to %{daddr}/%{dport} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup2276, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Connection limit exceeded"),
    }),
  ]),
});

// Catch-all: the whole payload is dissected into event_description.
var msg1076 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2138, dup2286, dup2287, dup2288, dup2289]),
});
// Translation lookup failure: source, destination and trailing free text.
var msg1077 = match({
  dissect: {
    tokenizer: "Unable to find translation for SRC=%{saddr} DEST=%{daddr} %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1046, dup2286, dup2287, dup2288, dup2289]),
});

// Translation build failure for a source address. The pattern ends with a
// literal "." after the address.
var msg1078 = match({
  dissect: {
    tokenizer: "Could not build translation for %{saddr}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup1445, dup2313, dup2302, dup2314,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Portmap translation build failure; also ends with a literal ".".
var msg1079 = match({
  dissect: {
    tokenizer: "Could not build portmap translation for %{saddr}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup489, dup1285, dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Non-embryonic entry found in the embryonic list: both endpoints.
var msg1080 = match({
  dissect: {
    tokenizer: "Non-embryonic in embryonic list %{saddr}/%{sport} %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1849, dup2286, dup2287, dup2288, dup2289]),
});

// "No Key SPI" error: leading text goes to info, the SPI to fld1, plus
// source and destination addresses.
var msg1081 = match({
  dissect: {
    tokenizer: "%{info} Error: No Key SPI %{fld1} SRC %{saddr} DEST %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup106, dup676, dup2343, dup2344, dup2299, dup2286, dup2287,
    set_field({ dest: "nwparser.event_description", value: constant("No Key SPI") }),
    dup2288, dup2289,
  ]),
});

// "pix clear" return code: function name (fld1), object (fld2), resultcode.
var msg1082 = match({
  dissect: {
    tokenizer: "(FUNCTION:%{fld1}) pix clear %{fld2} return %{resultcode}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup1908, dup2286, dup2287, dup2288, dup2289]),
});
// Rules msg1083-msg1087: IP-fragment messages. Each dissects nwparser.payload and then
// sets a constant event_description (and, for the last two, a constant result) after
// the shared dupNNN processors, which are declared elsewhere in this file.

var msg1083 = match({
  dissect: {
    tokenizer: "IPFRAG: Unable to allocate frag record for %{saddr}/%{sport} to %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup168, dup2036, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Unable to allocate frag record"),
    }),
  ]),
});

var msg1084 = match({
  dissect: {
    tokenizer: "IPFRAG: First Frag have not been seen %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup137, dup1440, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("First Frag have not been seen"),
    }),
  ]),
});

// fld1 is the configured limit, fld2 the fragment id; %{space} absorbs padding.
var msg1085 = match({
  dissect: {
    tokenizer: "Fragment database limit of %{fld1} exceeded: %{space} src = %{saddr}, %{space} dest = %{daddr}, proto = %{protocol}, id = %{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1680, dup2286, dup2287, dup2288, dup2289, dup2303,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Fragment database limit exceeded"),
    }),
  ]),
});

// NOTE(review): the two "size" values are captured under the keys icmptype and icmpcode.
// If those keys are later mapped to ICMP type/code fields, fragment sizes would show up
// there and could skew ICMP-based detections - confirm the downstream mapping.
var msg1086 = match({
  dissect: {
    tokenizer: "Invalid IP fragment, size = %{icmptype} exceeds maximum size = %{icmpcode}: %{space} src = %{saddr}, dest = %{daddr}, proto = %{protocol}, id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup2213, dup2286, dup2287, dup2288, dup2289, dup2303,
    set_field({ dest: "nwparser.event_description", value: constant("Invalid IP fragment") }),
    set_field({ dest: "nwparser.result", value: constant("size exceeded") }),
  ]),
});

// NOTE(review): the fragment "id" is captured as policy_id here, whereas msg1085 and
// msg1086 use fldN keys for the same position - confirm this is intended.
var msg1087 = match({
  dissect: {
    tokenizer: "Discard IP fragment set with more than %{fld1} elements: %{space} src = %{saddr}, dest = %{daddr}, proto = %{protocol}, id = %{policy_id}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup168, dup1299, dup2286, dup2287, dup2288, dup2289, dup2303,
    set_field({ dest: "nwparser.event_description", value: constant("Discarded IP fragment") }),
    set_field({ dest: "nwparser.result", value: constant("number of elements exceeded") }),
  ]),
});
// Rules msg1088-msg1094: "LU ..." messages plus several catch-alls. Every rule reads
// nwparser.payload; the first two chain entries differ per rule and the remaining four
// (dup2286..dup2289) are the same shared processors, all declared elsewhere.

var msg1088 = match({
  dissect: {
    tokenizer: "LU SMNAME error = %{resultcode}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1574, dup2286, dup2287, dup2288, dup2289]),
});

// Catch-all: whole payload becomes event_description (same for msg1090, msg1091, msg1093).
var msg1089 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup1900, dup2286, dup2287, dup2288, dup2289]),
});

var msg1090 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup368, dup2286, dup2287, dup2288, dup2289]),
});

var msg1091 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup1659, dup2286, dup2287, dup2288, dup2289]),
});

// Captures the address as hostip.
var msg1092 = match({
  dissect: {
    tokenizer: "LU look NAT for %{hostip} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup268, dup864, dup2286, dup2287, dup2288, dup2289]),
});

var msg1093 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup1050, dup2286, dup2287, dup2288, dup2289]),
});

// Captures both endpoints as address/port pairs separated by "/".
var msg1094 = match({
  dissect: {
    tokenizer: "LU no xlate for %{saddr}/%{sport} %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup268, dup601, dup2286, dup2287, dup2288, dup2289]),
});
// Rules msg1095-msg1100: remaining "LU ..." messages and catch-alls, all reading
// nwparser.payload. dupNNN entries are shared processors declared elsewhere.

// Endpoints use ":" between address and port here (msg1094 uses "/").
// event_description is replaced by a constant, then dup2345 runs last.
var msg1095 = match({
  dissect: {
    tokenizer: "LU make UDP connection for %{saddr}:%{sport} %{daddr}:%{dport} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup243, dup2252, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Unable to allocate a new record for a UDP connection"),
    }),
    dup2345,
  ]),
});

// Catch-all: whole payload becomes event_description (same for msg1098-msg1100).
var msg1096 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup268, dup1726, dup2286, dup2287, dup2288, dup2289]),
});

// Captures hostip and the interface name.
var msg1097 = match({
  dissect: {
    tokenizer: "LU create static xlate %{hostip} ifc %{interface} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup268, dup1715, dup2286, dup2287, dup2288, dup2289]),
});

var msg1098 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup244, dup2286, dup2287, dup2288, dup2289]),
});

var msg1099 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup243, dup1213, dup2286, dup2287, dup2288, dup2289]),
});

var msg1100 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup946, dup2286, dup2287, dup2288, dup2289]),
});
// Rules msg1101-msg1105 and all505: channel/request errors where the protocol name is
// taken from the message text. All read nwparser.payload except all505, whose input
// processors (dup1782..dup1786) are declared elsewhere, like every other dupNNN here.

var msg1101 = match({
  dissect: {
    tokenizer: "Unable to open %{protocol} channel (UDP port %{network_port}) on interface %{interface}, error code = %{resultcode}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup47, dup1077, dup2286, dup2287, dup2288, dup2289]),
});

var msg1102 = match({
  dissect: {
    tokenizer: "Unable to open %{protocol} trap channel (UDP port %{network_port}) on interface %{interface}, error code = %{resultcode}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup47, dup850, dup2286, dup2287, dup2288, dup2289]),
});

var msg1103 = match({
  dissect: {
    tokenizer: "Unable to receive an %{protocol} request on interface %{interface}, error code = %{resultcode}, will try again.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup47, dup1962, dup2286, dup2287, dup2288, dup2289]),
});

// Only the destination side (daddr/dport) is present in this message.
var msg1104 = match({
  dissect: {
    tokenizer: "Unable to send an %{protocol} response to IP Address %{daddr} Port %{dport} interface %{interface}, error code = %{resultcode}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup47, dup1946, dup2286, dup2287, dup2288, dup2289]),
});

// Multi-part rule: the five listed processors are applied in order (presumably all
// must succeed - all_match is defined elsewhere) before the on_success chain.
var all505 = all_match({
  processors: [dup1782, dup1783, dup1784, dup1785, dup1786],
  on_success: processor_chain([
    dup93, dup1787, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("incoming request exceeds data buffer size"),
    }),
  ]),
});

// The drop reason is captured as result. The description is the fixed text
// "Dropping SNMP request" even though the protocol itself comes from %{protocol}.
var msg1105 = match({
  dissect: {
    tokenizer: "Dropping %{protocol} request from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} because: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup378, dup1280, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Dropping SNMP request") }),
  ]),
});
// Rules msg1106-msg1113: management/daemon messages read from nwparser.payload.
// dupNNN entries are shared processors declared elsewhere in this file.

var msg1106 = match({
  dissect: {
    tokenizer: "PPTP control daemon socket io %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup595, dup2286, dup2287, dup2288, dup2289]),
});

// Catch-all: whole payload becomes event_description (also msg1108, msg1109, msg1111, msg1112).
var msg1107 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup370, dup2286, dup2287, dup2288, dup2289]),
});

var msg1108 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup1078, dup2286, dup2287, dup2288, dup2289]),
});

var msg1109 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup703, dup2286, dup2287, dup2288, dup2289]),
});

// Management-session termination: keeps the peer address (saddr), the interface and the
// stated reason (result); the description is replaced with a constant.
var msg1110 = match({
  dissect: {
    tokenizer: "Terminating manager session from %{saddr} on interface %{interface}.%{space}Reason: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup349, dup548, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Terminated manager session"),
    }),
  ]),
});

var msg1111 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup1829, dup2286, dup2287, dup2288, dup2289]),
});

var msg1112 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup903, dup2286, dup2287, dup2288, dup2289]),
});

// Hardware read error: the leading token is captured as service; the description is
// fixed to the i2c function name regardless of what that token was.
var msg1113 = match({
  dissect: {
    tokenizer: "%{service} error, slot = %{fld1}, device = %{fld2}, address = %{fld3}, byte count = %{bytes}. Reason: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1699, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("i2c_read_block_w_suspend() error"),
    }),
  ]),
});
// Rules msg1114-msg1115, both reading nwparser.payload. dupNNN entries are shared
// processors declared elsewhere in this file.

// NOTE(review): the constant description below begins with a space. It is kept as-is
// because consumers may already match on it, but exact-match searches or detection
// rules written without the leading space will not hit - confirm and normalise upstream.
var msg1114 = match({
  dissect: {
    tokenizer: "%{severity}: Duplex-mismatch on %{service} resulted in transmitter lockup. %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup799, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant(" Duplex-mismatch resulted in transmitter lockup."),
    }),
  ]),
});

// Denied configuration attempt over HTTP: the only captured value is the requesting
// address (saddr). A management-plane denial like this is usually worth alerting on.
var msg1115 = match({
  dissect: {
    tokenizer: "Denied HTTP configuration attempt from %{saddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup349, dup833, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("HTTP config denied") }),
  ]),
});
// Rules msg1116-msg1120: "Built ... TCP connection" variants read from nwparser.payload.
// Which endpoint is stored as source vs destination depends on the variant, so the
// capture keys are swapped between the inbound and outbound patterns. dupNNN entries
// are shared processors declared elsewhere in this file.

// Inbound, faddr/gaddr/laddr form: faddr -> saddr/sport, laddr -> daddr/dport.
var msg1116 = match({
  dissect: {
    tokenizer: "Built inbound TCP connection %{fld1} for faddr %{saddr}/%{sport} gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1003, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2346,
  ]),
});

// Outbound, same form with the mapping reversed: faddr -> daddr/dport, laddr -> saddr/sport.
var msg1117 = match({
  dissect: {
    tokenizer: "Built outbound TCP connection %{fld1} for faddr %{daddr}/%{dport} gaddr %{hostip}/%{network_port} laddr %{saddr}/%{sport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1004, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2347,
  ]),
});

// No direction word in the message; uses the inbound mapping.
var msg1118 = match({
  dissect: {
    tokenizer: "Built TCP connection %{fld1} for faddr %{saddr}/%{sport} gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1005, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Outbound, interface:addr/port form: the first endpoint is stored as destination.
var msg1119 = match({
  dissect: {
    tokenizer: "Built outbound TCP connection %{fld1} for %{dinterface}:%{daddr}/%{dport} (%{hostip}) to %{sinterface}:%{saddr}/%{sport} (%{fld3})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1006, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Generic form: the direction word itself is captured; the first endpoint is the source.
var msg1120 = match({
  dissect: {
    tokenizer: "Built %{direction} TCP connection %{fld1} for %{sinterface}:%{saddr}/%{sport} (%{hostip}) to %{dinterface}:%{daddr}/%{dport} (%{fld3})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1007, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Rules msg1121-msg1123: TCP teardown and H245 build messages read from
// nwparser.payload. dupNNN entries are shared processors declared elsewhere.

// faddr/gaddr/laddr teardown: also captures connectionid, duration and bytes; the
// parenthesised trailer goes to fld3.
var msg1121 = match({
  dissect: {
    tokenizer: "Teardown TCP connection %{connectionid} faddr %{saddr}/%{sport} gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport} duration %{duration} bytes %{bytes} (%{fld3})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup430, dup431, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2303,
    dup2348, dup2349,
  ]),
});

// interface:addr/port teardown: everything after the byte count goes to fld2.
var msg1122 = match({
  dissect: {
    tokenizer: "Teardown TCP connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration} bytes %{bytes} %{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup430, dup432, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2303, dup2348, dup2349,
  ]),
});

// Addresses only; this message carries no ports.
var msg1123 = match({
  dissect: {
    tokenizer: "Built H245 connection for faddr %{saddr} laddr %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1118, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2350,
  ]),
});
// Multi-part rules all506 and all507. "processors" lists the sub-rules applied in order
// (presumably all must succeed - all_match is defined elsewhere); on_success is the
// chain that follows. All dupNNN entries are declared elsewhere in this file.

// NOTE(review): unlike most neighbouring chains, this one has no dup2286 and places
// dup2287 before dup2316 - confirm the omission and ordering are intended.
var all506 = all_match({
  processors: [dup1727, dup1728, dup1729, dup1730, dup1731, dup1732],
  on_success: processor_chain([
    dup33, dup1733, dup2313, dup2302, dup2287, dup2316, dup2288, dup2289, dup2351,
  ]),
});

// Shares dup1727-dup1729 and dup1731 with all506; differs in the 4th, 6th and 7th parts.
// NOTE(review): this chain also has no dup2286 - confirm intended.
var all507 = all_match({
  processors: [dup1727, dup1728, dup1729, dup1734, dup1731, dup446, dup1735],
  on_success: processor_chain([
    dup33, dup1736, dup2313, dup2302, dup2316, dup2285, dup2287, dup2288, dup2289, dup2351,
  ]),
});
// Rules msg1124-msg1127: "Built ... UDP connection" variants and a denied-ICMP message,
// all read from nwparser.payload. dupNNN entries are shared processors declared elsewhere.

// faddr/gaddr/laddr form: faddr -> saddr/sport, laddr -> daddr/dport.
var msg1124 = match({
  dissect: {
    tokenizer: "Built UDP connection for faddr %{saddr}/%{sport} gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1129, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2350,
  ]),
});

// Outbound: the first endpoint in the message is stored as destination.
var msg1125 = match({
  dissect: {
    tokenizer: "Built outbound UDP connection %{fld1} for %{dinterface}:%{daddr}/%{dport} (%{hostip}) to %{sinterface}:%{saddr}/%{sport} (%{fld3})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1130, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2350,
  ]),
});

// Generic form: the direction word is captured; the first endpoint is the source.
var msg1126 = match({
  dissect: {
    tokenizer: "Built %{direction} UDP connection %{fld1} for %{sinterface}:%{saddr}/%{sport} (%{hostip}) to %{dinterface}:%{daddr}/%{dport} (%{fld3})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1131, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2350,
  ]),
});

// Denied packet with an invalid code: captures protocol, icmpcode, both endpoints,
// the ICMP id (fld4) and icmptype.
var msg1127 = match({
  dissect: {
    tokenizer: "Denied invalid %{protocol} code %{icmpcode}, for %{sinterface}:%{saddr}/%{sport} (%{hostip}) to %{dinterface}:%{daddr}/%{dport} (%{fld3}), ICMP id %{fld4}, ICMP type %{icmptype}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup1737, dup2285, dup2286, dup2287, dup2288, dup2289, dup2303,
  ]),
});
// Rules msg1128-msg1131: UDP teardown and conduit build/teardown messages read from
// nwparser.payload. dupNNN entries are shared processors declared elsewhere.

// faddr/gaddr/laddr teardown; this variant has no duration or byte count.
var msg1128 = match({
  dissect: {
    tokenizer: "Teardown UDP connection for faddr %{saddr}/%{sport} gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup430, dup1770, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2303,
    dup2348, dup2345,
  ]),
});

// interface:addr/port teardown with duration and bytes; the connection id goes to fld1.
var msg1129 = match({
  dissect: {
    tokenizer: "Teardown UDP connection %{fld1} for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration} bytes %{bytes}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup430, dup1771, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2303, dup2348, dup2345,
  ]),
});

// Conduit build: addresses without ports, IP version in fld1, then protocol.
var msg1130 = match({
  dissect: {
    tokenizer: "Built conduit from %{sinterface}:%{saddr} to %{dinterface}:%{daddr} IP version %{fld1} protocol %{protocol}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1063, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2350,
  ]),
});

// Conduit teardown: same captures as msg1130; the chain ends with dup2352 instead of dup2350.
var msg1131 = match({
  dissect: {
    tokenizer: "Teardown conduit from %{sinterface}:%{saddr} to %{dinterface}:%{daddr} IP version %{fld1} protocol %{protocol}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup430, dup2267, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2352,
  ]),
});
// Multi-part rules all508-all510 and catch-all msg1132. For all_match, "processors"
// lists the sub-rules applied in order (presumably all must succeed - the helper is
// defined elsewhere); every dupNNN referenced here is declared elsewhere in this file.

var all508 = all_match({
  processors: [dup304, dup305, dup306, dup307, dup308, dup309, dup310],
  on_success: processor_chain([
    dup33, dup311, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2353,
  ]),
});

// Same sub-rules as all508 except the first (dup312 instead of dup304); the chain
// starts with dup288/dup313 and omits dup2285.
var all509 = all_match({
  processors: [dup312, dup305, dup306, dup307, dup308, dup309, dup310],
  on_success: processor_chain([
    dup288, dup313, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2353,
  ]),
});

// Catch-all: whole payload becomes event_description.
// NOTE(review): dup2288/dup2289 run before dup2286/dup2287 here, the reverse of the
// order used by the other rules in this part of the file - confirm order is irrelevant.
var msg1132 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup1315, dup2288, dup2289, dup2286, dup2287]),
});

var all510 = all_match({
  processors: [dup2253, dup2254],
  on_success: processor_chain([
    dup33, dup2255, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2351,
  ]),
});
// Rule msg1133 and multi-part rules all511-all513: "Built inbound/outbound" connection
// messages that can carry identity information. dupNNN entries are declared elsewhere.

// Inbound build with translated addresses and identities. The tokenizer's "\\" is a
// literal backslash separating domain from user: source side -> domain / fld3,
// destination side -> ddomain / c_username, and the final parenthesised value -> username.
// Dissect patterns are positional, so these identity strings are whatever text sits
// between the delimiters; treat them as untrusted data when displayed or correlated.
var msg1133 = match({
  dissect: {
    tokenizer: "Built inbound %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport})(%{domain}\\%{fld3}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})(%{ddomain}\\%{c_username}) (%{username})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup735, dup2324, dup2301, dup2302, dup2286, dup2287, dup2288, dup2289, dup2346,
    dup2350,
  ]),
});

var all511 = all_match({
  processors: [dup736, dup737, dup738, dup739],
  on_success: processor_chain([
    dup288, dup740, dup2324, dup2301, dup2302, dup2286, dup2287, dup2288, dup2289, dup2346,
    dup2350,
  ]),
});

// Chain ends with dup2347 (the other rules in this group use dup2346).
var all512 = all_match({
  processors: [dup741, dup742],
  on_success: processor_chain([
    dup288, dup743, dup2324, dup2301, dup2302, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2347, dup2350,
  ]),
});

// Shares its first sub-rule (dup736) with all511.
var all513 = all_match({
  processors: [dup736, dup744, dup745],
  on_success: processor_chain([
    dup288, dup746, dup2324, dup2301, dup2302, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2346, dup2350,
  ]),
});
// Sub-rule msg1134 and the multi-part rule all514 that uses it as its last part.
// dupNNN entries are declared elsewhere in this file.

// Tail pattern applied to nwparser.p3 (not the payload); it has no on_success chain.
// NOTE(review): the pattern ends with three literal closing parentheses, so it only
// matches text that ends the same way - confirm against sample logs.
var msg1134 = match({
  dissect: {
    tokenizer: "%{sport} (%{stransaddr}/%{stransport})))",
    field: "nwparser.p3",
  },
});

// Parts are applied in order (presumably all must succeed - all_match is defined
// elsewhere); msg1134 consumes the remainder held in nwparser.p3.
var all514 = all_match({
  processors: [dup747, dup748, dup749, dup750, msg1134],
  on_success: processor_chain([
    dup288, dup752, dup2324, dup2301, dup2302, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2347, dup2350,
  ]),
});
// Rules msg1135-msg1138 and all515: further "Built inbound/outbound" connection
// variants. dupNNN entries are shared processors declared elsewhere in this file.

// Inbound, space-separated interface form with a gaddr in the middle.
var msg1135 = match({
  dissect: {
    tokenizer: "Built inbound %{protocol} connection %{connectionid} for %{sinterface} %{saddr}/%{sport} gaddr %{hostip}/%{network_port} %{dinterface} %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup753, dup2324, dup2301, dup2302, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2346, dup2350,
  ]),
});

// Outbound counterpart: the first endpoint is stored as destination; ends with dup2347.
var msg1136 = match({
  dissect: {
    tokenizer: "Built outbound %{protocol} connection %{connectionid} for %{dinterface} %{daddr}/%{dport} gaddr %{hostip}/%{network_port} %{sinterface} %{saddr}/%{sport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup754, dup2324, dup2301, dup2302, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2347, dup2350,
  ]),
});

// Multi-part rule; parts are applied in order (all_match is defined elsewhere).
var all515 = all_match({
  processors: [dup755, dup756, dup757, dup750, dup2354],
  on_success: processor_chain([
    dup288, dup758, dup2324, dup2301, dup2302, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2347, dup2350,
  ]),
});

// Inbound with an identity on the destination side only: "\\" is a literal backslash
// between domain and username.
// NOTE(review): this chain has no dup2286, unlike msg1135/msg1136 - confirm intended.
var msg1137 = match({
  dissect: {
    tokenizer: "Built inbound %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})(%{domain}\\%{username})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup759, dup2324, dup2301, dup2302, dup2285, dup2287, dup2288, dup2289, dup2346,
    dup2350,
  ]),
});

// Inbound with a parenthesised value after the source translation, kept as fld.
// NOTE(review): this chain also has no dup2286 - confirm intended.
var msg1138 = match({
  dissect: {
    tokenizer: "Built inbound %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport})(%{fld}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup760, dup2324, dup2301, dup2302, dup2285, dup2287, dup2288, dup2289, dup2346,
    dup2350,
  ]),
});
// Tail alternatives msg1139-msg1142 (all applied to nwparser.p3), their selector
// select174, and the multi-part rule all516 that ends with it. dupNNN entries are
// declared elsewhere in this file.

// \u003c and \u003e are the escaped less-than and greater-than signs.
// NOTE(review): the pattern opens with two less-than signs but closes with one
// greater-than sign - confirm against sample logs.
var msg1139 = match({
  dissect: {
    tokenizer: "\u003c\u003c%{result}\u003e (%{username})%{p4}",
    field: "nwparser.p3",
  },
});

// Result followed by a parenthesised username; the rest goes to p4.
var msg1140 = match({
  dissect: {
    tokenizer: "%{result} (%{username})%{p4}",
    field: "nwparser.p3",
  },
});

// Parenthesised result, no username.
var msg1141 = match({
  dissect: {
    tokenizer: "(%{result}) %{p4}",
    field: "nwparser.p3",
  },
});

// Bare result preceded by a literal space.
var msg1142 = match({
  dissect: {
    tokenizer: " %{result} %{p4}",
    field: "nwparser.p3",
  },
});

// Alternatives are listed most-specific first; presumably the first one that matches
// is used (linear_select is defined elsewhere), so the order must be preserved.
var select174 = linear_select([msg1139, msg1140, msg1141, msg1142]);

var all516 = all_match({
  processors: [dup1609, dup1610, dup2059, dup2060, select174],
  on_success: processor_chain([
    dup579, dup2061, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2303,
    dup2355, dup2348,
  ]),
});
// Multi-part rules all517-all519. "processors" lists the sub-rules applied in order
// (presumably all must succeed - all_match is defined elsewhere). Every dupNNN entry
// is declared elsewhere in this file.

var all517 = all_match({
  processors: [dup2062, dup2063],
  on_success: processor_chain([
    dup579, dup2064, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2303,
    dup2355, dup2348,
  ]),
});

var all518 = all_match({
  processors: [dup1609, dup2065, dup2066, dup2067],
  on_success: processor_chain([
    dup579, dup2068, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2303,
    dup2355, dup2348,
  ]),
});

// NOTE(review): this chain has no dup2286, unlike all517 and all518 - confirm intended.
var all519 = all_match({
  processors: [dup2069, dup2070],
  on_success: processor_chain([
    dup579, dup2071, dup2313, dup2302, dup2316, dup2287, dup2288, dup2289, dup2303, dup2355,
    dup2348,
  ]),
});
// Tail alternatives msg1143/msg1144 (applied to nwparser.p3), their selector select175,
// and multi-part rules all520/all521. dupNNN entries are declared elsewhere.

// Info text followed by a parenthesised username; the rest goes to p4.
var msg1143 = match({
  dissect: {
    tokenizer: "%{info} (%{username})%{p4}",
    field: "nwparser.p3",
  },
});

// Fallback without a username.
var msg1144 = match({
  dissect: {
    tokenizer: "%{info} %{p4}",
    field: "nwparser.p3",
  },
});

// The username-bearing form is listed first; presumably the first match wins
// (linear_select is defined elsewhere), so the order must be preserved.
var select175 = linear_select([msg1143, msg1144]);

var all520 = all_match({
  processors: [dup1609, dup2072, dup2073, dup2074, select175],
  on_success: processor_chain([
    dup579, dup2075, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2303,
    dup2355, dup2348,
  ]),
});

// Same chain as all520 apart from its second entry and the added dup2285.
var all521 = all_match({
  processors: [dup2076, dup2077],
  on_success: processor_chain([
    dup579, dup2078, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2303, dup2355, dup2348,
  ]),
});
// Rules msg1145, msg1146 and multi-part rules all522-all524: more "Built ... connection"
// variants. dupNNN entries are shared processors declared elsewhere in this file.

// Inbound build with identities: source side is domain "\\" fld3 (literal backslash),
// destination side keeps one parenthesised value as fld4, and the last parenthesised
// value is username. These are free-text captures; treat them as untrusted downstream.
var msg1145 = match({
  dissect: {
    tokenizer: "Built inbound %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport})(%{domain}\\%{fld3}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})(%{fld4}) (%{username})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1254, dup2324, dup2301, dup2302, dup2286, dup2287, dup2288, dup2289, dup2346,
    dup2350,
  ]),
});

var all522 = all_match({
  processors: [dup736, dup737, dup1255, dup1256],
  on_success: processor_chain([
    dup288, dup1257, dup2324, dup2301, dup2302, dup2286, dup2287, dup2288, dup2289, dup2346,
    dup2350,
  ]),
});

var all523 = all_match({
  processors: [dup741, dup742],
  on_success: processor_chain([
    dup288, dup1258, dup2324, dup2301, dup2302, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2347, dup2350,
  ]),
});

// Here the direction is copied from the captured fld1 value rather than set by a
// shared processor; fld1 is presumably produced by one of the listed sub-rules.
var all524 = all_match({
  processors: [dup1259, dup1260, dup757, dup750, dup2354],
  on_success: processor_chain([
    dup288, dup1261, dup2324, dup2301, dup2302, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.direction", value: field("fld1") }),
    dup2350,
  ]),
});

// Build message with no direction word, space-separated interface form.
var msg1146 = match({
  dissect: {
    tokenizer: "Built %{protocol} connection %{connectionid} for %{sinterface} %{saddr}/%{sport} gaddr %{hostip}/%{network_port} %{dinterface} %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup1262, dup2324, dup2301, dup2302, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2350,
  ]),
});
// Tail alternatives msg1147/msg1148 (applied to nwparser.p3), their selector select176,
// and multi-part rules all525-all527. dupNNN entries are declared elsewhere.

// Byte count followed by a parenthesised username; the rest goes to p4.
var msg1147 = match({
  dissect: {
    tokenizer: "%{bytes} (%{username})%{p4}",
    field: "nwparser.p3",
  },
});

// Fallback without a username.
var msg1148 = match({
  dissect: {
    tokenizer: "%{bytes} %{p4}",
    field: "nwparser.p3",
  },
});

// The username-bearing form is listed first; presumably the first match wins
// (linear_select is defined elsewhere), so the order must be preserved.
var select176 = linear_select([msg1147, msg1148]);

var all525 = all_match({
  processors: [dup1609, dup1610, dup1611, dup1612, select176],
  on_success: processor_chain([
    dup579, dup1613, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2303, dup2355, dup2348,
  ]),
});

// NOTE(review): this chain has no dup2286, unlike all525 and all527 - confirm intended.
var all526 = all_match({
  processors: [dup1614, dup1615],
  on_success: processor_chain([
    dup579, dup1616, dup2313, dup2302, dup2316, dup2285, dup2287, dup2288, dup2289, dup2303,
    dup2355, dup2348,
  ]),
});

// Shares its second sub-rule (dup1615) with all526.
var all527 = all_match({
  processors: [dup1617, dup1615],
  on_success: processor_chain([
    dup579, dup1618, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2303, dup2355, dup2348,
  ]),
});
// Tail alternatives msg1149-msg1151 (applied to nwparser.p5), their selector select177,
// and the multi-part rule all528 that ends with it. dupNNN entries are declared elsewhere.

// Byte count followed by a single-quoted username.
var msg1149 = match({
  dissect: {
    tokenizer: " bytes %{bytes} '%{username}' %{p6}",
    field: "nwparser.p5",
  },
});

// Byte count followed by a parenthesised username.
var msg1150 = match({
  dissect: {
    tokenizer: " bytes %{bytes} (%{username}) %{p6}",
    field: "nwparser.p5",
  },
});

// Byte count only.
var msg1151 = match({
  dissect: {
    tokenizer: " bytes %{bytes} %{p6}",
    field: "nwparser.p5",
  },
});

// Username-bearing forms come first and the bare form last; presumably the first
// match wins (linear_select is defined elsewhere), so the order must be preserved.
var select177 = linear_select([msg1149, msg1150, msg1151]);

var all528 = all_match({
  processors: [dup1609, dup1619, dup1620, dup1621, dup1622, dup1623, select177],
  on_success: processor_chain([
    dup579, dup1624, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2303,
    dup2355, dup2348,
  ]),
});
// Tail alternatives for usernames (msg1152-msg1154), selectors select178/select179, and
// the multi-part rule all529 that uses both selectors. dupNNN entries are declared
// elsewhere in this file.

// Single-quoted username read from nwparser.p5.
var msg1152 = match({
  dissect: {
    tokenizer: " '%{username}' %{p6}",
    field: "nwparser.p5",
  },
});

// Parenthesised username read from nwparser.p5.
var msg1153 = match({
  dissect: {
    tokenizer: " (%{username}) %{p6}",
    field: "nwparser.p5",
  },
});

var select178 = linear_select([msg1152, msg1153]);

// Parenthesised username read from nwparser.p6 (the remainder left by select178).
// When both selectors capture a username, which value ends up stored depends on how
// the helpers handle repeated keys - confirm in their definitions.
var msg1154 = match({
  dissect: {
    tokenizer: " (%{username}) %{p7}",
    field: "nwparser.p6",
  },
});

// dup2356 is tried before msg1154 (presumably first match wins - linear_select is
// defined elsewhere).
var select179 = linear_select([dup2356, msg1154]);

var all529 = all_match({
  processors: [
    dup1609, dup1619, dup1620, dup1625, dup1626, dup1627, select178, select179,
  ],
  on_success: processor_chain([
    dup579, dup1628, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289, dup2303,
    dup2355, dup2348,
  ]),
});
// Sub-rule msg1155 and the multi-part rule all530 that uses it as its last part.
// dupNNN entries are declared elsewhere in this file.

// Tail pattern applied to nwparser.p3.
// NOTE(review): the key "bytes" appears three times in a row with no delimiter between
// the captures, which looks like a generator artefact. How the dissect helper splits
// the text across the repeated key is not visible here - verify that the stored byte
// count is correct on sample logs, since traffic-volume analytics depend on it.
var msg1155 = match({
  dissect: {
    tokenizer: "%{duration} bytes %{bytes}%{bytes}%{bytes}",
    field: "nwparser.p3",
  },
});

// Parts are applied in order (presumably all must succeed - all_match is defined
// elsewhere); msg1155 consumes the remainder held in nwparser.p3.
var all530 = all_match({
  processors: [dup1609, dup1629, dup1620, dup1630, msg1155],
  on_success: processor_chain([
    dup579, dup1631, dup2313, dup2302, dup2316, dup2285, dup2286, dup2287, dup2288, dup2289,
    dup2303, dup2355, dup2348,
  ]),
});
var msg1156 = match({ | |
dissect: { | |
tokenizer: "Teardown %{protocol} connection %{connectionid} for %{sinterface} %{saddr}/%{sport} gaddr %{hostip}/%{network_port} %{dinterface} %{daddr}/%{dport} duration %{duration} bytes %{bytes}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup430, | |
dup1632, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2303, | |
dup2355, | |
dup2348, | |
]), | |
}); | |
var msg1157 = match({ | |
dissect: { | |
tokenizer: "Teardown %{protocol} connection for %{sinterface} %{saddr}/%{sport} gaddr %{hostip}/%{network_port} %{dinterface} %{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup430, | |
dup1633, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2303, | |
dup2348, | |
]), | |
}); | |
var msg1158 = match({ | |
dissect: { | |
tokenizer: "Built inbound GRE connection %{connectionid} from %{sinterface}:%{saddr} (%{stransaddr}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup357, | |
dup1766, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2346, | |
dup2350, | |
]), | |
}); | |
var msg1159 = match({ | |
dissect: { | |
tokenizer: "Built outbound GRE connection %{connectionid} from %{dinterface}:%{daddr} (%{dtransaddr}) to %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup357, | |
dup1767, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2347, | |
dup2350, | |
]), | |
}); | |
// msg1160: teardown of a GRE connection, parsed straight from nwparser.payload.
// Captures connection id, source interface/address, destination
// interface/address/port, duration and byte count.
var msg1160 = match({ | |
dissect: { | |
tokenizer: "Teardown GRE connection %{connectionid} from %{sinterface}:%{saddr} to %{dinterface}:%{daddr}/%{dport} duration %{duration} bytes %{bytes}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup483, | |
dup1392, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2303, | |
dup2348, | |
// "GRE" is a literal in the tokenizer, not a %{protocol} capture, so the
// protocol field is filled with a constant instead.
set_field({ | |
dest: "nwparser.protocol", | |
value: constant("GRE"), | |
}), | |
]), | |
}); | |
// msg1161: catch-all pattern. The tokenizer is a single capture with no literal
// text, so the whole of nwparser.payload is copied into event_description.
// NOTE(review): event_description then holds unparsed device text; no address,
// port or user fields are extracted on this path, so detections keyed on those
// fields will not see events that fall through to it. Presumably this must sit
// after every more specific pattern for the same message id — the select that
// references it is not visible here.
var msg1161 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup2130, | |
dup2131, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// msg1162..msg1167: six alternative layouts for the destination part of a
// message, all read from the intermediate field nwparser.p3. select180 offers
// them in the order listed; presumably linear_select (defined elsewhere) stops
// at the first alternative that matches, so the order below — most specific
// first, bare "%{daddr} %{p4}" last — matters and should not be re-sorted.
// The unparsed remainder is handed on in p5 or p4 for a later step.

// Address/port, a parenthesised value kept as fld12, then ICMP type and code.
var msg1162 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport} (%{fld12}) type %{icmptype} code %{icmpcode} %{p5}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Address/port followed directly by ICMP type and code.
var msg1163 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport} type %{icmptype} code %{icmpcode} %{p5}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Address/port with a parenthesised value captured as username (no space
// before the parenthesis).
var msg1164 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport}(%{username})%{p4}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Address/port only.
var msg1165 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport} %{p5}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Address without port, with a parenthesised value kept as fld10.
var msg1166 = match({ | |
dissect: { | |
tokenizer: "%{daddr}(%{fld10})%{p4}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Fallback: address only; everything after the first space goes to p4.
var msg1167 = match({ | |
dissect: { | |
tokenizer: "%{daddr} %{p4}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var select180 = linear_select([ | |
msg1162, | |
msg1163, | |
msg1164, | |
msg1165, | |
msg1166, | |
msg1167, | |
]); | |
var msg1168 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport} (%{fld12}) type %{icmptype} code %{icmpcode} %{p5}", | |
field: "nwparser.p4", | |
}, | |
}); | |
var msg1169 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport} type %{icmptype} code %{icmpcode} %{p5}", | |
field: "nwparser.p4", | |
}, | |
}); | |
var msg1170 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport}(%{username})%{p5}", | |
field: "nwparser.p4", | |
}, | |
}); | |
var msg1171 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport} %{p5}", | |
field: "nwparser.p4", | |
}, | |
}); | |
var msg1172 = match({ | |
dissect: { | |
tokenizer: "%{daddr}(%{fld10})%{p5}", | |
field: "nwparser.p4", | |
}, | |
}); | |
var msg1173 = match({ | |
dissect: { | |
tokenizer: "%{daddr} %{p5}", | |
field: "nwparser.p4", | |
}, | |
}); | |
var select181 = linear_select([ | |
msg1168, | |
msg1169, | |
msg1170, | |
msg1171, | |
msg1172, | |
msg1173, | |
]); | |
var all531 = all_match({ | |
processors: [ | |
dup1214, | |
dup1215, | |
dup1216, | |
dup1217, | |
select180, | |
select181, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup1218, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2312, | |
dup2288, | |
dup2289, | |
dup2346, | |
]), | |
}); | |
var all532 = all_match({ | |
processors: [ | |
dup1219, | |
dup1220, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup1221, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2312, | |
dup2288, | |
dup2289, | |
dup2347, | |
]), | |
}); | |
var all533 = all_match({ | |
processors: [ | |
dup1222, | |
dup1223, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup1224, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2312, | |
dup2288, | |
dup2289, | |
dup2347, | |
]), | |
}); | |
var all534 = all_match({ | |
processors: [ | |
dup1225, | |
dup1226, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup1227, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2346, | |
]), | |
}); | |
var msg1174 = match({ | |
dissect: { | |
tokenizer: "%{saddr}(%{fld11})%{p4}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var msg1175 = match({ | |
dissect: { | |
tokenizer: "%{saddr} %{p4}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var select182 = linear_select([ | |
msg1174, | |
msg1175, | |
]); | |
var all535 = all_match({ | |
processors: [ | |
dup1228, | |
dup1229, | |
dup1230, | |
dup1231, | |
select182, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup1232, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2347, | |
]), | |
}); | |
var msg1176 = match({ | |
dissect: { | |
tokenizer: "Built ICMP connection for faddr %{saddr} gaddr %{hostip} laddr %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup222, | |
dup1233, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all536 = all_match({ | |
processors: [ | |
dup1245, | |
dup1246, | |
dup1247, | |
dup2357, | |
], | |
on_success: processor_chain([ | |
dup579, | |
dup1248, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2348, | |
dup2308, | |
]), | |
}); | |
// msg1177: reads ICMP type and code from the intermediate field nwparser.p2;
// used as the last processor of all537.
// NOTE(review): %{icmpcode} is repeated three times with no literal between
// the occurrences, which looks like a generator artifact. What value icmpcode
// finally holds depends on how the dissect helper treats repeated keys, which
// is not visible here — verify before filtering on icmpcode.
var msg1177 = match({ | |
dissect: { | |
tokenizer: "%{icmptype} code %{icmpcode}%{icmpcode}%{icmpcode}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var all537 = all_match({ | |
processors: [ | |
dup1249, | |
dup1246, | |
dup1250, | |
msg1177, | |
], | |
on_success: processor_chain([ | |
dup579, | |
dup1251, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2348, | |
dup2308, | |
]), | |
}); | |
var all538 = all_match({ | |
processors: [ | |
dup1252, | |
dup1246, | |
dup1247, | |
dup2357, | |
], | |
on_success: processor_chain([ | |
dup579, | |
dup1253, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2348, | |
dup2308, | |
]), | |
}); | |
var msg1178 = match({ | |
dissect: { | |
tokenizer: "Built IP protocol %{protocol} connection %{connectionid} for %{sinterface}:%{saddr} (%{stransaddr}) to %{dinterface}:%{daddr} (%{dtransaddr})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup222, | |
dup875, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2350, | |
]), | |
}); | |
var all539 = all_match({ | |
processors: [ | |
dup371, | |
dup433, | |
dup876, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup877, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2350, | |
]), | |
}); | |
var msg1179 = match({ | |
dissect: { | |
tokenizer: "Teardown IP protocol %{protocol} connection %{connectionid} for %{sinterface}:%{saddr} to %{dinterface}:%{daddr} duration %{duration} bytes %{bytes}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup905, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2352, | |
]), | |
}); | |
var msg1180 = match({ | |
dissect: { | |
tokenizer: "Teardown stub %{protocol} connection for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration} forwarded bytes %{bytes} %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup906, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all540 = all_match({ | |
processors: [ | |
dup371, | |
dup433, | |
dup373, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup434, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2358, | |
]), | |
}); | |
var msg1181 = match({ | |
dissect: { | |
tokenizer: "Teardown stub %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration} forwarded bytes %{bytes} %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1367, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2352, | |
]), | |
}); | |
var all541 = all_match({ | |
processors: [ | |
dup371, | |
dup372, | |
dup373, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup374, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2358, | |
]), | |
}); | |
var msg1182 = match({ | |
dissect: { | |
tokenizer: "Teardown stub %{protocol} connection %{connectionid} for %{sinterface}:%{saddr} to %{dinterface}:%{daddr} duration %{duration} bytes %{bytes} %{info}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup969, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2352, | |
]), | |
}); | |
var msg1183 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1374, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// msg1184: "Built ... state-bypass connection". Captures protocol, connection
// id and both endpoints together with their translated address/port pairs.
// The event description is set to a constant because the tokenizer has no
// %{event_description} capture.
var msg1184 = match({ | |
dissect: { | |
tokenizer: "Built %{protocol} state-bypass connection %{connectionid} from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup222, | |
dup932, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Built state-bypass connection"), | |
}), | |
]), | |
}); | |
// msg1185: "Teardown ... state-bypass connection". Captures the endpoints,
// duration, byte count and a trailing result string.
// NOTE(review): the chain starts with dup222, the same entry the "Built"
// pattern above uses, whereas other teardown patterns in this part of the file
// start with dup16, dup483 or dup579. The dup definitions are outside this
// view; if dup222 sets a "connection built" category, teardown events would be
// categorised as builds — confirm against the definition.
var msg1185 = match({ | |
dissect: { | |
tokenizer: "Teardown %{protocol} state-bypass connection %{connectionid} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration} bytes %{bytes} %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup222, | |
dup640, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Teardown state-bypass connection"), | |
}), | |
]), | |
}); | |
var all542 = all_match({ | |
processors: [ | |
dup173, | |
dup2241, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup2242, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2359, | |
dup2360, | |
dup2361, | |
dup2362, | |
dup2363, | |
]), | |
}); | |
var all543 = all_match({ | |
processors: [ | |
dup2243, | |
dup4, | |
dup2244, | |
], | |
on_success: processor_chain([ | |
dup288, | |
dup2245, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// msg1186: payload of the form "<daddr> <action> <saddr>:<url>".
// NOTE(review): every delimiter is a single space or ':'. Assuming the dissect
// helper cuts each capture at the next literal (TODO confirm), a source
// address that itself contains ':' (IPv6) would be split at its first colon,
// leaving a truncated saddr and the rest of the address in url.
// The url capture is text originating from the logged request; downstream
// consumers should treat it as untrusted (escape it when rendering, do not
// fetch it automatically).
var msg1186 = match({ | |
dissect: { | |
tokenizer: "%{daddr} %{action} %{saddr}:%{url}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup222, | |
dup2246, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2359, | |
dup2360, | |
dup2361, | |
dup2362, | |
dup2363, | |
]), | |
}); | |
// msg1187..msg1189: FTP inspection events. All three read nwparser.payload
// directly and add one constant field at the end of their chain.

// msg1187: an FTP command was denied and the connection terminated. The
// command name is captured as action, both endpoints are captured, and result
// is fixed to "command denied".
var msg1187 = match({ | |
dissect: { | |
tokenizer: "FTP %{action} command denied, terminating connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup2277, | |
dup2313, | |
dup2302, | |
dup2314, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("command denied"), | |
}), | |
]), | |
}); | |
// msg1188: an unsupported FTP command failed strict inspection. Unlike
// msg1187, result is captured from the payload and event_description is the
// constant.
// NOTE(review): this chain has none of dup2313/dup2302/dup2314 that msg1187
// carries; what those entries add is defined outside this view, so whether the
// omission is intended cannot be confirmed here.
var msg1188 = match({ | |
dissect: { | |
tokenizer: "FTP %{action} command unsupported - failed strict inspection, %{result} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup506, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("FTP command unsupported - failed strict inspection"), | |
}), | |
]), | |
}); | |
// msg1189: strict FTP inspection class match. No endpoint is captured, only
// info and result.
// NOTE(review): "Class 25" is a literal in both the tokenizer and the constant
// description, so a message naming a different class number presumably does
// not match this pattern — check how other class numbers are handled.
var msg1189 = match({ | |
dissect: { | |
tokenizer: "Strict FTP inspection matched Class 25: %{info}, %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1166, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Strict FTP inspection matched Class 25"), | |
}), | |
]), | |
}); | |
var all544 = all_match({ | |
processors: [ | |
dup173, | |
dup174, | |
dup175, | |
dup176, | |
], | |
on_success: processor_chain([ | |
dup177, | |
dup178, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2364, | |
dup2365, | |
dup2360, | |
dup2361, | |
dup2362, | |
dup2363, | |
]), | |
}); | |
var all545 = all_match({ | |
processors: [ | |
dup179, | |
dup180, | |
dup181, | |
], | |
on_success: processor_chain([ | |
dup177, | |
dup182, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2364, | |
dup2365, | |
dup2360, | |
dup2361, | |
dup2362, | |
dup2363, | |
]), | |
}); | |
// msg1190 / msg1191: URL filtering "Access denied" events, with and without
// the SRC/DEST addresses.
// NOTE(review): url is text supplied by the requesting client as logged by
// the device, and in msg1190 it is delimited only by the literal " SRC ".
// Downstream consumers should validate saddr/daddr as IP addresses instead of
// trusting the split, and should escape url before displaying it.
var msg1190 = match({ | |
dissect: { | |
tokenizer: "Access denied URL %{url} SRC %{saddr} DEST %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup486, | |
dup1575, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2360, | |
dup2361, | |
dup2362, | |
dup2363, | |
]), | |
}); | |
// Shorter form without addresses. Its tokenizer is a prefix of msg1190's, so
// if both are offered to the same select, msg1190 presumably has to come
// first; that select is not visible here. The chain differs from msg1190 only
// by the extra dup2285 entry (defined elsewhere).
var msg1191 = match({ | |
dissect: { | |
tokenizer: "Access denied URL %{url}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup486, | |
dup1576, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2360, | |
dup2361, | |
dup2362, | |
dup2363, | |
]), | |
}); | |
var msg1192 = match({ | |
dissect: { | |
tokenizer: "URL Server %{hostip} timed out URL %{url}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup336, | |
dup936, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1193 = match({ | |
dissect: { | |
tokenizer: "URL Server %{hostip} request failed URL %{url}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup336, | |
dup1655, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1194 = match({ | |
dissect: { | |
tokenizer: "URL Server %{hostip} request pending URL %{url}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup336, | |
dup1165, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// msg1195: the URL filtering server at hostip is not responding.
// NOTE(review): this tokenizer is msg1196's without the trailing
// ", ENTERING ALLOW mode" literal. If the dissect helper does not require the
// capture to run to the end of the payload, and this pattern is tried first,
// the ALLOW-mode message below could be absorbed here with the suffix inside
// hostip. Neither the helper nor the select is visible — verify with a sample.
var msg1195 = match({ | |
dissect: { | |
tokenizer: "URL Server %{hostip} not responding", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup336, | |
dup337, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// msg1196: same condition, but the message states the device is
// "ENTERING ALLOW mode". Per the message text this is the point where URL
// filtering stops being enforced while the server is unreachable, so it is
// worth a dedicated alert rather than being grouped with msg1195. The chain
// starts with dup29 instead of dup336; both are defined elsewhere.
var msg1196 = match({ | |
dissect: { | |
tokenizer: "URL Server %{hostip} not responding, ENTERING ALLOW mode", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup675, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all546 = all_match({ | |
processors: [ | |
dup642, | |
dup643, | |
], | |
on_success: processor_chain([ | |
dup14, | |
dup644, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1197 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup2151, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1198 = match({ | |
dissect: { | |
tokenizer: "Portmapped translation built for gaddr %{hostip}/%{network_port} laddr %{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1929, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Portmapped translation built"), | |
}), | |
]), | |
}); | |
var msg1199 = match({ | |
dissect: { | |
tokenizer: "Translation built for gaddr %{hostip} to laddr %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1427, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Translation built"), | |
}), | |
]), | |
}); | |
var msg1200 = match({ | |
dissect: { | |
tokenizer: "Teardown translation for global %{hostip} local %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup590, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2366, | |
]), | |
}); | |
var msg1201 = match({ | |
dissect: { | |
tokenizer: "Teardown translation for %{hostip} %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup591, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2366, | |
]), | |
}); | |
var msg1202 = match({ | |
dissect: { | |
tokenizer: "Teardown portmap translation for global %{hostip}/%{network_port} local %{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup299, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("teardown portmap translation"), | |
}), | |
]), | |
}); | |
var msg1203 = match({ | |
dissect: { | |
tokenizer: "No translation group found for %{protocol} src %{sinterface}:%{saddr}/%{sport} dst %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup870, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2367, | |
]), | |
}); | |
var msg1204 = match({ | |
dissect: { | |
tokenizer: "No translation group found for icmp src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup871, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2367, | |
dup2306, | |
]), | |
}); | |
var msg1205 = match({ | |
dissect: { | |
tokenizer: "No translation group found for protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup872, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2367, | |
]), | |
}); | |
var msg1206 = match({ | |
dissect: { | |
tokenizer: "No translation group found for protocol %{protocol} src %{saddr} dst %{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup873, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2367, | |
]), | |
}); | |
var msg1207 = match({ | |
dissect: { | |
tokenizer: "%{service} translation creation failed for protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1270, | |
dup2313, | |
dup2302, | |
dup2314, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("translation creation failed for protocol"), | |
}), | |
]), | |
}); | |
var msg1208 = match({ | |
dissect: { | |
tokenizer: "%{service} translation creation failed for %{protocol} src %{sinterface}:%{saddr}/%{sport} dst %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1271, | |
dup2313, | |
dup2302, | |
dup2314, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2368, | |
]), | |
}); | |
var msg1209 = match({ | |
dissect: { | |
tokenizer: "%{service} translation creation failed for icmp src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup1272, | |
dup2313, | |
dup2302, | |
dup2314, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2306, | |
dup2368, | |
]), | |
}); | |
var msg1210 = match({ | |
dissect: { | |
tokenizer: "%{fld1}(): Orphan IP %{hostip} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup2167, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("Orphan IP detected on interface"), | |
}), | |
]), | |
}); | |
var msg1211 = match({ | |
dissect: { | |
tokenizer: "Free unallocated global IP address.%{}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup268, | |
dup1669, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("trying to free unallocated global address"), | |
}), | |
]), | |
}); | |
var msg1212 = match({ | |
dissect: { | |
tokenizer: "Built %{context} translation from %{sinterface}:%{saddr} to %{dinterface}:%{daddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup119, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2369, | |
]), | |
}); | |
var msg1213 = match({ | |
dissect: { | |
tokenizer: "Teardown %{context} translation from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} duration %{duration}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1360, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2366, | |
]), | |
}); | |
var msg1214 = match({ | |
dissect: { | |
tokenizer: "Teardown %{context} translation from %{sinterface}:%{saddr} to %{dinterface}:%{daddr} duration %{duration}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1361, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2366, | |
]), | |
}); | |
var msg1215 = match({ | |
dissect: { | |
tokenizer: "Built %{context} %{protocol} translation from %{sinterface}:%{saddr}/%{sport}(%{fld51}) to %{dinterface}(%{fld52}):%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup937, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2369, | |
]), | |
}); | |
var all547 = all_match({ | |
processors: [ | |
dup938, | |
dup921, | |
dup2370, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup940, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2369, | |
]), | |
}); | |
// msg1216: destination address/port read from the intermediate field
// nwparser.p1; used as the last processor of all548.
// NOTE(review): %{dport} is repeated with no literal in between (likely a
// generator artifact). How the dissect helper assigns a repeated adjacent key
// is not visible here — confirm dport receives the complete port value.
var msg1216 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport}%{dport}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all548 = all_match({ | |
processors: [ | |
dup941, | |
dup924, | |
msg1216, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup942, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2369, | |
]), | |
}); | |
var msg1217 = match({ | |
dissect: { | |
tokenizer: "Teardown %{context} %{protocol} translation from %{sinterface}:%{saddr}/%{sport}(%{fld51}) to %{dinterface}(%{fld52}):%{daddr}/%{dport} duration %{duration}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup919, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2366, | |
]), | |
}); | |
// msg1218: destination interface/address/port and duration read from the
// intermediate field nwparser.p1; used as the last processor of all549.
// NOTE(review): %{duration} is repeated with no literal in between (likely a
// generator artifact); confirm the dissect helper leaves the full duration in
// the field.
var msg1218 = match({ | |
dissect: { | |
tokenizer: "%{dinterface}:%{daddr}/%{dport} duration %{duration}%{duration}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all549 = all_match({ | |
processors: [ | |
dup920, | |
dup921, | |
msg1218, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup922, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2366, | |
]), | |
}); | |
// msg1219: same as msg1218 but without a destination interface; used as the
// last processor of all550.
// NOTE(review): %{duration} is repeated with no literal in between (likely a
// generator artifact); confirm the dissect helper leaves the full duration in
// the field.
var msg1219 = match({ | |
dissect: { | |
tokenizer: "%{daddr}/%{dport} duration %{duration}%{duration}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all550 = all_match({ | |
processors: [ | |
dup923, | |
dup924, | |
msg1219, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup925, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2366, | |
]), | |
}); | |
// msg1220: tail of a "denied due to NAT reverse path failure" message, read
// from the intermediate field nwparser.p1.
// NOTE(review): the literal "denied due to NAT reverse path failure" occurs
// twice in this tokenizer, while the sibling patterns msg1221 and msg1223
// contain it once. If the dissect helper requires every literal to be present,
// this pattern only matches a payload that repeats the phrase, and real events
// would be missed. This looks like a generator artifact of the same kind as
// the repeated %{key} captures elsewhere in the file — test with a sample
// message before relying on all551 for detection.
var msg1220 = match({ | |
dissect: { | |
tokenizer: "%{dinterface}:%{daddr}/%{dport} denied due to NAT reverse path failure denied due to NAT reverse path failure", | |
field: "nwparser.p1", | |
}, | |
}); | |
// all551: runs dup1867 and dup1868 (defined elsewhere) and then msg1220;
// presumably every processor must succeed before the on_success chain runs.
var all551 = all_match({ | |
processors: [ | |
dup1867, | |
dup1868, | |
msg1220, | |
], | |
on_success: processor_chain([ | |
dup412, | |
dup1869, | |
dup2286, | |
dup2312, | |
dup2288, | |
dup2289, | |
dup2303, | |
dup2304, | |
dup2371, | |
]), | |
}); | |
var msg1221 = match({ | |
dissect: { | |
tokenizer: "%{result}; Connection for %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode}) denied due to NAT reverse path failure", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup486, | |
dup1870, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2303, | |
dup2304, | |
dup2371, | |
]), | |
}); | |
var msg1222 = match({ | |
dissect: { | |
tokenizer: "System CPU utilization reached %{fld1}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1492, | |
dup1493, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1223 = match({ | |
dissect: { | |
tokenizer: "%{result}; Connection for protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} denied due to NAT reverse path failure", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup486, | |
dup1871, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2303, | |
dup2304, | |
dup2371, | |
]), | |
}); | |
var msg1224 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
dup1832, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// msg1225 / msg1226: a management login session was denied. protocol and the
// source address are captured; msg1225 also captures the interface.
// These are access-control denials on the device's own management plane, so
// saddr here is the host that tried to reach the device.
var msg1225 = match({ | |
dissect: { | |
tokenizer: "Denied %{protocol} login session from %{saddr} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup349, | |
dup984, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2372, | |
dup2373, | |
dup2374, | |
]), | |
}); | |
// Variant without the interface suffix. Its tokenizer is a prefix of
// msg1225's, so the longer pattern presumably has to be tried first (the
// select is not visible here). The chain adds dup2285, defined elsewhere.
var msg1226 = match({ | |
dissect: { | |
tokenizer: "Denied %{protocol} login session from %{saddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup349, | |
dup985, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2372, | |
dup2373, | |
dup2374, | |
]), | |
}); | |
var msg1227 = match({ | |
dissect: { | |
tokenizer: "%{result} session from %{saddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup166, | |
dup734, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// msg1228 / msg1229: failed telnet login to the device. The source address is
// captured as saddr and the parenthesised reason as result; msg1228 also
// captures the interface. No username appears in these tokenizers, so
// failed-login detections built on these events can only be keyed on saddr
// (and interface).
var msg1228 = match({ | |
dissect: { | |
tokenizer: "telnet login session failed from %{saddr} (%{result}) on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1844, | |
dup1845, | |
dup2302, | |
dup2335, | |
dup2320, | |
dup2314, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2375, | |
]), | |
}); | |
// Variant without the interface suffix; the chain is the same apart from
// dup1846 and the extra dup2285 entry (both defined elsewhere).
var msg1229 = match({ | |
dissect: { | |
tokenizer: "telnet login session failed from %{saddr} (%{result})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1844, | |
dup1846, | |
dup2302, | |
dup2335, | |
dup2320, | |
dup2314, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2375, | |
]), | |
}); | |
// msg1230: the telnet session limit was exceeded and a connection request
// from saddr was refused. %{space} stands for the gap between the two
// sentences of the message; what it accepts is up to the dissect helper,
// which is defined elsewhere.
var msg1230 = match({ | |
dissect: { | |
tokenizer: "Telnet session limit exceeded.%{space}Connection request from %{saddr} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup349, | |
dup350, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2376, | |
]), | |
}); | |
// all552: repeated wrong "enable" password. The matching itself is done by
// dup87 and dup88, which are defined outside this view; on success the event
// description is set to a constant.
// NOTE(review): this is a failed privilege-elevation event on the device. No
// field is captured in the visible part, so whether a user or source address
// is available for alerting depends on dup87/dup88 — check their tokenizers.
var all552 = all_match({ | |
processors: [ | |
dup87, | |
dup88, | |
], | |
on_success: processor_chain([ | |
dup89, | |
dup90, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("enable password incorrect - multiple tries"), | |
}), | |
]), | |
}); | |
var msg1231 = match({ | |
dissect: { | |
tokenizer: "static %{fld1} %{fld2} %{fld3} %{fld4} overlapped with %{fld5} %{fld6}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup1176, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// msg1232..msg1234: connections to the device's manager interface. Each
// captures the source address and sets a constant event description.

// Denied manager connection. The chain starts with dup349, as do the
// login-denial and session-limit patterns elsewhere in this part of the file.
var msg1232 = match({ | |
dissect: { | |
tokenizer: "Denied manager connection from %{saddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup349, | |
dup1681, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("denied manager connection"), | |
}), | |
]), | |
}); | |
// Permitted manager connection. The chain starts with dup166 rather than
// dup349; both are defined elsewhere.
var msg1233 = match({ | |
dissect: { | |
tokenizer: "Permitted manager connection from %{saddr}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup166, | |
dup167, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("permitted manager connection"), | |
}), | |
]), | |
}); | |
// Manager session limit exceeded; the refused request's source address and
// the interface are captured. Unlike msg1230 (the telnet equivalent), the gap
// after "exceeded." is a single literal space here, not %{space}.
var msg1234 = match({ | |
dissect: { | |
tokenizer: "Manager session limit exceeded. Connection request from %{saddr} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup349, | |
dup1342, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Manager session limit exceeded"), | |
}), | |
]), | |
}); | |
var msg1235 = match({ | |
dissect: { | |
tokenizer: "LU loading standby start%{}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup1765, | |
dup2286, | |
dup2287, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("LU loading standby start"), | |
}), | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1236 = match({ | |
dissect: { | |
tokenizer: "LU loading standby end%{}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup858, | |
dup859, | |
dup2286, | |
dup2287, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("LU loading standby end"), | |
}), | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// Dissects the "LU recv thread up" message. The trailing %{} is an unnamed
// key (presumably discarding any trailing text; match() is defined outside
// this view).
// NOTE(review): the description below reads "LU recv thread" without the
// final "up", while the sibling matcher msg1238 emits "LU xmit thread up".
// The string is kept as-is here; confirm which form downstream content
// expects before normalising.
var msg1237 = match({
  dissect: {
    tokenizer: "LU recv thread up%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131,
    dup2037,
    dup2286, dup2287,
    // The description is set between dup2287 and dup2288; order preserved.
    set_field({
      dest: "nwparser.event_description",
      value: constant("LU recv thread"),
    }),
    dup2288, dup2289,
  ]),
});
var msg1238 = match({ | |
dissect: { | |
tokenizer: "LU xmit thread up%{}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup131, | |
dup300, | |
dup2286, | |
dup2287, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("LU xmit thread up"), | |
}), | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1239 = match({ | |
dissect: { | |
tokenizer: "RIP hdr failed from %{saddr}: cmd=%{fld1}, version=%{fld2} domain=%{fld3} on interface %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup489, | |
dup1234, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// Dissects "Denied ICMP type=<icmptype>, code=<icmpcode> from <saddr> on
// interface <interface>" out of nwparser.payload. No destination address
// appears in this form of the message, so only the source side is captured.
var msg1240 = match({
  dissect: {
    tokenizer: "Denied ICMP type=%{icmptype}, code=%{icmpcode} from %{saddr} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup566,
    dup567,
    dup2286, dup2287, dup2288, dup2289,
    dup2308,
    dup2304,
  ]),
});
var msg1241 = match({ | |
dissect: { | |
tokenizer: "Invalid destination %{result} destination %{fld1} on %{interface} interface. %{space} Original IP payload", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup345, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2308, | |
dup2377, | |
]), | |
}); | |
var msg1242 = match({ | |
dissect: { | |
tokenizer: "Invalid destination %{result} on %{interface} interface. %{space} Original IP payload", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup168, | |
dup346, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2377, | |
]), | |
}); | |
// Dissects the "Denied ICMP ... from laddr <saddr> on interface <interface>
// to <daddr>: <result>" form, capturing both endpoints plus the trailing
// reason text under the key result.
var msg1243 = match({
  dissect: {
    tokenizer: "Denied ICMP type=%{icmptype}, from laddr %{saddr} on interface %{interface} to %{daddr}: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup566,
    dup593,
    dup2313, dup2302, dup2314,
    dup2286, dup2287, dup2288, dup2289,
    dup2303,
    dup2308,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Denied ICMP"),
    }),
  ]),
});
// Same shape as the "Denied ICMP ... from laddr" matcher (msg1243), but the
// protocol name is captured rather than fixed, and the description is the
// generic "Denied connection".
// NOTE(review): there is no space after the colon before %{result} here
// (msg1243 has one), so a space following the colon in the input would stay
// at the start of result. Confirm with sample logs.
var msg1244 = match({
  dissect: {
    tokenizer: "Denied %{protocol} type=%{icmptype}, from %{saddr} on interface %{interface} to %{daddr}:%{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup566,
    dup594,
    dup2313, dup2302, dup2314,
    dup2285,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Denied connection"),
    }),
  ]),
});
// Dissects "No matching connection for ICMP error message", i.e. an ICMP
// error that did not correspond to a tracked connection. Captures the
// source and destination interface/address pairs, ICMP type and code, the
// receiving interface, and the quoted original payload under the key info.
var msg1245 = match({
  dissect: {
    tokenizer: "No matching connection for ICMP error message: icmp src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode}) on %{interface} interface. Original IP payload:%{info}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61,
    dup2089,
    dup2313, dup2302, dup2314,
    dup2286, dup2287, dup2288, dup2289,
    dup2303,
    set_field({
      dest: "nwparser.event_description",
      value: constant("No matching connection for error message"),
    }),
  ]),
});
var all553 = all_match({ | |
processors: [ | |
dup1634, | |
dup1635, | |
dup1636, | |
dup1637, | |
dup1638, | |
dup446, | |
dup1639, | |
dup1640, | |
dup1641, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1642, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Pre-allocated connection"), | |
}), | |
]), | |
}); | |
// Dissects "Denied SSH session from <saddr> on interface <interface>".
// NOTE(review): the description written below is the generic "Denied
// session", so the fact that this was SSH survives only in whatever
// dup349/dup1928 set. Check that detections keyed on SSH denials can still
// tell this event apart.
var msg1246 = match({
  dissect: {
    tokenizer: "Denied SSH session from %{saddr} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup349,
    dup1928,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Denied session"),
    }),
  ]),
});
var all554 = all_match({ | |
processors: [ | |
dup1484, | |
dup4, | |
], | |
on_success: processor_chain([ | |
dup141, | |
dup1485, | |
dup2321, | |
dup2335, | |
dup2320, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Permitted session"), | |
}), | |
]), | |
}); | |
var all555 = all_match({ | |
processors: [ | |
dup414, | |
dup4, | |
], | |
on_success: processor_chain([ | |
dup89, | |
dup415, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2378, | |
]), | |
}); | |
var all556 = all_match({ | |
processors: [ | |
dup416, | |
dup417, | |
], | |
on_success: processor_chain([ | |
dup89, | |
dup418, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2378, | |
]), | |
}); | |
// Partial matcher with no on_success chain of its own: it dissects the
// intermediate field nwparser.p1 and is used as the last processor of
// all557. The trailing %{} is an unnamed key.
var msg1247 = match({
  dissect: {
    tokenizer: "RSA host key retrieval failed.%{}",
    field: "nwparser.p1",
  },
});
// Composite matcher for the "RSA host key retrieval failed" message: the
// shared matchers dup91 and dup92 run first, followed by msg1247, which
// dissects nwparser.p1 (presumably produced by the earlier steps; they are
// defined outside this view).
var all557 = all_match({
  processors: [dup91, dup92, msg1247],
  on_success: processor_chain([
    dup93,
    dup94,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Dissects "SSH session limit exceeded. Connection request from <saddr> on
// interface <interface>". %{space} sits between the sentence end and
// "Connection", so the separator is captured rather than matched as a
// fixed literal. The chain ends with the shared dup2376 rather than an
// inline description.
var msg1248 = match({
  dissect: {
    tokenizer: "SSH session limit exceeded.%{space}Connection request from %{saddr} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup349,
    dup878,
    dup2286, dup2287, dup2288, dup2289,
    dup2376,
  ]),
});
var all558 = all_match({ | |
processors: [ | |
dup1327, | |
dup1328, | |
dup1329, | |
dup1330, | |
], | |
on_success: processor_chain([ | |
dup579, | |
dup1331, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("session disconnected"), | |
}), | |
]), | |
}); | |
var all559 = all_match({ | |
processors: [ | |
dup1327, | |
dup1328, | |
dup1332, | |
], | |
on_success: processor_chain([ | |
dup579, | |
dup1333, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("terminated normally"), | |
}), | |
]), | |
}); | |
// Dissects "Denied new tunnel to <saddr> VPN peer limit (<fld1>) exceeded."
// and records both a description and a result for the event.
// NOTE(review): the address after "to" is stored under saddr although the
// wording suggests it is the remote tunnel peer. Confirm the intended
// direction before building source/destination logic on this field.
var msg1249 = match({
  dissect: {
    tokenizer: "Denied new tunnel to %{saddr} VPN peer limit (%{fld1}) exceeded.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61,
    dup424,
    dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("denied new VPN tunnel"),
    }),
    set_field({
      dest: "nwparser.result",
      value: constant("VPN peer limit exceeded"),
    }),
  ]),
});
var all560 = all_match({ | |
processors: [ | |
dup425, | |
dup426, | |
dup427, | |
], | |
on_success: processor_chain([ | |
dup285, | |
dup428, | |
dup2340, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("cannot create isakmp peers"), | |
}), | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("peer limit exceeded"), | |
}), | |
]), | |
}); | |
// Catch-all matcher: the tokenizer is a single key, so the whole of
// nwparser.payload is stored under event_description with no further
// structure extracted. Several neighbouring matchers use this same
// tokenizer and differ only in the dup* processors that start the chain.
var msg1250 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup243,
    dup1504,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
var msg1251 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup1943, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1252 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup1241, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1253 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1812, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1254 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1119, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1255 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup525, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1256 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup47, | |
dup1698, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1257 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup369, | |
dup517, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1258 = match({ | |
dissect: { | |
tokenizer: "area %{fld1} lsid %{fld2} mask %{fld3} adv %{fld4} type %{fld5}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup2031, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1259 = match({ | |
dissect: { | |
tokenizer: "lsid %{fld1} adv %{fld2} type %{fld3} gateway %{fld4} metric %{fld5} network %{fld6} mask %{fld7} protocol %{protocol} attr %{fld8} net-metric %{fld9}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup978, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1260 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1552, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1261 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup631, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1262 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup49, | |
dup50, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1263 = match({ | |
dissect: { | |
tokenizer: "Acknowledge for arp update for IP address %{daddr} not received (%{count}).", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1486, | |
dup2285, | |
dup2286, | |
dup2287, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Acknowledge for arp update"), | |
}), | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// Dissects the fixed message "The subject name of the peer cert is not
// allowed for connection" (a certificate-based peer rejection). Nothing is
// captured from the payload: the tokenizer holds only literal text and a
// trailing unnamed %{} key, so the peer identity must come from elsewhere.
var msg1264 = match({
  dissect: {
    tokenizer: "The subject name of the peer cert is not allowed for connection%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45,
    dup1487,
    dup2286, dup2287,
    // The description is set between dup2287 and dup2288; order preserved.
    set_field({
      dest: "nwparser.event_description",
      value: constant("The subject name of the peer cert is not allowed for connection"),
    }),
    dup2288, dup2289,
  ]),
});
var msg1265 = match({ | |
dissect: { | |
tokenizer: "Route update for IP address %{daddr} to %{fld1} failed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1872, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("route update failure"), | |
}), | |
]), | |
}); | |
var msg1266 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup106, | |
dup2012, | |
dup2340, | |
dup2320, | |
dup2321, | |
dup2335, | |
dup2314, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1267 = match({ | |
dissect: { | |
tokenizer: "Resource %{fld1} limit of %{fld2} reached.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup375, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1268 = match({ | |
dissect: { | |
tokenizer: "Resource %{fld1} limit of %{fld2} reached for context %{fld3}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup376, | |
dup2285, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1269 = match({ | |
dissect: { | |
tokenizer: "Resource %{fld1} rate limit of %{fld2} reached.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup660, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1270 = match({ | |
dissect: { | |
tokenizer: "Resource %{fld1} log level of %{fld2} reached.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1505, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1271 = match({ | |
dissect: { | |
tokenizer: "Resource %{fld1} rate log level of %{fld2} %{fld3}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1873, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// Dissects "Deny MAC address <...>, possible spoof attempt on interface
// <interface>" and tags the event with a description and a result.
// NOTE(review): the MAC address is captured under the key daddr, whereas
// other matchers in this file use smacaddr or macaddr for MAC values
// (e.g. the ARP inspection and duplicate-address messages). If daddr is
// later treated as an IP address, spoofing alerts could lose the offending
// MAC or fail type conversion. Confirm the intended key.
var msg1272 = match({
  dissect: {
    tokenizer: "Deny MAC address %{daddr}, possible spoof attempt on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61,
    dup933,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("denied mac address"),
    }),
    set_field({
      dest: "nwparser.result",
      value: constant("possible spoof attempt"),
    }),
  ]),
});
// Dissects an ARP inspection failure for an ARP *request*: the sending
// host's MAC goes to smacaddr, the receiving interface to interface, and
// everything after the full stop to info. No event_description is set in
// this chain.
var msg1273 = match({
  dissect: {
    tokenizer: "ARP inspection check failed for arp request received from host %{smacaddr} on interface %{interface}.%{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61,
    dup1880,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Dissects an ARP inspection failure for an ARP *response*. It captures
// the same keys as the request variant (smacaddr, interface, info) and
// differs from it only in the literal text and in dup1090 as the second
// chain entry.
var msg1274 = match({
  dissect: {
    tokenizer: "ARP inspection check failed for arp response received from host %{smacaddr} on interface %{interface}.%{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61,
    dup1090,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Dissects "No management IP address configured for transparent firewall.
// <result> from <sinterface>:<saddr>/<sport> to <dinterface>:<daddr>/<dport>".
// The action text goes to result and the full flow tuple is captured.
var msg1275 = match({
  dissect: {
    tokenizer: "No management IP address configured for transparent firewall. %{result} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29,
    dup1951,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("No management IP address configured for transparent firewall"),
    }),
  ]),
});
var msg1276 = match({ | |
dissect: { | |
tokenizer: "Module in slot %{fld1} experienced a control channel communication failure", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup343, | |
dup661, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1277 = match({ | |
dissect: { | |
tokenizer: "Module in slot %{fld1} is not able to shut down, shut down request not answered.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup343, | |
dup1157, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1278 = match({ | |
dissect: { | |
tokenizer: "Module in slot %{fld1} is not able to reload, reload request not answered.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup343, | |
dup1120, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// Partial matcher used as the second step of all561. It dissects the
// intermediate field nwparser.p0 and has no success chain of its own.
// The tokenizer begins with a literal space, which is significant and
// must be kept.
var msg1279 = match({
  dissect: {
    tokenizer: " experienced a data channel communication failure, data channel is DOWN%{}",
    field: "nwparser.p0",
  },
});
// Composite matcher for a module data-channel failure: dup617 (defined
// outside this view) runs first, then msg1279 dissects nwparser.p0. On
// success a fixed result string is recorded. No event_description is set.
var all561 = all_match({
  processors: [dup617, msg1279],
  on_success: processor_chain([
    dup125,
    dup618,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("data channel communication failure - data channel is DOWN"),
    }),
  ]),
});
var all562 = all_match({ | |
processors: [ | |
dup1308, | |
dup1309, | |
dup1310, | |
], | |
on_success: processor_chain([ | |
dup285, | |
dup1311, | |
dup2313, | |
dup2302, | |
dup2314, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Drop GTPv"), | |
}), | |
]), | |
}); | |
var msg1280 = match({ | |
dissect: { | |
tokenizer: "GTPv0 packet parsing error from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}, TID: %{fld1}, Reason: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup163, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("GTPv0 packet parsing error"), | |
}), | |
]), | |
}); | |
var msg1281 = match({ | |
dissect: { | |
tokenizer: "No %{fld1} exists to process GTPv0 %{fld2} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}, TID: %{fld3}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup347, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("nonexistent resource to process GTP request"), | |
}), | |
]), | |
}); | |
var msg1282 = match({ | |
dissect: { | |
tokenizer: "No matching request to process GTPv %{fld2} %{fld3} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup61, | |
dup2042, | |
dup2313, | |
dup2302, | |
dup2314, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("No matching GTP request"), | |
}), | |
]), | |
}); | |
var msg1283 = match({ | |
dissect: { | |
tokenizer: "GTP packet with version %{status} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} is not supported", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1158, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("GTP version not supported"), | |
}), | |
]), | |
}); | |
var msg1284 = match({ | |
dissect: { | |
tokenizer: "Unable to create tunnel from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup561, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("Unable to create tunnel"), | |
}), | |
]), | |
}); | |
var msg1285 = match({ | |
dissect: { | |
tokenizer: "GSN ip_addr tunnel limit %{fld1} exceeded, PDP Context TID %{fld2} failed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup1573, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1286 = match({ | |
dissect: { | |
tokenizer: "Unable to create GTP connection for response from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup377, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("Unable to create GTP connection"), | |
}), | |
]), | |
}); | |
var msg1287 = match({ | |
dissect: { | |
tokenizer: "Router %{hostip_v6} on %{interface} has conflicting ND (Neighbor Discovery) settings", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup43, | |
dup1377, | |
dup2290, | |
dup2291, | |
dup2299, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1288 = match({ | |
dissect: { | |
tokenizer: "Duplicate address %{hostip_v6}/%{macaddr} on %{interface}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup2190, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1289 = match({ | |
dissect: { | |
tokenizer: "Unexpected error in the timer library: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup45, | |
dup613, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// Dissects a failed Dynamic DNS update, capturing the quoted name under
// domain and the address under hostip.
// NOTE(review): the escapes \u003c\u003c=\u003e decode to the literal
// text "<<=>". Check against real device output that the doubled "<" is
// intended and is not an escaping artifact of the generator. If the device
// prints a single "<", this pattern would not match.
var msg1290 = match({
  dissect: {
    tokenizer: "Dynamic DNS Update for '%{domain}' \u003c\u003c=\u003e %{hostip} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup43,
    dup1899,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Dynamic DNS Update failed"),
    }),
  ]),
});
var msg1291 = match({ | |
dissect: { | |
tokenizer: "Web Cache %{saddr}/%{shost} acquired", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup907, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2379, | |
]), | |
}); | |
var msg1292 = match({ | |
dissect: { | |
tokenizer: "Web Cache %{saddr}/%{shost} lost", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup120, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
dup2379, | |
]), | |
}); | |
var msg1293 = match({ | |
dissect: { | |
tokenizer: "NAC is disabled for host - %{hostip}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup232, | |
dup1098, | |
dup2295, | |
dup2290, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("NAC is disabled"), | |
}), | |
]), | |
}); | |
var msg1294 = match({ | |
dissect: { | |
tokenizer: "%{group}: %{fld1} Neighbor %{saddr} (%{interface}) is %{event_state}: %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup232, | |
dup1942, | |
dup2295, | |
dup2290, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Neighbor state change"), | |
}), | |
]), | |
}); | |
var msg1295 = match({ | |
dissect: { | |
tokenizer: "Phone Proxy SRTP: Media session not found for %{hostip}/%{network_port} for packet from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1438, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Phone Proxy SRTP: Media session not found"), | |
}), | |
]), | |
}); | |
var msg1296 = match({ | |
dissect: { | |
tokenizer: "Phone Proxy: Unable to create secure phone entry for %{sinterface}:%{saddr} with MAC address %{smacaddr}, %{result}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup659, | |
dup2313, | |
dup2302, | |
dup2314, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Unable to create secure phone entry for endpoint"), | |
}), | |
]), | |
}); | |
var all563 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup452, | |
dup453, | |
dup549, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup550, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all564 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup452, | |
dup453, | |
dup910, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup911, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all565 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup452, | |
dup453, | |
dup454, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup455, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// Partial matcher used as the last step of all566. It dissects the
// intermediate field nwparser.p5 into a severity and a category.
// NOTE(review): the tokenizer ends with two adjacent %{result} keys and no
// delimiter between them. How the dissect implementation behind match()
// treats a repeated, undelimited key is not visible here: one capture may
// be empty or may overwrite the other. Verify that the category value
// really ends up in result.
var msg1297 = match({
  dissect: {
    tokenizer: "%{severity}, category: %{result}%{result}",
    field: "nwparser.p5",
  },
});
// Composite matcher: it shares its first four steps (dup249, dup250,
// dup452, dup453) with several neighbouring all_match definitions, then
// runs dup1419 and dup1420, and finally msg1297, which splits out the
// severity and category from nwparser.p5.
var all566 = all_match({
  processors: [
    dup249, dup250,
    dup452, dup453,
    dup1419, dup1420,
    msg1297,
  ],
  on_success: processor_chain([
    dup33,
    dup1421,
    dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
var all567 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup1964, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1965, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all568 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup1506, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1507, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all569 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup1757, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1758, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all570 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup251, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup252, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all571 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup1273, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1274, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all572 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup2038, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup2039, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all573 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup2268, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup2269, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// Composite matcher for the Dynamic Filter "monitored whitelisted traffic"
// event. The five steps it chains are all defined outside this view. The
// description below is the only text this block contributes.
var all574 = all_match({
  processors: [
    dup249, dup250,
    dup632, dup633, dup634,
  ],
  on_success: processor_chain([
    dup33,
    dup635,
    dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Dynamic Filter monitored whitelisted traffic"),
    }),
  ]),
});
var all575 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup452, | |
dup453, | |
dup2283, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup2284, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all576 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup632, | |
dup453, | |
dup2234, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup2235, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all577 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup1159, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1160, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all578 = all_match({ | |
processors: [ | |
dup249, | |
dup250, | |
dup1738, | |
], | |
on_success: processor_chain([ | |
dup33, | |
dup1739, | |
dup2313, | |
dup2302, | |
dup2316, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// Composite matcher for the "Intercepted DNS reply for name" event. The
// matching steps (dup1161..dup1163) are defined outside this view, so which
// keys hold the queried name and the answering server cannot be told from
// here.
var all579 = all_match({
  processors: [dup1161, dup1162, dup1163],
  on_success: processor_chain([
    dup33,
    dup1164,
    dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Intercepted DNS reply for name"),
    }),
  ]),
});
var all580 = all_match({ | |
processors: [ | |
dup1499, | |
dup1500, | |
dup1501, | |
], | |
on_success: processor_chain([ | |
dup528, | |
dup1502, | |
dup2380, | |
dup2290, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var all581 = all_match({ | |
processors: [ | |
dup556, | |
dup557, | |
dup558, | |
], | |
on_success: processor_chain([ | |
dup437, | |
dup559, | |
dup2333, | |
dup2290, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// Dissects a successful download of the dynamic filter data file and
// captures the updater server under the key url. The failure-side messages
// for the same updater are handled by the matchers that follow.
var msg1298 = match({
  dissect: {
    tokenizer: "Successfully downloaded dynamic filter data file from updater server %{url}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29,
    dup1813,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Dissects a failed download of the dynamic filter data file, capturing
// the updater server under url. The chain starts with dup261, as do the
// other dynamic-filter failure matchers nearby. No event_description is
// set here.
var msg1299 = match({
  dissect: {
    tokenizer: "Failed to download dynamic filter data file from updater server %{url}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup261,
    dup351,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Dissects an authentication failure against the dynamic filter updater
// server, capturing the server under url. Unlike the download-failure
// matcher, this chain starts with dup891/dup1749 and adds dup2320 and
// dup2314 ahead of the common processors.
var msg1300 = match({
  dissect: {
    tokenizer: "Failed to authenticate with dynamic filter updater server %{url}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup891,
    dup1749,
    dup2320, dup2314,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Dissects the fixed message reporting that the downloaded dynamic filter
// database file could not be decrypted. Nothing is captured: the tokenizer
// is literal text followed by an unnamed %{} key.
var msg1301 = match({
  dissect: {
    tokenizer: "Failed to decrypt downloaded dynamic filter database file%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup261,
    dup1975,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Dissects a change of the dynamic filter updater server, storing the
// previous and new server under change_old and change_new.
// NOTE(review): a change of update source for a filtering database is
// worth surfacing to analysts. Confirm that change_old and change_new are
// carried into the final event and not dropped by later processing.
var msg1302 = match({
  dissect: {
    tokenizer: "Dynamic filter updater server dynamically changed from %{change_old} to %{change_new}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58,
    dup95,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Dynamic filter updater server dynamically changed"),
    }),
  ]),
});
// The device licence does not cover the dynamic filter updater feature.
// Fixed-text pattern; the trailing %{} has no field name, so nothing is
// extracted.
var msg1303 = match({
  dissect: {
    tokenizer: "The license on this ASA does not support dynamic filter updater feature.%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup261, dup1643, dup2286, dup2287, dup2288, dup2289]),
});
// An update from the dynamic filter updater server failed.
// Captures the server as web_domain and the text after "reason: " as result.
// Note that the neighbouring download/authentication matchers store the
// server in url instead, so queries across them need both field names.
var msg1304 = match({
  dissect: {
    tokenizer: "Failed to update from dynamic filter updater server %{web_domain}, reason: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup261, dup262, dup2286, dup2287, dup2288, dup2289]),
});
// msg1305 .. msg1356: signature events of the form
//   <product>:<sigid> <context> from <saddr> to <daddr> on interface <dinterface>
// All 52 matchers dissect nwparser.payload with the same tokenizer and run the
// same trailing steps; only the first two steps of the chain differ.
// Because the pattern is identical, the text alone cannot select between them;
// presumably the caller picks one by message ID (confirm where they are used).

// Builds one matcher of the family. first_step and second_step are the two
// per-message processors that lead the on_success chain.
// NOTE(review): judging by dup0/dup1 at the top of the file these look like the
// event-category and message-id setters, but their bodies are not visible here.
function signature_event_match(first_step, second_step) {
  return match({
    dissect: {
      tokenizer: "%{product}:%{sigid} %{context} from %{saddr} to %{daddr} on interface %{dinterface}",
      field: "nwparser.payload",
    },
    on_success: processor_chain([
      first_step,
      second_step,
      dup2286,
      dup2287,
      dup2288,
      dup2289,
      dup2303,
      dup2381,
      dup2382,
      dup2383,
    ]),
  });
}

var msg1305 = signature_event_match(dup168, dup774);
var msg1306 = signature_event_match(dup168, dup242);
var msg1307 = signature_event_match(dup168, dup2200);
var msg1308 = signature_event_match(dup168, dup1151);
var msg1309 = signature_event_match(dup168, dup1700);
var msg1310 = signature_event_match(dup168, dup1952);
var msg1311 = signature_event_match(dup168, dup1953);
var msg1312 = signature_event_match(dup170, dup2201);
var msg1313 = signature_event_match(dup170, dup596);
var msg1314 = signature_event_match(dup170, dup584);
var msg1315 = signature_event_match(dup168, dup2247);
var msg1316 = signature_event_match(dup168, dup1909);
var msg1317 = signature_event_match(dup168, dup1193);
var msg1318 = signature_event_match(dup168, dup2256);
var msg1319 = signature_event_match(dup168, dup1047);
var msg1320 = signature_event_match(dup168, dup169);
var msg1321 = signature_event_match(dup168, dup2119);
var msg1322 = signature_event_match(dup168, dup1001);
var msg1323 = signature_event_match(dup168, dup677);
var msg1324 = signature_event_match(dup168, dup701);
var msg1325 = signature_event_match(dup168, dup301);
var msg1326 = signature_event_match(dup168, dup405);
var msg1327 = signature_event_match(dup168, dup1458);
var msg1328 = signature_event_match(dup168, dup1307);
var msg1329 = signature_event_match(dup168, dup1292);
var msg1330 = signature_event_match(dup168, dup1586);
var msg1331 = signature_event_match(dup1275, dup2280);
var msg1332 = signature_event_match(dup1275, dup1847);
var msg1333 = signature_event_match(dup1275, dup1276);
var msg1334 = signature_event_match(dup597, dup842);
var msg1335 = signature_event_match(dup597, dup598);
var msg1336 = signature_event_match(dup170, dup171);
var msg1337 = signature_event_match(dup170, dup2248);
var msg1338 = signature_event_match(dup137, dup1172);
var msg1339 = signature_event_match(dup253, dup2030);
var msg1340 = signature_event_match(dup253, dup645);
var msg1341 = signature_event_match(dup253, dup1277);
var msg1342 = signature_event_match(dup253, dup2007);
var msg1343 = signature_event_match(dup597, dup1761);
var msg1344 = signature_event_match(dup597, dup1194);
var msg1345 = signature_event_match(dup1275, dup1429);
var msg1346 = signature_event_match(dup794, dup1684);
var msg1347 = signature_event_match(dup597, dup2191);
var msg1348 = signature_event_match(dup597, dup1091);
var msg1349 = signature_event_match(dup597, dup1901);
var msg1350 = signature_event_match(dup597, dup1648);
var msg1351 = signature_event_match(dup597, dup1817);
var msg1352 = signature_event_match(dup597, dup851);
var msg1353 = signature_event_match(dup794, dup795);
var msg1354 = signature_event_match(dup794, dup1685);
var msg1355 = signature_event_match(dup794, dup2047);
var msg1356 = signature_event_match(dup1938, dup1939);
// Catch-all matcher: the whole of nwparser.payload is copied into
// event_description, with no further field extraction.
// Since the pattern accepts any payload, this matcher has to be selected by
// something other than the text (presumably the message ID; confirm).
var msg1357 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup504, dup2286, dup2287, dup2288, dup2289]),
});
// Shun added: dup614 does the parsing (declared earlier in this file), after
// which the chain below runs and sets nwparser.event_description to the fixed
// text "Shun(s) added".
var all582 = all_match({
  processors: [dup614],
  on_success: processor_chain([
    dup528, dup615, dup2380, dup2290, dup2285,
    dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shun(s) added"),
    }),
  ]),
});
// Shun deleted: dup1976, dup1977 and dup1978 do the parsing (declared earlier
// in this file). The chain sets nwparser.event_description to "Shun deleted"
// before the last two shared steps, dup2288 and dup2289, run.
var all583 = all_match({
  processors: [dup1976, dup1977, dup1978],
  on_success: processor_chain([
    dup437, dup1979, dup2333, dup2290, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shun deleted"),
    }),
    dup2288, dup2289,
  ]),
});
// Packet dropped: dup1422 and dup1423 do the parsing (declared earlier in this
// file); the chain ends by setting nwparser.event_description to
// "Packet dropped".
var all584 = all_match({
  processors: [dup1422, dup1423],
  on_success: processor_chain([
    dup285, dup1424, dup2313, dup2302, dup2314,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Packet dropped"),
    }),
  ]),
});
// Shun add failed: shares its first parser part (dup1422) with all584 and adds
// dup2013 and dup2014. The outcome is recorded in nwparser.result rather than
// in event_description.
var all585 = all_match({
  processors: [dup1422, dup2013, dup2014],
  on_success: processor_chain([
    dup1855, dup2015, dup2286, dup2287,
    set_field({
      dest: "nwparser.result",
      value: constant("Shun add failed"),
    }),
    dup2288, dup2289,
  ]),
});
// IPSEC packet received with an invalid SPI.
// Captures the leading token as fld1, the destination as daddr, the protocol
// as protocol and the SPI as dst_spi; nwparser.result is then set to the fixed
// text "invalid spi".
var msg1358 = match({
  dissect: {
    tokenizer: "%{fld1}: rec'd IPSEC packet has invalid spi for destaddr=%{daddr}, prot=%{protocol}, spi=%{dst_spi}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1, dup1822, dup2340,
    dup2286, dup2287, dup2288, dup2289, dup2384,
    set_field({
      dest: "nwparser.result",
      value: constant("invalid spi"),
    }),
  ]),
});
// Packet arrived without the expected header.
// Captures the leading token as fld1, the missing item as fld2, the
// destination as daddr and the protocol actually seen as protocol.
// ("destadr" is spelled as in the pattern; it must match the device output.)
// Two fixed fields are then set: event_description and result.
var msg1359 = match({
  dissect: {
    tokenizer: "%{fld1}: packet missing %{fld2}, destadr=%{daddr}, actual prot=%{protocol}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1, dup2, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("invalid packet"),
    }),
    set_field({
      dest: "nwparser.result",
      value: constant("missing packet type"),
    }),
  ]),
});
// Identity mismatch: dup363, dup364 and dup365 do the parsing (declared
// earlier in this file). The chain records the fixed result
// "identity doesn't match" before the final shared steps run.
var all586 = all_match({
  processors: [dup363, dup364, dup365],
  on_success: processor_chain([
    dup55, dup366, dup2340, dup2313, dup2302, dup2316,
    dup2286, dup2287,
    set_field({
      dest: "nwparser.result",
      value: constant("identity doesn't match"),
    }),
    dup2288, dup2289,
  ]),
});
// A packet that is not an IPSEC packet was received.
// Captures daddr, saddr and protocol. The %{space} token stores whatever sits
// between "packet" and "(ip)" in a field named space.
// Note the pattern lists the destination before the source.
var msg1360 = match({
  dissect: {
    tokenizer: "Rec'd packet not an IPSEC packet %{space} (ip) dest_addr= %{daddr}, src_addr= %{saddr}, prot= %{protocol}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1, dup934, dup2340, dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289, dup2384,
  ]),
});
// ESP packet received with an invalid SPI.
// Captures saddr and daddr; the parenthesised part of the message is stored as
// result, and %{space} keeps the text in front of it in a field named space.
// NOTE(review): the SPI itself is not given its own field here; if it appears
// inside the parentheses it ends up in result. Check against sample logs.
var msg1361 = match({
  dissect: {
    tokenizer: "IPSEC: Received an ESP packet %{space} (%{result}) from %{saddr} to %{daddr} with an invalid SPI",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1, dup970, dup2340, dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received an ESP packet with an invalid SPI"),
    }),
  ]),
});
// Bad ESP packet: dup648, dup208 and dup1547 do the parsing (declared earlier
// in this file). The chain sets event_description to "Bad ESP packet" and then
// runs dup2385 last.
var all587 = all_match({
  processors: [dup648, dup208, dup1547],
  on_success: processor_chain([
    dup55, dup1548, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Bad ESP packet"),
    }),
    dup2385,
  ]),
});
// A non-IPSec packet was received where IPSec was expected.
// Captures protocol, saddr and daddr from nwparser.payload.
// The dupNNN steps in on_success are shared processors declared earlier in
// this file.
var msg1362 = match({
  dissect: {
    tokenizer: "IPSEC: Received a non-IPSec packet (protocol= %{protocol}) from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1, dup456, dup2340, dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289, dup2384, dup2385,
  ]),
});
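// ESP packet that contained an illegal IP fragment.
// Fix: the token after "SPI=" is the security parameter index, so it is now
// stored in dst_spi, the field msg1358 and msg1367 use for the SPI. It was
// stored in protocol, where an SPI value would be read as a protocol name by
// anything consuming the event.
// Also captured: fld1 (sequence number), saddr, username, daddr,
// dclass_counter1 (fragment length) and dclass_counter2 (fragment offset).
// NOTE(review): username is copied from the log line as-is; consumers should
// handle it as untrusted text. Confirm the new mapping against sample logs.
var msg1363 = match({
  dissect: {
    tokenizer: "IPSEC: Received an ESP packet (SPI= %{dst_spi}, sequence number=%{fld1}) from %{saddr} (user=%{username}) to %{daddr} containing an illegal IP fragment of length %{dclass_counter1} with offset %{dclass_counter2}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1, dup2202, dup2340, dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("illegal IP fragment on IPSEC packet"),
    }),
    dup2385,
  ]),
});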
// ESP packet failed anti-replay checking: dup648, dup208 and dup649 do the
// parsing (declared earlier in this file). The chain sets the fixed
// event_description and then runs dup2385 last.
var all588 = all_match({
  processors: [dup648, dup208, dup649],
  on_success: processor_chain([
    dup55, dup650, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received ESP packet that failed anti-replay checking"),
    }),
    dup2385,
  ]),
});
// ESP packet failed authentication: dup648, dup208 and dup1494 do the parsing
// (declared earlier in this file); the chain ends by setting the fixed
// event_description.
// Unlike all587 and all588, this chain does not run dup2385.
var all589 = all_match({
  processors: [dup648, dup208, dup1494],
  on_success: processor_chain([
    dup55, dup1495, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received ESP packet that failed authentication"),
    }),
  ]),
});
// Crypto error while executing a command.
// Captures product, the parenthesised error as context, the command name as
// process and its parenthesised argument text as info.
var msg1364 = match({
  dissect: {
    tokenizer: "CRYPTO: The %{product} encountered an error (%{context}) while executing the command %{process}(%{info}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup343, dup865, dup2340,
    dup2286, dup2287, dup2288, dup2289, dup2386,
  ]),
});
// Crypto error without a command.
// Captures product and the parenthesised detail as info. Here the detail goes
// to info, whereas msg1364 stores its first parenthesised part in context.
var msg1365 = match({
  dissect: {
    tokenizer: "CRYPTO: The %{product} encountered an error (%{info})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1121, dup1293, dup2340,
    dup2286, dup2287, dup2288, dup2289, dup2386,
  ]),
});
// Crypto component timed out.
// Captures product and the parenthesised detail as info, then sets a fixed
// event_description.
var msg1366 = match({
  dissect: {
    tokenizer: "CRYPTO: The %{product} timed out (%{info})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1121, dup1122, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("hardware accelerator Ipsec ring timed out"),
    }),
  ]),
});
// Crypto archive, soft reset: dup1393, dup540 and dup1394 do the parsing
// (declared earlier in this file); the chain ends by setting the fixed
// nwparser.result.
var all590 = all_match({
  processors: [dup1393, dup540, dup1394],
  on_success: processor_chain([
    dup125, dup1395, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("Crypto archive - soft reset"),
    }),
  ]),
});
// Latest crypto file not written: dup539, dup540 and dup541 do the parsing
// (declared earlier in this file; dup540 is shared with all590). The chain
// ends by setting the fixed nwparser.result.
var all591 = all_match({
  processors: [dup539, dup540, dup541],
  on_success: processor_chain([
    dup125, dup542, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("Latest Crypto File not written"),
    }),
  ]),
});
// ESP packet with incorrect IPsec padding.
// Captures dst_spi (SPI), fld2 (sequence number), saddr, username, daddr and
// fld3 (padding detail), then sets the fixed nwparser.result.
// NOTE(review): username is copied from the log line as-is; consumers should
// handle it as untrusted text.
var msg1367 = match({
  dissect: {
    tokenizer: "CRYPTO: Received an ESP packet (SPI = %{dst_spi}, sequence number= %{fld2}) from %{saddr} (user= %{username}) to %{daddr} with incorrect IPsec padding. (padding: %{fld3})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup343, dup1242, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("Received an ESP packet with incorrect IPsec padding"),
    }),
  ]),
});
// XGRE packet received before the PPTP session was established.
// Captures the tunnel id as fld1 and the session id as sessionid.
var msg1368 = match({
  dissect: {
    tokenizer: "PPTP session state not established, but received an XGRE packet, tunnel_id=%{fld1}, session_id=%{sessionid}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1, dup2115, dup2286, dup2287, dup2288, dup2289]),
});
// PPP virtual interface received a packet with an invalid protocol.
// Captures the interface name as interface and the rest of the line as
// protocol.
var msg1369 = match({
  dissect: {
    tokenizer: "PPP virtual interface %{interface} rcvd pkt with invalid protocol: %{protocol}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1, dup2043, dup2286, dup2287, dup2288, dup2289]),
});
// Catch-all matcher: the whole of nwparser.payload becomes event_description.
// The pattern accepts any payload, so selection must happen elsewhere
// (presumably by message ID; confirm).
var msg1370 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2261, dup2286, dup2287, dup2288, dup2289]),
});
// PPP virtual interface configuration problem: mschap is required for MPPE.
// Only the interface name is captured (as interface).
var msg1371 = match({
  dissect: {
    tokenizer: "PPP virtual interface %{interface} requires mschap for MPPE",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1441, dup2290, dup2291, dup2299,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// PPP virtual interface configuration problem: RADIUS is required for MPPE.
// Only the interface name is captured (as interface).
var msg1372 = match({
  dissect: {
    tokenizer: "PPP virtual interface %{interface} requires RADIUS for MPPE",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup378, dup1818, dup2290, dup2291, dup2299,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// PPP virtual interface configuration problem: aaa server group info missing.
// Only the interface name is captured (as interface).
var msg1373 = match({
  dissect: {
    tokenizer: "PPP virtual interface %{interface} missing aaa server group info",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup378, dup800, dup2290, dup2291, dup2299,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// PPP virtual interface configuration problem: a client option is missing.
// Captures the interface name as interface and the text between "client " and
// " option" as hostip.
// NOTE(review): that text may be the name of the missing option rather than an
// address; check sample logs before relying on hostip as an IP field.
var msg1374 = match({
  dissect: {
    tokenizer: "PPP virtual interface %{interface} missing client %{hostip} option",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup378, dup1362, dup2290, dup2291, dup2299,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// A packet that is not a PPTP packet was received.
// Captures the parenthesised token as service, then daddr, saddr and the text
// after "data: " as result; event_description is set to a fixed string.
// Note the pattern lists the destination before the source.
var msg1375 = match({
  dissect: {
    tokenizer: "Rec'd packet not an PPTP packet. (%{service}) dest_addr=%{daddr}, src_addr=%{saddr}, data: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup253, dup1814, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("invalid PPTP packet"),
    }),
  ]),
});
// Catch-all matcher: the whole of nwparser.payload becomes event_description.
// The pattern accepts any payload, so selection must happen elsewhere
// (presumably by message ID; confirm).
var msg1376 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup183, dup1997, dup2290, dup2291, dup2299,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Catch-all matcher: the whole of nwparser.payload becomes event_description.
// The pattern accepts any payload, so selection must happen elsewhere
// (presumably by message ID; confirm).
var msg1377 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup2168, dup2286, dup2287, dup2288, dup2289]),
});
// Catch-all matcher: the whole of nwparser.payload becomes event_description.
// Differs from msg1379 only in the second chain step (dup164).
var msg1378 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup164, dup2286, dup2287, dup2288, dup2289]),
});
// Catch-all matcher: the whole of nwparser.payload becomes event_description.
// Differs from msg1378 only in the second chain step (dup912).
var msg1379 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup61, dup912, dup2286, dup2287, dup2288, dup2289]),
});
// Catch-all matcher: the whole of nwparser.payload becomes event_description.
// The pattern accepts any payload, so selection must happen elsewhere
// (presumably by message ID; confirm).
var msg1380 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup489, dup1076, dup2286, dup2287, dup2288, dup2289]),
});
// Catch-all matcher: the whole of nwparser.payload becomes event_description.
// Differs from msg1382 only in the second chain step (dup2281).
var msg1381 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup378, dup2281, dup2286, dup2287, dup2288, dup2289]),
});
// Catch-all matcher: the whole of nwparser.payload becomes event_description.
// Differs from msg1381 only in the second chain step (dup2152).
var msg1382 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup378, dup2152, dup2286, dup2287, dup2288, dup2289]),
});
var msg1383 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup1947, | |
dup2290, | |
dup2291, | |
dup2299, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1384 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup1412, | |
dup2340, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1385 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup137, | |
dup138, | |
dup2340, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// all592: multi-part matcher. The `processors` list (here a single shared
// part, dup1980) is handed to all_match; the on_success chain runs afterwards.
// The dupNNN parts are defined elsewhere in the file.
var all592 = all_match({
  processors: [dup1980],
  on_success: processor_chain([dup1981, dup1982, dup2286, dup2287, dup2288, dup2289]),
});

// msg1386: catch-all - the whole payload is captured as event_description.
var msg1386 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup253, dup254, dup2286, dup2287, dup2288, dup2289]),
});

// all593 / all594: two ten-part matchers that share nine parts and differ only
// in the third one (dup689 vs dup1874) and in the second on_success processor
// (dup696 vs dup1875). Order of the parts is preserved exactly as authored.
var all593 = all_match({
  processors: [
    dup687, dup688, dup689, dup690, dup74,
    dup691, dup692, dup693, dup694, dup695,
  ],
  on_success: processor_chain([dup93, dup696, dup2286, dup2287, dup2387, dup2288, dup2289]),
});
var all594 = all_match({
  processors: [
    dup687, dup688, dup1874, dup690, dup74,
    dup691, dup692, dup693, dup694, dup695,
  ],
  on_success: processor_chain([dup93, dup1875, dup2286, dup2287, dup2387, dup2288, dup2289]),
});
// msg1387: H225 message with a bad protocol discriminator. Captures both
// endpoints (saddr/sport, daddr/dport) and the offending discriminator value
// as `protocol`, then writes a fixed event_description.
var msg1387 = match({
  dissect: {
    tokenizer: "H225 message from %{saddr}/%{sport} to %{daddr}/%{dport} contains bad protocol discriminator %{protocol}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup489, dup2169, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("H225 message contains bad protocol discriminator"),
    }),
  ]),
});

// msg1388: H225 message received before SETUP. The message name lands in the
// generic `fld` key; both endpoints are captured.
// NOTE(review): the constant below reads "received from before SETUP" (the
// endpoints were dropped from the phrase). Detection rules that key on
// event_description must match this exact text.
var msg1388 = match({
  dissect: {
    tokenizer: "H225 message %{fld} received from %{saddr}/%{sport} to %{daddr}/%{dport} before SETUP",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup489, dup783, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("H225 message received from before SETUP"),
    }),
  ]),
});

// all595: three-part matcher; the parts (dup2170..dup2172) are defined
// elsewhere in the file.
var all595 = all_match({
  processors: [dup2170, dup2171, dup2172],
  on_success: processor_chain([dup93, dup2173, dup2286, dup2287, dup2288, dup2289]),
});
// msg1389 / msg1390: FTP PORT command anomalies reported by the device.
//  - msg1389 ("low port"): captures saddr/sport, daddr and the interface.
//  - msg1390 ("different address"): captures saddr, the parenthesised value
//    after it as generic `fld1`, daddr and the interface. No port is captured.
// Both run the same trailing processor dup2388 (defined elsewhere).
// NOTE(review): `fld1` is presumably the address carried inside the PORT
// command; confirm before using it for correlation.
var msg1389 = match({
  dissect: {
    tokenizer: "FTP port command low port: %{saddr}/%{sport} to %{daddr} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup227, dup2016, dup2286, dup2287, dup2288, dup2289, dup2388]),
});
var msg1390 = match({
  dissect: {
    tokenizer: "FTP port command different address: %{saddr}(%{fld1}) to %{daddr} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup227, dup228, dup2286, dup2287, dup2288, dup2289, dup2388]),
});
// msg1391: traffic denied because the licensed host limit was exceeded.
// Captures protocol, both interface:address/port endpoints and the limit
// (generic `fld1`).
var msg1391 = match({
  dissect: {
    tokenizer: "Deny traffic for protocol %{protocol} src %{sinterface}:%{saddr}/%{sport} dst %{dinterface}:%{daddr}/%{dport}, licensed host limit of %{fld1} exceeded.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup258, dup1876, dup2302, dup2300, dup2301, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// msg1392: same condition reported per local host. Only interface and hostip
// are captured; event_description and result are set to fixed strings.
var msg1392 = match({
  dissect: {
    tokenizer: "Deny traffic for local-host %{interface}:%{hostip}, license limit of %{fld1} exceeded",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup258, dup1553, dup2302, dup2300, dup2301, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("denied traffic") }),
    set_field({ dest: "nwparser.result", value: constant("license limit exceeded") }),
  ]),
});

// msg1393 / msg1394: embryonic (half-open) connection limit exceeded for
// through connections - two wordings of the same event. The counters land in
// generic fld1/fld2 (msg1393) or fld1 (msg1394); the parenthesised value after
// daddr lands in fld3 / fld2 respectively.
// NOTE(review): the counters are not stored in typed/named fields, so
// threshold-style detections have to parse the generic keys.
var msg1393 = match({
  dissect: {
    tokenizer: "Embryonic limit %{fld1}/%{fld2} for through connections exceeded. %{saddr}/%{sport} to %{daddr} (%{fld3})/%{dport} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup1740, dup2313, dup2302, dup2314,
    dup2286, dup2287, dup2288, dup2289, dup2341, dup2389,
  ]),
});
var msg1394 = match({
  dissect: {
    tokenizer: "Embryonic limit for through connections exceeded %{fld1}. %{saddr}/%{sport} to %{daddr} (%{fld2})/%{dport} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup1741, dup2313, dup2302, dup2314, dup2285,
    dup2286, dup2287, dup2288, dup2289, dup2341, dup2389,
  ]),
});
// msg1395: catch-all - the whole payload is captured as event_description.
var msg1395 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup1656, dup2286, dup2287, dup2288, dup2289]),
});

// all596: three-part matcher (parts defined elsewhere); on success a fixed
// result of "Ospf IA update conflict" is written.
var all596 = all_match({
  processors: [dup1554, dup1555, dup1556],
  on_success: processor_chain([
    dup1557, dup1558, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("Ospf IA update conflict") }),
  ]),
});

// msg1396: catch-all - the whole payload is captured as event_description.
var msg1396 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup369, dup1910, dup2286, dup2287, dup2288, dup2289]),
});

// msg1397: external LSA message. The prefix before the colon goes to fld1,
// the address after "external LSA" to hostip, and the remainder to fld.
var msg1397 = match({
  dissect: {
    tokenizer: "%{fld1}: external LSA %{hostip} %{fld}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup488, dup2286, dup2287, dup2288, dup2289]),
});

// all597: two-part matcher; parts and enrichment are defined elsewhere.
var all597 = all_match({
  processors: [dup314, dup315],
  on_success: processor_chain([dup316, dup317, dup2286, dup2287, dup2288, dup2289]),
});

// msg1398: a packet was received from a neighbor the device does not know.
// The packet kind is captured as `result`, the neighbor address as hostip.
// NOTE(review): worth surfacing in routing-integrity detections; hostip is the
// only peer identifier extracted here.
var msg1398 = match({
  dissect: {
    tokenizer: "Received %{result} from unknown neighbor %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1173, dup2286, dup2287, dup2288, dup2289]),
});
// msg1399 - msg1407: nine catch-all matchers. Each captures the entire
// payload under the single key event_description and differs only in the
// first two on_success processors (defined elsewhere in the file). No
// structured network fields are extracted by these definitions.
var msg1399 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup489, dup490, dup2286, dup2287, dup2288, dup2289]),
});
var msg1400 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup1187, dup2286, dup2287, dup2288, dup2289]),
});
var msg1401 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup369, dup1934, dup2286, dup2287, dup2288, dup2289]),
});
var msg1402 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup369, dup1533, dup2286, dup2287, dup2288, dup2289]),
});
var msg1403 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup491, dup2286, dup2287, dup2288, dup2289]),
});
var msg1404 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup1359, dup2286, dup2287, dup2288, dup2289]),
});
var msg1405 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup379, dup2286, dup2287, dup2288, dup2289]),
});
var msg1406 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup1963, dup2286, dup2287, dup2288, dup2289]),
});
var msg1407 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup378, dup1363, dup2286, dup2287, dup2288, dup2289]),
});
// all598: three-part matcher; on success a fixed result of
// "Auth-server group unreachable" is written.
// NOTE(review): an unreachable auth-server group can change how logins are
// decided on the device - consider alerting on this result value.
var all598 = all_match({
  processors: [dup1649, dup4, dup1650],
  on_success: processor_chain([
    dup334, dup1651, dup2325, dup2299, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("Auth-server group unreachable") }),
  ]),
});

// all599 / all600: seven-part matchers sharing parts dup801, dup802, dup805
// and dup807 and the trailing processor dup2390. all600 additionally runs
// dup2285. All parts are defined elsewhere in the file.
var all599 = all_match({
  processors: [dup801, dup802, dup803, dup804, dup805, dup806, dup807],
  on_success: processor_chain([
    dup808, dup809, dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289, dup2390,
  ]),
});
var all600 = all_match({
  processors: [dup801, dup802, dup810, dup811, dup805, dup812, dup807],
  on_success: processor_chain([
    dup808, dup813, dup2313, dup2302, dup2316, dup2285,
    dup2286, dup2287, dup2288, dup2289, dup2390,
  ]),
});

// msg1408: UDP DNS reply dropped because a compression pointer length exceeds
// the packet length limit. Both endpoints are captured. Note that `bytes`
// holds the compression pointer length (not a transfer size) and the limit is
// stored in generic `fld2`.
var msg1408 = match({
  dissect: {
    tokenizer: "Dropped UDP DNS reply from %{saddr}/%{sport} to %{daddr}/%{dport}; compression pointer length %{bytes} bytes exceeds packet length limit of %{fld2} bytes",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup489, dup814, dup2313, dup2302, dup2316, dup2285,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Dropped DNS UDP reply packet - length exceeded"),
    }),
  ]),
});

// all601: three-part matcher that ends with the same dup2390 processor used
// by all599 / all600.
var all601 = all_match({
  processors: [dup815, dup816, dup817],
  on_success: processor_chain([
    dup808, dup818, dup2285, dup2286, dup2287, dup2288, dup2289, dup2390,
  ]),
});

// all602: two-part matcher; parts and enrichment are defined elsewhere.
var all602 = all_match({
  processors: [dup819, dup820],
  on_success: processor_chain([dup14, dup821, dup2286, dup2287, dup2288, dup2289]),
});
// all603: four-part matcher; parts and enrichment are defined elsewhere.
var all603 = all_match({
  processors: [dup894, dup895, dup896, dup897],
  on_success: processor_chain([dup898, dup899, dup2286, dup2287, dup2288, dup2289]),
});

// all604 / all605: identical part lists (dup1301..dup1303); they differ only
// in the second on_success processor (dup1304 vs dup1312).
var all604 = all_match({
  processors: [dup1301, dup1302, dup1303],
  on_success: processor_chain([
    dup93, dup1304, dup2290, dup2292, dup2291, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
var all605 = all_match({
  processors: [dup1301, dup1302, dup1303],
  on_success: processor_chain([
    dup93, dup1312, dup2290, dup2292, dup2291, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// all606: two-part matcher; on success nwparser.misc is set to a fixed
// hardware-transmit-hang description.
var all606 = all_match({
  processors: [dup1301, dup1892],
  on_success: processor_chain([
    dup93, dup1893, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.misc",
      value: constant("Interface experienced a hardware transmit hang"),
    }),
  ]),
});

// msg1409: a MAC address moved between interfaces. The tokenizer stores the
// MAC under the key `interface` and the old/new locations under src_zone /
// dst_zone - keep that naming in mind when writing MAC-move detections.
// NOTE(review): this is the only chain in this part of the file that runs
// dup2287..dup2289 without dup2286 - confirm the omission is intentional.
var msg1409 = match({
  dissect: {
    tokenizer: "MAC %{interface} moved from %{src_zone} to %{dst_zone}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup732, dup2290, dup2292, dup2291, dup2316, dup2287, dup2288, dup2289,
  ]),
});

// msg1410 / msg1411: a module could not shut down / reload. Slot and error
// details go to generic keys. The tokenizers have no space around %{fld1}
// ("slot%{fld1}is"), so fld1 presumably carries its own surrounding
// whitespace - TODO confirm against real samples.
var msg1410 = match({
  dissect: {
    tokenizer: "Module in slot%{fld1}is not able to shut down. %{space} Module Error: %{fld2} %{fld3}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1508, dup2286, dup2287, dup2288, dup2289]),
});
var msg1411 = match({
  dissect: {
    tokenizer: "Module in slot%{fld1}is not able to reload.%{space}Module Error:%{fld2} %{data}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup2120, dup2286, dup2287, dup2288, dup2289]),
});

// all607: two-part matcher; parts and enrichment are defined elsewhere.
var all607 = all_match({
  processors: [dup507, dup508],
  on_success: processor_chain([dup93, dup509, dup2286, dup2287, dup2288, dup2289]),
});
// msg1412 / msg1413: the device failed to save its logging buffer, either to
// an FTP server (filename, hostip, interface captured) or to the local
// flash:/syslog directory (filename captured). The bracketed reason is
// captured as `result` in both.
// NOTE(review): these events mean device logs may be missing downstream;
// they are useful as a log-pipeline health signal.
var msg1412 = match({
  dissect: {
    tokenizer: "Failed to save logging buffer using file name %{filename} to FTP server %{hostip} on interface %{interface}: [%{result}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1343, dup2286, dup2287, dup2288, dup2289]),
});
var msg1413 = match({
  dissect: {
    tokenizer: "Failed to save logging buffer to flash:/syslog directory using filename: %{filename}: [%{result}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1525, dup2286, dup2287, dup2288, dup2289]),
});
// msg1414 - msg1418: HTTP inspection findings. Every tokenizer starts with
// %{sigid} and captures %{listnum}, saddr and daddr; none of them captures a
// port, so correlation with connection events has to rely on addresses and
// time. The finding type is written to nwparser.context as a fixed string
// (msg1414 - msg1416) or by the shared processor dup2391 (msg1417, msg1418),
// which is defined elsewhere.
var msg1414 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP Tunnel detected - %{listnum} %{protocol} from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup245, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.context", value: constant("HTTP Tunnel detected") }),
  ]),
});
var msg1415 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP Instant Messenger detected - %{listnum} %{protocol} from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup1048, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.context", value: constant("HTTP Instant Messenger detected") }),
  ]),
});
var msg1416 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP Peer-to-Peer detected - %{listnum} %{protocol} from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup996, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.context", value: constant("HTTP Peer-to-Peer detected") }),
  ]),
});

// "Content type not found": msg1417 matches the fixed "Content Verification
// Failed" wording; msg1418 captures the text in that position as `protocol`
// and additionally runs dup2285.
var msg1417 = match({
  dissect: {
    tokenizer: "%{sigid} Content type not found - %{listnum} Content Verification Failed from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup27, dup1894, dup2286, dup2287, dup2288, dup2289, dup2391]),
});
var msg1418 = match({
  dissect: {
    tokenizer: "%{sigid} Content type not found - %{listnum} %{protocol} from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup1895, dup2285, dup2286, dup2287, dup2288, dup2289, dup2391,
  ]),
});
// msg1419 - msg1423: further HTTP inspection findings. As with the other
// %{sigid}-prefixed patterns, only msg1423 captures interfaces and ports; the
// rest capture saddr/daddr only.
var msg1419 = match({
  dissect: {
    tokenizer: "%{sigid} Content type does not match specified type - %{listnum} Content Verification Failed from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup2114, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.context",
      value: constant("Content type does not match specified type"),
    }),
  ]),
});

// msg1420: the reported content size is captured under the key `priority`
// (the key name does not describe the value) - rule authors looking for the
// size must read that key.
var msg1420 = match({
  dissect: {
    tokenizer: "%{sigid} Content size %{priority} out of range - %{listnum} %{protocol} from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup28, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.context", value: constant("Content size out of range") }),
  ]),
});

// msg1421 / msg1422: illegal HTTP extension / RFC method. The single-quoted
// token is captured as `protocol`.
// NOTE(review): that token is presumably the method string taken from the
// client's request, i.e. remote-controlled text - treat it as untrusted when
// displaying or re-using it. TODO confirm against device samples.
var msg1421 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP Extension method illegal - %{listnum} '%{protocol}' from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup1526, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.context", value: constant("HTTP Extension method illegal") }),
  ]),
});
var msg1422 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP RFC method illegal - %{listnum} '%{protocol}' from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup1177, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.context", value: constant("HTTP RFC method illegal") }),
  ]),
});

// msg1423: a policy-map header match caused the connection to be reset.
// Captures the matched item (fld1), the policy name and both full endpoints.
// No fixed context string is written by this chain.
var msg1423 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP - matched %{fld1} in policy-map %{policyname}, header matched - Resetting connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup1178, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// msg1424 - msg1429: HTTP inspection findings about lengths, protocol
// violations and evasion. All capture %{sigid}, saddr and daddr (no ports) and
// write a fixed string to nwparser.context.

// msg1424: header length exceeded; the received byte count is stored under
// the key `priority`.
var msg1424 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP Header length exceeded. Received %{priority} byte Header - %{listnum} header length exceeded from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup1896, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.context", value: constant("HTTP Header length exceeded") }),
  ]),
});
var msg1425 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP protocol violation detected - %{listnum} HTTP Protocol not detected from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup2121, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.context", value: constant("HTTP protocol violation detected") }),
  ]),
});

// msg1426: URL length exceeded; the received byte count is stored under the
// key `priority`.
var msg1426 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP URL Length exceeded. Received %{priority} byte URL - %{listnum} URI length exceeded from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup1570, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.context", value: constant("HTTP URL Length exceeded") }),
  ]),
});

// msg1427: the device reports an IPS evasion technique (HTTP deobfuscation
// signature). High-value for detection; only addresses are available.
var msg1427 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP Deobfuscation signature detected - %{listnum} HTTP deobfuscation detected IPS evasion technique from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup2282, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.context",
      value: constant("HTTP Deobfuscation signature detected"),
    }),
  ]),
});
var msg1428 = match({
  dissect: {
    tokenizer: "%{sigid} HTTP Transfer encoding violation detected - %{listnum} %{protocol} Transfer encoding not allowed from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup1446, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.context",
      value: constant("HTTP Transfer encoding violation detected"),
    }),
  ]),
});

// msg1429: too many unanswered HTTP requests.
// NOTE(review): the number 10 is a literal in the tokenizer, so a message
// reporting a different maximum would presumably not match this pattern -
// verify against devices with a non-default setting.
var msg1429 = match({
  dissect: {
    tokenizer: "%{sigid} Maximum of 10 unanswered HTTP requests exceeded from %{saddr} to %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup27, dup874, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.context",
      value: constant("Maximum of 10 unanswered HTTP requests exceeded"),
    }),
  ]),
});
// msg1430: dropped UDP SNMP packet. Both full endpoints are captured; the
// text after the semicolon is captured as `result`; event_description is set
// to a fixed string.
var msg1430 = match({
  dissect: {
    tokenizer: "Dropped UDP SNMP packet from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}; %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup890, dup2313, dup2302, dup2314, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("dropped UDP SNMP packet") }),
  ]),
});

// msg1431 - msg1433 and all608: "Through-the-device packet to/from
// management-only network is denied" in its ICMP, generic-protocol and
// port-bearing wordings. The ICMP form captures icmptype/icmpcode and has no
// ports; msg1432 has no ports either; msg1433 captures ports from the
// parenthesised values. All four end with dup2393 (defined elsewhere).
// NOTE(review): these denials indicate traffic trying to transit a
// management-only network and are worth a dedicated detection.
var msg1431 = match({
  dissect: {
    tokenizer: "Through-the-device packet to/from management-only network is denied: icmp src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup1023, dup2313, dup2302, dup2314, dup2285,
    dup2286, dup2287, dup2288, dup2289, dup2392, dup2393, dup2308,
  ]),
});
var msg1432 = match({
  dissect: {
    tokenizer: "Through-the-device packet to/from management-only network is denied: protocol %{protocol} src %{sinterface}:%{saddr} dst %{dinterface}:%{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup1024, dup2313, dup2302, dup2314, dup2285,
    dup2286, dup2287, dup2288, dup2289, dup2392, dup2393,
  ]),
});
var all608 = all_match({
  processors: [dup1025, dup1026, dup2370],
  on_success: processor_chain([
    dup285, dup1027, dup2313, dup2302, dup2314, dup2285,
    dup2286, dup2287, dup2288, dup2289, dup2394, dup2393,
  ]),
});
var msg1433 = match({
  dissect: {
    tokenizer: "Through-the-device packet to/from management-only network is denied: %{protocol} from %{sinterface} %{saddr} (%{sport}) to %{dinterface} %{daddr} (%{dport})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup1028, dup2313, dup2302, dup2314,
    dup2286, dup2287, dup2288, dup2289, dup2394, dup2393,
  ]),
});

// msg1434: generic "<action> from ... to ..., reason: ..." message. The
// leading text up to " from " is captured as `action`, the trailing reason as
// `result`.
var msg1434 = match({
  dissect: {
    tokenizer: "%{action} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}, reason: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup1940, dup2313, dup2302, dup2314, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// msg1435: "<action> ... with different initial sequence number". The leading
// text is captured as `action`; both full endpoints are captured.
var msg1435 = match({
  dissect: {
    tokenizer: "%{action} from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} with different initial sequence number",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup168, dup1459, dup2286, dup2287, dup2288, dup2289]),
});

// msg1436: the device cleared the TCP urgent flag on a flow.
var msg1436 = match({
  dissect: {
    tokenizer: "Cleared TCP urgent flag from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1460, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Cleared TCP urgent flag") }),
  ]),
});

// msg1437 / msg1438: IPS-requested packet drops. msg1437 is the ICMP-style
// wording (type/code, no ports); msg1438 captures the requesting component as
// `service` and both endpoints with ports. Both end with dup2395.
// NOTE(review): in msg1438 there is no literal "to" between the source and
// destination endpoints (msg1439 has one). Check on real samples that
// dinterface is not captured with a leading "to ".
var msg1437 = match({
  dissect: {
    tokenizer: "IPS requested to drop %{protocol} packets %{sinterface}:%{saddr} to %{dinterface}:%{daddr} (type %{icmptype}, code %{icmpcode})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup2174, dup2313, dup2302, dup2314, dup2285,
    dup2286, dup2287, dup2288, dup2289, dup2395,
  ]),
});
var msg1438 = match({
  dissect: {
    tokenizer: "%{service} requested to drop %{protocol} packet from %{sinterface}:%{saddr}/%{sport} %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup2175, dup2313, dup2302, dup2314,
    dup2286, dup2287, dup2288, dup2289, dup2395,
  ]),
});

// msg1439: IPS-requested connection reset; event_description is set to a
// fixed string.
var msg1439 = match({
  dissect: {
    tokenizer: "IPS requested to reset %{protocol} connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup784, dup2313, dup2302, dup2314, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IPS request to reset connection"),
    }),
  ]),
});
// msg1440 / msg1441: a virtual sensor was added to / deleted from a product.
// The sensor name is captured as `vsys`, the product as `product`.
// NOTE(review): these are configuration changes to the inspection layer;
// an unexpected deletion is worth reviewing.
var msg1440 = match({
  dissect: {
    tokenizer: "Virtual Sensor %{vsys} was added on the %{product}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup398, dup399, dup2380, dup2290, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Virtual Sensor added") }),
  ]),
});
var msg1441 = match({
  dissect: {
    tokenizer: "Virtual Sensor %{vsys} was deleted from the %{product}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup761, dup1750, dup2333, dup2290, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Virtual Sensor deleted") }),
  ]),
});

// msg1442: a TCP flow was skipped because a component (captured as
// `application`) has failed. Fixed event_description and result are written.
// NOTE(review): a skipped flow presumably bypasses that component's
// inspection - treat as an inspection-gap signal. TODO confirm.
var msg1442 = match({
  dissect: {
    tokenizer: "TCP flow from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} is skipped because %{application} has failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup369, dup1386, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("TCP flow skipped") }),
    set_field({ dest: "nwparser.result", value: constant("process failure") }),
  ]),
});

// msg1443: the device failed to inject a TCP packet; endpoints are captured
// without interface names.
var msg1443 = match({
  dissect: {
    tokenizer: "Failed to inject TCP packet from %{saddr}/%{sport} to %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup2079, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("failed to inject TCP packet"),
    }),
  ]),
});

// all609: three-part matcher; parts and enrichment are defined elsewhere.
var all609 = all_match({
  processors: [dup1179, dup1180, dup1181],
  on_success: processor_chain([dup1182, dup1183, dup2286, dup2287, dup2288, dup2289]),
});

// msg1444: usage report - user count (fld1), product and time window in
// hours (fld2).
var msg1444 = match({
  dissect: {
    tokenizer: "There are %{fld1} users of %{product} during the past %{fld2} hours",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup625, dup626, dup2286, dup2287, dup2288, dup2289]),
});
// msg1445: catch-all tokenizer, then ec_subject is set to "License" and
// event_description to a fixed sentence.
// NOTE(review): the fixed sentence hard-codes "365 days". If the dissect
// capture and this set_field target the same field, the day count actually
// reported by the device is not retained - TODO confirm.
var msg1445 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup761,
    dup762,
    set_field({ dest: "nwparser.ec_subject", value: constant("License") }),
    dup2313, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Temporary license key will expire in 365 days"),
    }),
  ]),
});

// msg1446 - msg1448: shared-license service status. The variable part of each
// message is captured as `result` or `info`; event_description is fixed.
var msg1446 = match({
  dissect: {
    tokenizer: "Shared license register request failed, Reason:%{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1974, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license register request failed"),
    }),
  ]),
});
var msg1447 = match({
  dissect: {
    tokenizer: "Shared license service is active. %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1008, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license service is active"),
    }),
  ]),
});
var msg1448 = match({
  dissect: {
    tokenizer: "%{result}. License server is not responding",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup255, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("License server is not responding"),
    }),
  ]),
});

// msg1449 - msg1453: in these five chains dup2288/dup2289 run BEFORE
// dup2286/dup2287, the reverse of the other chains in this part of the file.
// The order is reproduced exactly because processor order may matter.
var msg1449 = match({
  dissect: {
    tokenizer: "Shared %{protocol} license availability: %{info}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1334, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared protocol license availability"),
    }),
  ]),
});
var msg1450 = match({
  dissect: {
    tokenizer: "Shared license backup server %{hostip} is not available",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1587, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license backup server not available"),
    }),
  ]),
});
var msg1451 = match({
  dissect: {
    tokenizer: "Shared license added client id %{hostid}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup971, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license added client"),
    }),
  ]),
});
var msg1452 = match({
  dissect: {
    tokenizer: "Shared license expired client id %{hostid}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup972, dup2285, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license expired client"),
    }),
  ]),
});
var msg1453 = match({
  dissect: {
    tokenizer: "Shared license backup server role change to %{result}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup560, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license backup server role changed"),
    }),
  ]),
});
// Content-filter and malformed-packet messages. The dupNNN processors are
// defined elsewhere in this file; chain order is preserved.

// Payload: "ActiveX content modified src <saddr> dest <daddr> on interface <interface>"
var msg1454 = match({
  dissect: {
    tokenizer: "ActiveX content modified src %{saddr} dest %{daddr} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup486, dup2005, dup2286, dup2287, dup2288, dup2289]),
});

// Payload: "Java content modified src <saddr> dest <daddr> on interface <interface>"
var msg1455 = match({
  dissect: {
    tokenizer: "Java content modified src %{saddr} dest %{daddr} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup486, dup568, dup2286, dup2287, dup2288, dup2289]),
});

// Bad header length: header length, packet length and flags land in the
// generic fld1/fld2/fld3 captures; addresses and ports get named fields.
var msg1456 = match({
  dissect: {
    tokenizer: "Bad %{protocol} hdr length (hdrlen=%{fld1}, pktlen=%{fld2}) from %{saddr}/%{sport} to %{daddr}/%{dport}, flags: %{fld3}, on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup489, dup863, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Bad hdr length") }),
  ]),
});

// Payload: "Invalid transport field for protocol=<protocol>, from <saddr>/<sport> to <daddr>/<dport>"
var msg1457 = match({
  dissect: {
    tokenizer: "Invalid transport field for protocol=%{protocol}, from %{saddr}/%{sport} to %{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup489, dup2236, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Invalid transport field") }),
  ]),
});
// Privilege-level, local user database and group-policy changes.
// The nwparser.result values set here are fixed labels written by the parser
// (constant(...)), not text taken from the log line, so any search or alert
// keyed on them depends on these exact strings.
// The dupNNN processors are defined elsewhere in this file.

// Command privilege level change. Variable, command and level are captured
// into the generic fld1/fld2/fld3 fields only.
// NOTE(review): the tokenizer captures no outcome, yet the label says
// "successfully" - confirm this message is only emitted on success.
var msg1458 = match({
  dissect: {
    tokenizer: "Cmd priv level changed: Var: %{fld1} Cmd: %{fld2} Priv level: %{fld3}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup166, dup2221, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("Cmd priv level changed successfully") }),
  ]),
});

// "User transitioning priv level": the empty %{} key means the remainder of
// the payload is matched without being stored under a name.
var msg1459 = match({
  dissect: {
    tokenizer: "User transitioning priv level%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup166, dup2222, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("User transitioning priv level") }),
  ]),
});

// User added to the local database; the match parts (dup113, dup4, dup114)
// are defined elsewhere.
var all610 = all_match({
  processors: [dup113, dup4, dup114],
  on_success: processor_chain([
    dup115, dup116, dup2321, dup2380, dup2396, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("New user added to local DB") }),
  ]),
});

// User deleted from the local database; shares dup4 and dup114 with all610.
var all611 = all_match({
  processors: [dup834, dup4, dup114],
  on_success: processor_chain([
    dup835, dup836, dup2321, dup2333, dup2396, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("User deleted from local DB") }),
  ]),
});

// User privilege level change.
var all612 = all_match({
  processors: [dup585, dup4, dup586],
  on_success: processor_chain([
    dup587, dup588, dup2321, dup2292, dup2396, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("User priv level change") }),
  ]),
});

// Group policy added.
var all613 = all_match({
  processors: [dup234, dup4, dup5],
  on_success: processor_chain([
    dup235, dup236, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("New group policy added") }),
  ]),
});

// Group policy deleted; shares dup4 and dup5 with all613.
var all614 = all_match({
  processors: [dup3, dup4, dup5],
  on_success: processor_chain([
    dup6, dup7, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("Group policy deleted") }),
  ]),
});
// Neighbor state, security-context and generic messages.
// A tokenizer of just "%{event_description}" is a catch-all: the entire
// payload is copied into event_description. That text comes straight from the
// log line, so downstream consumers should treat it as untrusted input.
// The dupNNN processors are defined elsewhere in this file.

// Payload: "Process <fld1>, Nbr <hostip> on <interface> from <fld2> to <fld3>, <result>"
var msg1460 = match({
  dissect: {
    tokenizer: "Process %{fld1}, Nbr %{hostip} on %{interface} from %{fld2} to %{fld3}, %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1174, dup1175, dup2286, dup2287, dup2288, dup2289]),
});

// Security context added; note that dup2288/dup2289 run after set_field
// here, unlike most chains in this part of the file.
var msg1461 = match({
  dissect: {
    tokenizer: "Security context %{info} was added to the system",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup398, dup409, dup2380, dup2290, dup2285, dup2286, dup2287,
    set_field({ dest: "nwparser.event_description", value: constant("Security context added") }),
    dup2288, dup2289,
  ]),
});

// Catch-all sharing dup398/dup2380/dup2290 with msg1461.
var msg1462 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup398, dup410, dup2380, dup2290, dup2286, dup2287, dup2288, dup2289]),
});

// Security context removed; same chain shape as msg1461.
var msg1463 = match({
  dissect: {
    tokenizer: "Security context %{info} was removed from the system",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup761, dup1167, dup2333, dup2290, dup2285, dup2286, dup2287,
    set_field({ dest: "nwparser.event_description", value: constant("Security context removed") }),
    dup2288, dup2289,
  ]),
});

// Catch-all sharing dup761/dup2333/dup2290 with msg1463.
var msg1464 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup761, dup1168, dup2333, dup2290, dup2286, dup2287, dup2288, dup2289]),
});

// The remaining definitions in this run are catch-alls that differ only in
// their first two shared processors.
var msg1465 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup662, dup663, dup2286, dup2287, dup2288, dup2289]),
});

var msg1466 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup20, dup1235, dup2286, dup2287, dup2288, dup2289]),
});

var msg1467 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup20, dup592, dup2286, dup2287, dup2288, dup2289]),
});

var msg1468 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup662, dup670, dup2286, dup2287, dup2288, dup2289]),
});

var msg1469 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup338, dup1948, dup2286, dup2287, dup2288, dup2289]),
});

var msg1470 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup338, dup339, dup2286, dup2287, dup2288, dup2289]),
});

var msg1471 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup20, dup1148, dup2286, dup2287, dup2288, dup2289]),
});
// Data-channel and module-status messages. The dupNNN processors are defined
// elsewhere in this file.

// Two alternatives for the tail held in nwparser.p1: "UP." followed by the
// rest, or "UP" followed by the rest. Neither has an on_success chain.
var msg1472 = match({
  dissect: { tokenizer: "UP.%{p2}", field: "nwparser.p1" },
});

var msg1473 = match({
  dissect: { tokenizer: "UP%{p2}", field: "nwparser.p1" },
});

// The more specific "UP." form is listed before the plain "UP" form; keep
// this order, since the second pattern also matches text starting with "UP.".
var select183 = linear_select([msg1472, msg1473]);

// Data channel up: two shared match parts followed by the select above.
var all615 = all_match({
  processors: [dup926, dup927, select183],
  on_success: processor_chain([
    dup193, dup928, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("data channel communication is UP") }),
  ]),
});

// Shares the trailing match part dup2397 with all617 below.
var all616 = all_match({
  processors: [dup602, dup2397],
  on_success: processor_chain([dup604, dup605, dup2286, dup2287, dup2288, dup2289]),
});

// Module application down; the application name sits between literal double
// quotes in the payload, hence the escaped quotes in the tokenizer.
var msg1474 = match({
  dissect: {
    tokenizer: "%{product} Module in slot %{fld1}, application down \"%{application}\", %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup41, dup733, dup2286, dup2287, dup2288, dup2289]),
});

var all617 = all_match({
  processors: [dup1577, dup2397],
  on_success: processor_chain([dup1540, dup1578, dup2286, dup2287, dup2288, dup2289]),
});

// Catch-all: the entire payload becomes event_description.
var msg1475 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup243, dup246, dup2286, dup2287, dup2288, dup2289]),
});
// Connection and flow messages. The dupNNN processors are defined elsewhere
// in this file; chain order is preserved.

// TCP-Proxy connection terminated; the trailing reason is kept as `result`.
var msg1476 = match({
  dissect: {
    tokenizer: "Terminating TCP-Proxy connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} - %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup846, dup2313, dup2302, dup2314, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("TCP-Proxy connection terminated") }),
  ]),
});

// Connection moved to non-proxy mode. The chain matches msg1476 except for
// the first two processors and dup2316 in place of dup2314.
var msg1477 = match({
  dissect: {
    tokenizer: "Moving connection from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport} to non-proxy mode - %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup2145, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Moving connection") }),
  ]),
});

// TCP/UDP flow terminated.
var all618 = all_match({
  processors: [dup2153, dup2154],
  on_success: processor_chain([
    dup579, dup2155, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("tcp/udp flow terminated") }),
  ]),
});

// DCERPC unknown non-standard major version. dup2288/dup2289 run before
// dup2286/dup2287 in this chain, as in the original.
var all619 = all_match({
  processors: [dup710, dup711, dup712],
  on_success: processor_chain([
    dup14, dup713, dup2288, dup2289, dup2286, dup2287,
    set_field({ dest: "nwparser.event_description", value: constant("DCERPC unknown non-standard major version on connection") }),
  ]),
});

// PMTU-D: packet larger than the effective MTU.
var all620 = all_match({
  processors: [dup1092, dup1093, dup1094],
  on_success: processor_chain([
    dup808, dup1095, dup2340, dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289, dup2303,
    set_field({ dest: "nwparser.event_description", value: constant("PMTU-D packet bytes greater than effective mtu") }),
  ]),
});

// Catch-all: the entire payload becomes event_description.
var msg1478 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup18, dup212, dup2340, dup2292, dup2290, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// ICMP and ISAKMP messages. The dupNNN processors are defined elsewhere in
// this file; chain order is preserved.

// ICMP Destination Unreachable, "... from <saddr> with <info>" form.
var msg1479 = match({
  dissect: {
    tokenizer: "%{product}: Received an ICMP Destination Unreachable from %{saddr} with %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1843, dup2340, dup2286, dup2287, dup2288, dup2289, dup2398,
  ]),
});

// ICMP Destination Unreachable, "... from <saddr>,<info>" form.
var msg1480 = match({
  dissect: {
    tokenizer: "%{product}: Received an ICMP Destination Unreachable from %{saddr},%{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1823, dup2340, dup2286, dup2287, dup2288, dup2289, dup2398,
  ]),
});

// ISAKMP Phase 1 SA created, responder side: the local endpoint is stored as
// destination (daddr/dport) and the remote peer as source (saddr/sport).
var msg1481 = match({
  dissect: {
    tokenizer: "ISAKMP Phase 1 SA created (local %{daddr}/%{dport} (responder), remote %{saddr}/%{sport}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup357, dup2132, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// ISAKMP Phase 1 SA created, initiator side: the mapping is reversed, so the
// local endpoint is the source and the remote peer the destination.
var msg1482 = match({
  dissect: {
    tokenizer: "ISAKMP Phase 1 SA created (local %{saddr}/%{sport} (initiator), remote %{daddr}/%{dport}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup357, dup2133, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// all621..all624 pair a shared head (dup651) with one of two middle parts
// (dup652 or dup2116) and one of two tails (dup653 or dup655). The patterns
// themselves are defined elsewhere.
var all621 = all_match({
  processors: [dup651, dup652, dup653],
  on_success: processor_chain([
    dup10, dup654, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289, dup2399,
  ]),
});

var all622 = all_match({
  processors: [dup651, dup652, dup655],
  on_success: processor_chain([
    dup10, dup656, dup2340, dup2286, dup2287, dup2288, dup2289, dup2399,
  ]),
});

var all623 = all_match({
  processors: [dup651, dup2116, dup653],
  on_success: processor_chain([
    dup68, dup2117, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289, dup2400,
  ]),
});

var all624 = all_match({
  processors: [dup651, dup2116, dup655],
  on_success: processor_chain([
    dup68, dup2118, dup2340, dup2286, dup2287, dup2288, dup2289, dup2400,
  ]),
});

// Catch-alls: the entire payload becomes event_description.
var msg1483 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup357, dup358, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1484 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup483, dup589, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// all625 and all626 use identical match parts and differ only in the first
// two chain processors; both use dup2312 where most chains use dup2287.
var all625 = all_match({
  processors: [dup207, dup208, dup209],
  on_success: processor_chain([
    dup10, dup2134, dup2340, dup2286, dup2312, dup2288, dup2289,
  ]),
});

var all626 = all_match({
  processors: [dup207, dup208, dup209],
  on_success: processor_chain([
    dup68, dup210, dup2340, dup2286, dup2312, dup2288, dup2289,
  ]),
});
// PPP authentication and tunnel lifecycle messages. The dupNNN processors
// are defined elsewhere in this file; chain order is preserved.

// Catch-all: the entire payload becomes event_description.
var msg1485 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup1, dup1364, dup2286, dup2287, dup2288, dup2289]),
});

// PPP AAA authentication started. `username` is taken verbatim from the log
// line; treat it as untrusted text downstream.
var msg1486 = match({
  dissect: {
    tokenizer: "PPP virtual interface %{interface} - user: %{username} aaa authentication started",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup220, dup1368, dup2286, dup2287, dup2288, dup2289]),
});

// PPP AAA authentication outcome: the word after "authentication" is
// captured as `disposition`. This pattern also matches the "started" message
// handled by msg1486.
var msg1487 = match({
  dissect: {
    tokenizer: "PPP virtual interface %{interface} - user: %{username} aaa authentication %{disposition}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup220, dup1212, dup2286, dup2287, dup2288, dup2289]),
});

// PPTP tunnel created. Note the capital "T" in "Tunnel"; all631 below writes
// "PPTP tunnel created", so exact-match searches need to cover both spellings.
var all627 = all_match({
  processors: [dup8, dup4, dup9],
  on_success: processor_chain([
    dup10, dup11, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("PPTP Tunnel created") }),
  ]),
});

// PPTP tunnel deleted.
var all628 = all_match({
  processors: [dup1534, dup1535, dup1536],
  on_success: processor_chain([
    dup68, dup1537, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("PPTP tunnel deleted") }),
  ]),
});

// L2TP tunnel created; six match parts, all defined elsewhere.
var all629 = all_match({
  processors: [dup714, dup1793, dup1794, dup1795, dup1796, dup1778],
  on_success: processor_chain([
    dup10, dup1797, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("L2TP tunnel created") }),
  ]),
});

// L2TP tunnel deleted; shares the head part dup714 with all629.
var all630 = all_match({
  processors: [dup714, dup715, dup716],
  on_success: processor_chain([
    dup68, dup717, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("L2TP tunnel deleted") }),
  ]),
});

// NOTE(review): this is labelled "PPTP tunnel created", but it shares the
// match part dup1080 with all632, whose label is "Teardown PPPOE tunnel".
// It may really be the PPPoE creation event; verify against the patterns in
// dup1263..dup1265, which are not visible here.
var all631 = all_match({
  processors: [dup1263, dup1080, dup1264, dup161, dup1265],
  on_success: processor_chain([
    dup10, dup1266, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("PPTP tunnel created") }),
  ]),
});

// PPPoE tunnel teardown.
var all632 = all_match({
  processors: [dup1079, dup1080, dup1081],
  on_success: processor_chain([
    dup68, dup1082, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Teardown PPPOE tunnel") }),
  ]),
});
// DHCP client and HTTP daemon messages. The dupNNN processors are defined
// elsewhere in this file.

// Payload: "DHCP client interface <interface>:<info>"
var msg1488 = match({
  dissect: {
    tokenizer: "DHCP client interface %{interface}:%{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup41, dup822, dup2286, dup2287, dup2288, dup2289]),
});

// Catch-all: the entire payload becomes event_description.
var msg1489 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup41, dup1278, dup2286, dup2287, dup2288, dup2289]),
});

// all_match with a single match part (dup2102).
var all633 = all_match({
  processors: [dup2102],
  on_success: processor_chain([dup1540, dup2103, dup2286, dup2287, dup2288, dup2289]),
});

// Catch-all.
var msg1490 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup41, dup477, dup2286, dup2287, dup2288, dup2289]),
});

// HTTP daemon refused a connection. The client address is captured as
// `hostip`, not `saddr`, so queries on source address alone will not see it
// unless a shared processor copies it (not visible here).
var msg1491 = match({
  dissect: {
    tokenizer: "HTTP daemon interface %{interface}: connection denied from %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup349, dup1378, dup2286, dup2287, dup2288, dup2289]),
});

// Catch-all.
var msg1492 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([dup45, dup2218, dup2286, dup2287, dup2288, dup2289]),
});
// Login and management-session messages. The labels written here are fixed
// strings set by the parser; alerts for failed or permitted logins that key
// on event_description or result depend on these exact values.
// The dupNNN processors and match parts are defined elsewhere in this file.

// Login failed.
var all634 = all_match({
  processors: [dup569, dup570, dup571, dup572],
  on_success: processor_chain([
    dup573, dup574, dup2321, dup2335, dup2320, dup2314,
    dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Login failed") }),
  ]),
});

// Same leading chain as all634, but description and result are both filled
// from the shared value dup2401 (defined elsewhere).
var all635 = all_match({
  processors: [dup636, dup417],
  on_success: processor_chain([
    dup573, dup637, dup2321, dup2335, dup2320, dup2314,
    dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: dup2401 }),
    set_field({ dest: "nwparser.result", value: dup2401 }),
  ]),
});

// Same family as all635 (shares dup417 and dup573); no fixed label is set
// in this chain.
var all636 = all_match({
  processors: [dup638, dup417],
  on_success: processor_chain([
    dup573, dup639, dup2321, dup2335, dup2320, dup2314, dup2285,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Login permitted. Uses dup2316 where the failure chains use dup2314, and
// dup2312 where most chains use dup2287.
var all637 = all_match({
  processors: [dup185, dup186],
  on_success: processor_chain([
    dup141, dup187, dup2321, dup2335, dup2320, dup2316,
    dup2286, dup2312, dup2288, dup2289,
    set_field({ dest: "nwparser.result", value: constant("Login permitted") }),
  ]),
});

// Same family as all637 (shares dup186 and dup141); no fixed label is set.
var all638 = all_match({
  processors: [dup188, dup186],
  on_success: processor_chain([
    dup141, dup189, dup2321, dup2335, dup2320, dup2316, dup2285,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// PDM/ASDM management session started.
var all639 = all_match({
  processors: [dup139, dup140],
  on_success: processor_chain([
    dup141, dup142, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("PDM/ASDM session started") }),
  ]),
});

// PDM/ASDM management session ended; shares the head part dup139 with all639.
var all640 = all_match({
  processors: [dup139, dup775],
  on_success: processor_chain([
    dup579, dup776, dup2302, dup2334, dup2301,
    dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("PDM/ASDM session ended") }),
  ]),
});
// ASDM logging sessions, secondary-channel pre-allocation and local-host
// messages. The dupNNN processors are defined elsewhere in this file.

// ASDM logging session started.
// NOTE(review): the label "ASDM loggingsession started" is missing a space.
// It is reproduced unchanged because searches and rules may already depend
// on this exact string; fix it together with any consumers.
var msg1493 = match({
  dissect: {
    tokenizer: "ASDM logging session number %{sessionid} from %{hostip} started %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup166, dup1152, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("ASDM loggingsession started") }),
  ]),
});

// ASDM logging session ended; no fixed description is set in this chain.
var msg1494 = match({
  dissect: {
    tokenizer: "ASDM logging session number %{sessionid} from %{hostip} ended",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup430, dup1954, dup2286, dup2287, dup2288, dup2289]),
});

// SIP secondary channel pre-allocation: source has a port, destination does not.
var msg1495 = match({
  dissect: {
    tokenizer: "Pre-allocate SIP %{fld1} secondary channel for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr} from %{info} message",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup1413, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Skinny pre-allocation, form with a source port only.
var msg1496 = match({
  dissect: {
    tokenizer: "Pre-allocate Skinny %{fld1} secondary channel for %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr} from %{info} message",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup2270, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Skinny pre-allocation, form with a destination port only.
var msg1497 = match({
  dissect: {
    tokenizer: "Pre-allocate Skinny %{fld1} secondary channel for %{sinterface}:%{saddr} to %{dinterface}:%{daddr}/%{dport} from %{info} message",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup2271, dup2313, dup2302, dup2316, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Payload: "Built local-host <interface>:<hostip>". dup2288/dup2289 run
// before dup2286/dup2287 here, as in the original.
var msg1498 = match({
  dissect: {
    tokenizer: "Built local-host %{interface}:%{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup404, dup2288, dup2289, dup2286, dup2287]),
});

// Match parts and chain entries are all defined elsewhere; dup2352 runs last.
var all641 = all_match({
  processors: [dup1405, dup1406, dup1407],
  on_success: processor_chain([
    dup33, dup1408, dup2302, dup2313, dup2316, dup2285,
    dup2288, dup2289, dup2286, dup2287, dup2352,
  ]),
});
// Daemon packet denials and user login/logout messages. The dupNNN
// processors are defined elsewhere in this file; chain order is preserved.

// A daemon dropped a packet; the sender is captured as `hostip`.
var msg1499 = match({
  dissect: {
    tokenizer: "%{service} daemon interface %{interface}: Packet denied from %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup1153, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Packet denied") }),
  ]),
});

// A daemon rejected a packet for failed authentication; here the sender is
// captured as `saddr` (msg1499 above uses `hostip` for the same position).
var msg1500 = match({
  dissect: {
    tokenizer: "%{service} daemon interface %{interface}: Authentication failed for packet from %{saddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup183, dup2001, dup2320, dup2314, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("Authentication failed") }),
  ]),
});

var all642 = all_match({
  processors: [dup1930, dup570, dup1931],
  on_success: processor_chain([
    dup89, dup1932, dup2325, dup2314, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// all643 and all644 differ only in their first match part and second chain
// processor; both end with dup2402.
var all643 = all_match({
  processors: [dup1660, dup4],
  on_success: processor_chain([
    dup141, dup1661, dup2340, dup2320, dup2321, dup2335, dup2316,
    dup2286, dup2287, dup2288, dup2289, dup2402,
  ]),
});

var all644 = all_match({
  processors: [dup1662, dup4],
  on_success: processor_chain([
    dup141, dup1663, dup2340, dup2320, dup2321, dup2335, dup2316,
    dup2286, dup2287, dup2288, dup2289, dup2402,
  ]),
});

// Same shape as all643/all644, but with dup89 first, dup2314 instead of
// dup2316, and dup2403 last.
var all645 = all_match({
  processors: [dup1509, dup4],
  on_success: processor_chain([
    dup89, dup1510, dup2340, dup2320, dup2321, dup2335, dup2314,
    dup2286, dup2287, dup2288, dup2289, dup2403,
  ]),
});

// User logged out.
var all646 = all_match({
  processors: [dup954, dup4],
  on_success: processor_chain([
    dup955, dup956, dup2340, dup2321, dup2404,
    dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("User logged out") }),
  ]),
});

// Catch-all: the entire payload becomes event_description.
var msg1501 = match({
  dissect: { tokenizer: "%{event_description}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup430, dup1294, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// "VPNClient:" messages. A trailing %{} in a tokenizer matches the rest of
// the payload without storing it. The dupNNN processors are defined
// elsewhere in this file; chain order is preserved.

// NAT for Client Mode without split tunneling; the NAT address is captured
// as `stransaddr`. The %{space} key sits between "split" and "tunneling".
var msg1502 = match({
  dissect: {
    tokenizer: "VPNClient: NAT configured for Client Mode with no split %{space} tunneling: NAT addr: %{stransaddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup121, dup1017, dup2340, dup2286, dup2287, dup2288, dup2289, dup2405,
  ]),
});

// NAT exemption for Network Extension Mode without split tunneling.
var msg1503 = match({
  dissect: {
    tokenizer: "VPNClient: NAT exemption configured for Network Extension Mode with no split tunneling%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup121, dup2176, dup2340, dup2286, dup2287, dup2288, dup2289, dup2406,
  ]),
});

// NAT for Client Mode with split tunneling. The tokenizer ends at the
// literal "Split Tunnel Networks:" and captures nothing after it.
var msg1504 = match({
  dissect: {
    tokenizer: "VPNClient: NAT configured for Client Mode with split tunneling: NAT addr: %{stransaddr} Split Tunnel Networks:",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup121, dup122, dup2340, dup2286, dup2287, dup2288, dup2289, dup2405,
  ]),
});

// NAT exemption for Network Extension Mode with split tunneling; the
// network list after the colon is matched but not stored.
var msg1505 = match({
  dissect: {
    tokenizer: "VPNClient: NAT exemption configured for Network Extension Mode with split tunneling: Split Tunnel Networks:%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup121, dup1305, dup2340, dup2286, dup2287, dup2288, dup2289, dup2406,
  ]),
});

// DHCP policy installed; the policy text is matched but not stored.
var msg1506 = match({
  dissect: {
    tokenizer: "VPNClient: DHCP Policy installed:%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup121, dup1089, dup2340, dup2286, dup2287, dup2288, dup2289, dup2407,
  ]),
});

// Perfect Forward Secrecy policy installed.
var msg1507 = match({
  dissect: {
    tokenizer: "VPNClient: Perfect Forward Secrecy Policy installed%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup121, dup2214, dup2340, dup2286, dup2287, dup2288, dup2289, dup2407,
  ]),
});

// Head-end address announcement.
var msg1508 = match({
  dissect: {
    tokenizer: "VPNClient: Head end : %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup357, dup1571, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Split DNS policy installed; the domain list is matched but not stored.
var msg1509 = match({
  dissect: {
    tokenizer: "VPNClient: Split DNS Policy installed: List of domains:%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup357, dup1123, dup2340, dup2286, dup2287, dup2288, dup2289, dup2407,
  ]),
});

// Disconnect from the head end and removal of the downloaded policy.
var msg1510 = match({
  dissect: {
    tokenizer: "VPNClient: Disconnecting from head end and uninstalling previously downloaded policy: Head End : %{hostip}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup483, dup1396, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("head end disconnect") }),
  ]),
});

// XAUTH succeeded for a peer. The success label capitalises "Succeeded"
// while the failure label below uses lowercase "failed"; exact-match
// searches must use each string as written.
var msg1511 = match({
  dissect: {
    tokenizer: "VPNClient: XAUTH Succeeded: Peer: %{saddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup532, dup718, dup2340, dup2320, dup2316, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("XAUTH Succeeded") }),
  ]),
});

// XAUTH failed for a peer; uses dup2314 where the success chain uses dup2316.
var msg1512 = match({
  dissect: {
    tokenizer: "VPNClient: XAUTH Failed: Peer: %{saddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup891, dup892, dup2340, dup2320, dup2314, dup2286, dup2287, dup2288, dup2289,
    set_field({ dest: "nwparser.event_description", value: constant("XAUTH failed") }),
  ]),
});
var msg1513 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup29, | |
dup1496, | |
dup2340, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
var msg1514 = match({ | |
dissect: { | |
tokenizer: "%{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup378, | |
dup2192, | |
dup2340, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// msg1515-msg1525: single-capture patterns. Each tokenizer is just
// %{event_description} applied to nwparser.payload, so the pattern itself does
// not split out addresses, ports or user names for these messages; only the
// free text is kept. The dupN entries in every on_success list are defined
// outside this section, so their effect is not described here.
var msg1515 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup1503, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1516 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup1430, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// msg1517-msg1522 alternate between two chain shapes: dup685 ... dup2296 and
// dup232 ... dup2295. Only the second entry differs within each shape.
var msg1517 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup685, dup1195, dup2340, dup2296, dup2290,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1518 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup232, dup543, dup2340, dup2295, dup2290,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1519 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup685, dup686, dup2340, dup2296, dup2290,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1520 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup232, dup233, dup2340, dup2295, dup2290,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1521 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup685, dup1139, dup2340, dup2296, dup2290,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1522 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup232, dup1461, dup2340, dup2295, dup2290,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1523 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup220, dup237, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1524 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup378, dup1514, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Unlike its neighbours, this chain has no dup2340 entry.
var msg1525 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup18, dup1911, dup2292, dup2290, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// all647, msg1526-msg1535. The helpers (match, all_match, processor_chain) and
// every dupN entry are defined outside this section; the comments below only
// describe what the tokenizer strings themselves capture.

// Multi-part matcher built from three shared processors.
var all647 = all_match({
  processors: [dup1850, dup4, dup1851],
  on_success: processor_chain([
    dup93, dup1852, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Auto Update contact failure: captures the contacted URL and the reason text.
var msg1526 = match({
  dissect: {
    tokenizer: "Auto Update failed to contact:%{url}, reason:%{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup489, dup1083, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// msg1527, msg1528: the whole payload is kept as event_description.
var msg1527 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup243, dup1016, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1528 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup837, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Area change: the host address goes to hostip, the old and new area values
// land in the generic fld1 and fld2 keys.
var msg1529 = match({
  dissect: {
    tokenizer: "%{hostip} changed from area %{fld1} to area %{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup18, dup143, dup2290, dup2292, dup2291, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// msg1530-msg1533: the whole payload is kept as event_description.
var msg1530 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41, dup2278, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1531 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41, dup2193, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1532 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1470, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1533 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// MGCP pre-allocation: captures both interfaces, both addresses and the
// destination port. No source port appears in the pattern.
var msg1534 = match({
  dissect: {
    tokenizer: "Pre-allocate MGCP %{fld1} connection for %{sinterface}:%{saddr} to %{dinterface}:%{daddr}/%{dport} from %{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup419, dup2285, dup2286, dup2287, dup2288, dup2289, dup2408,
  ]),
});

var msg1535 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup420, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// msg1536-msg1544, all648-all650: GTP, CTIQBE and route-tracking messages.
// dupN entries and the helper functions are defined outside this section.
// Entry order inside each list is kept exactly as in the original, since the
// chain presumably runs its processors in sequence.

// Rejected GTP version: full source/destination tuple plus a fixed result.
var msg1536 = match({
  dissect: {
    tokenizer: "GTPv version %{fld1} from %{sinterface}:%{saddr}/%{sport} not accepted by %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup489, dup1701, dup2313, dup2302, dup2316, dup2286, dup2287,
    set_field({
      dest: "nwparser.result",
      value: constant("GTP version not accepted"),
    }),
    dup2288, dup2289,
  ]),
});

var all648 = all_match({
  processors: [dup190, dup191, dup192],
  on_success: processor_chain([
    dup193, dup194, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// PDP context removal: TID, GGSN and SGSN go to fld1-fld3, the reason text to
// event_description.
var msg1537 = match({
  dissect: {
    tokenizer: "Removing v1 PDP Context with TID %{fld1} from GGSN %{fld2} and SGSN %{fld3}, Reason: %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup195, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// msg1538, msg1539: the pattern has no event_description capture, so a fixed
// description is written as the last step of the chain.
var msg1538 = match({
  dissect: {
    tokenizer: "GTP Tunnel created from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup357, dup1288, dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("GTP tunnel created"),
    }),
  ]),
});

var msg1539 = match({
  dissect: {
    tokenizer: "GTP connection created for response from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup838, dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("GTP connection created"),
    }),
  ]),
});

// Seven-part matcher; all parts are shared processors from outside this view.
var all649 = all_match({
  processors: [
    dup2203, dup2204, dup2205, dup1916, dup1917, dup1918, dup2206,
  ],
  on_success: processor_chain([
    dup33, dup2207, dup2313, dup2302, dup2316, dup2285,
    dup2286, dup2287, dup2288, dup2289, dup2408,
  ]),
});

var msg1540 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup2208, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Unsupported CTIQBE version: version string in fld1 plus the full tuple.
var msg1541 = match({
  dissect: {
    tokenizer: "Unsupported CTIQBE version: %{fld1}: from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup229, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1542 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup230, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// One fixed description covers both cases named in the constant, so the
// description alone does not say whether a route was added or removed.
var all650 = all_match({
  processors: [dup318, dup319],
  on_success: processor_chain([
    dup14, dup320, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Adding/Removing tracked route on interface"),
    }),
  ]),
});

var msg1543 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1821, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1544 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup544, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// all651-all662: multi-part matchers that come in pairs. Both members of a
// pair share their first two processors and differ in the third; the first
// member of each pair also lists dup2285 in on_success, the second does not.
// All dupN entries are defined outside this section. The relative order of
// dup2286/dup2287, dup2288/dup2289 and the final dup24xx entry is not the same
// in every statement and is reproduced exactly as written.
var all651 = all_match({
  processors: [dup518, dup519, dup520],
  on_success: processor_chain([
    dup33, dup521, dup2340, dup2285,
    dup2288, dup2289, dup2286, dup2287, dup2409,
  ]),
});

var all652 = all_match({
  processors: [dup518, dup519, dup522],
  on_success: processor_chain([
    dup33, dup523, dup2340,
    dup2288, dup2289, dup2286, dup2287, dup2409,
  ]),
});

var all653 = all_match({
  processors: [dup518, dup519, dup1236],
  on_success: processor_chain([
    dup33, dup1237, dup2340, dup2285,
    dup2288, dup2289, dup2286, dup2287, dup2410,
  ]),
});

var all654 = all_match({
  processors: [dup518, dup519, dup1238],
  on_success: processor_chain([
    dup33, dup1239, dup2340,
    dup2288, dup2289, dup2286, dup2287, dup2410,
  ]),
});

var all655 = all_match({
  processors: [dup947, dup948, dup949],
  on_success: processor_chain([
    dup55, dup950, dup2340, dup2285,
    dup2288, dup2289, dup2286, dup2287, dup2411,
  ]),
});

var all656 = all_match({
  processors: [dup947, dup948, dup951],
  on_success: processor_chain([
    dup55, dup952, dup2340,
    dup2288, dup2289, dup2286, dup2287, dup2411,
  ]),
});

var all657 = all_match({
  processors: [dup518, dup786, dup655],
  on_success: processor_chain([
    dup55, dup900, dup2340, dup2285,
    dup2288, dup2289, dup2286, dup2287, dup2412,
  ]),
});

var all658 = all_match({
  processors: [dup518, dup786, dup653],
  on_success: processor_chain([
    dup55, dup901, dup2340,
    dup2288, dup2289, dup2286, dup2287, dup2412,
  ]),
});

var all659 = all_match({
  processors: [dup785, dup786, dup655],
  on_success: processor_chain([
    dup55, dup787, dup2340, dup2285,
    dup2288, dup2289, dup2286, dup2287, dup2412,
  ]),
});

var all660 = all_match({
  processors: [dup785, dup786, dup653],
  on_success: processor_chain([
    dup55, dup788, dup2340,
    dup2288, dup2289, dup2286, dup2287, dup2412,
  ]),
});

var all661 = all_match({
  processors: [dup1140, dup1141, dup1142],
  on_success: processor_chain([
    dup327, dup1143, dup2340, dup2285,
    dup2288, dup2289, dup2286, dup2287, dup2413,
  ]),
});

// Here dup2413 comes before dup2288/dup2289, unlike all661 where it is last.
var all662 = all_match({
  processors: [dup1140, dup1141, dup1144],
  on_success: processor_chain([
    dup327, dup1145, dup2340,
    dup2286, dup2287, dup2413, dup2288, dup2289,
  ]),
});
// ISAKMP duplicate-packet messages. The address after "local" is stored as
// saddr when the message says "(initiator)" (msg1545) and as daddr when it
// says "(responder)" (msg1546); the "remote" address takes the other key.
// NOTE(review): both patterns open a parenthesis at "(local" and never close
// it, so a trailing ")" in the log line would presumably end up inside fld1
// together with the message-ID. Confirm against sample messages before
// relying on fld1.
var msg1545 = match({
  dissect: {
    tokenizer: "ISAKMP duplicate packet detected (local %{saddr} (initiator), remote %{daddr}, message-ID %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup489, dup697, dup2340,
    dup2288, dup2289, dup2286, dup2287, dup2414,
  ]),
});

// Same as msg1545 with the address keys swapped; this chain also lists dup2285.
var msg1546 = match({
  dissect: {
    tokenizer: "ISAKMP duplicate packet detected (local %{daddr} (responder), remote %{saddr}, message-ID %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup489, dup698, dup2340, dup2285,
    dup2288, dup2289, dup2286, dup2287, dup2414,
  ]),
});
// all663-all672: paired multi-part matchers. Within a pair the first two
// processors are the same and the third differs; the first member of each
// pair also lists dup2285 in on_success. Every dupN entry is defined outside
// this section. Entry order is reproduced exactly (all663 places
// dup2288/dup2289 ahead of dup2286/dup2287, the others do not).
var all663 = all_match({
  processors: [dup1471, dup824, dup655],
  on_success: processor_chain([
    dup33, dup1579, dup2340, dup2285,
    dup2288, dup2289, dup2286, dup2287, dup2415,
  ]),
});

var all664 = all_match({
  processors: [dup1471, dup824, dup653],
  on_success: processor_chain([
    dup33, dup1580, dup2340,
    dup2286, dup2287, dup2415, dup2288, dup2289,
  ]),
});

var all665 = all_match({
  processors: [dup823, dup824, dup655],
  on_success: processor_chain([
    dup33, dup825, dup2340, dup2285,
    dup2286, dup2287, dup2415, dup2288, dup2289,
  ]),
});

var all666 = all_match({
  processors: [dup823, dup824, dup653],
  on_success: processor_chain([
    dup33, dup826, dup2340,
    dup2286, dup2287, dup2415, dup2288, dup2289,
  ]),
});

var all667 = all_match({
  processors: [dup1471, dup1472, dup1473],
  on_success: processor_chain([
    dup33, dup1474, dup2340, dup2285,
    dup2286, dup2287, dup2416, dup2288, dup2289,
  ]),
});

var all668 = all_match({
  processors: [dup1471, dup1472, dup1475],
  on_success: processor_chain([
    dup33, dup1476, dup2340,
    dup2286, dup2287, dup2416, dup2288, dup2289,
  ]),
});

var all669 = all_match({
  processors: [dup823, dup1472, dup1473],
  on_success: processor_chain([
    dup33, dup2104, dup2340, dup2285,
    dup2286, dup2287, dup2416, dup2288, dup2289,
  ]),
});

var all670 = all_match({
  processors: [dup823, dup1472, dup1475],
  on_success: processor_chain([
    dup33, dup2105, dup2340,
    dup2286, dup2287, dup2416, dup2288, dup2289,
  ]),
});

// all671, all672 additionally run dup2343, dup2344 and dup2292.
var all671 = all_match({
  processors: [dup518, dup1107, dup1108],
  on_success: processor_chain([
    dup33, dup1109, dup2340, dup2343, dup2344, dup2292, dup2285,
    dup2286, dup2287, dup2417, dup2288, dup2289,
  ]),
});

var all672 = all_match({
  processors: [dup518, dup1107, dup1110],
  on_success: processor_chain([
    dup33, dup1111, dup2340, dup2343, dup2344, dup2292,
    dup2286, dup2287, dup2417, dup2288, dup2289,
  ]),
});
// msg1547-msg1559, all673. Every match() here uses the single capture
// %{event_description} on nwparser.payload, so the pattern extracts no
// structured fields; anything more specific has to come from the dupN
// processors, which are defined outside this section.
var msg1547 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1, dup719, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1548 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1, dup1357, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1549 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup1877, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var all673 = all_match({
  processors: [dup1983, dup208, dup209],
  on_success: processor_chain([
    dup14, dup1984, dup2340, dup2343, dup2344, dup2292,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// msg1550-msg1553: chains without dup2340.
var msg1550 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup489, dup1188, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1551 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup1686, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1552 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup2251, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1553 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1243, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// msg1554-msg1557 all start with dup131 and run dup2290, dup2291; msg1555 and
// msg1557 add dup2316.
var msg1554 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup2215, dup2290, dup2291,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1555 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup1944, dup2290, dup2291, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1556 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup1902, dup2290, dup2291,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1557 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup295, dup2290, dup2291, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// msg1558, msg1559: a fixed nwparser.result string is written between
// dup2287 and dup2288; the free text still goes to event_description.
var msg1558 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup47, dup1759, dup2290, dup2291, dup2314, dup2286, dup2287,
    set_field({
      dest: "nwparser.result",
      value: constant("Configuration replication failure"),
    }),
    dup2288, dup2289,
  ]),
});

var msg1559 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup268, dup1897, dup2286, dup2287,
    set_field({
      dest: "nwparser.result",
      value: constant("Configuration may be out of sync"),
    }),
    dup2288, dup2289,
  ]),
});
// msg1560-msg1566, all674: access request / permit / deny / discard messages
// and NAT-T keepalives. dupN entries are defined outside this section.
// NOTE(review): the outcome is not recorded in one place. "access requested"
// and "access permitted" are written to nwparser.result, while "access denied"
// and "connection limit exceeded" are written to nwparser.event_description.
// A search on the result field alone may therefore miss the denials unless
// one of the dupN processors also sets it - confirm before building alerts on
// either field.
// NOTE(review): the text after the final "/" is captured as service in
// msg1560, msg1563 and msg1564 but as dport in msg1562 and msg1566.

var msg1560 = match({
  dissect: {
    tokenizer: "%{protocol} access requested from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{service}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup702, dup2313, dup2302,
    set_field({
      dest: "nwparser.ec_activity",
      value: constant("Request"),
    }),
    dup2286, dup2287, dup2288, dup2289, dup2303,
    set_field({
      dest: "nwparser.result",
      value: constant("access requested"),
    }),
  ]),
});

// Sub-pattern applied to nwparser.p1 and used only as the last part of all674.
// NOTE(review): the key service appears twice with no literal text between the
// two captures. How the dissect helper divides the input in that case cannot
// be determined from this section; verify that service ends up holding the
// expected value.
var msg1561 = match({
  dissect: {
    tokenizer: "%{service}%{service}",
    field: "nwparser.p1",
  },
});

// This chain uses dup2312 where the neighbouring chains use dup2287.
var all674 = all_match({
  processors: [dup2184, dup2185, msg1561],
  on_success: processor_chain([
    dup288, dup2186, dup2313, dup2302, dup2324,
    dup2286, dup2312, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("access permitted"),
    }),
  ]),
});

var msg1562 = match({
  dissect: {
    tokenizer: "%{protocol} access denied by ACL from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup349, dup1966, dup2313, dup2302, dup2300,
    dup2286, dup2287, dup2288, dup2289, dup2303,
    set_field({
      dest: "nwparser.event_description",
      value: constant("access denied"),
    }),
  ]),
});

var msg1563 = match({
  dissect: {
    tokenizer: "%{protocol} connection limit exceeded from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{service}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1866, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("connection limit exceeded"),
    }),
  ]),
});

// msg1564 (with ports) and msg1565 (addresses only) share the same chain
// except for the second entry and dup2312 versus dup2287.
var msg1564 = match({
  dissect: {
    tokenizer: "%{protocol} request discarded from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{service}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup990, dup2313, dup2302, dup2300,
    dup2286, dup2312, dup2288, dup2289, dup2303, dup2418,
  ]),
});

var msg1565 = match({
  dissect: {
    tokenizer: "%{protocol} request discarded from %{saddr} to %{dinterface}:%{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup505, dup2313, dup2302, dup2300,
    dup2286, dup2287, dup2288, dup2289, dup2303, dup2418,
  ]),
});

var msg1566 = match({
  dissect: {
    tokenizer: "NAT-T keepalive received from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup843, dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("NAT-T keepalive received"),
    }),
  ]),
});
// msg1567-msg1571, all675, all676. dupN entries are defined outside this
// section.
// NOTE(review): the value after "IP = " is stored as daddr in msg1569 and
// msg1570 but as saddr in msg1571. Unless a later processor remaps it, queries
// keyed on the source address will not see the address from the first two
// patterns - confirm that the direction is intended.

var msg1567 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup51, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1568 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup47, dup1295, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// all_match with a single processor.
var all675 = all_match({
  processors: [dup1742],
  on_success: processor_chain([
    dup1743, dup1744, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1569 = match({
  dissect: {
    tokenizer: "IP = %{daddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1702, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// The "Group = " value is stored under host here.
var msg1570 = match({
  dissect: {
    tokenizer: "Group = %{host}, IP = %{daddr}, Unknown identification type, Phase %{fld1}, Type %{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1751, dup1752, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1571 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{event_description} payload: %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup261, dup943, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var all676 = all_match({
  processors: [dup31, dup973],
  on_success: processor_chain([
    dup33, dup974, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// all677-all681, msg1572-msg1575: "Group = ..., IP = ..." messages. Each
// all_match is followed by a plain match() whose chain adds dup2285. dupN
// entries are defined outside this section.
// NOTE(review): group, action and info are taken from the message text;
// presumably some of that text originates from the remote peer, so treat the
// values as untrusted when they are displayed or used in queries.

var all677 = all_match({
  processors: [dup12, dup4, dup704],
  on_success: processor_chain([
    dup33, dup705, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1572 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{action}:%{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup706, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// all678 and all679 list the same three processors; only the second
// on_success entry differs (dup401 versus dup671).
var all678 = all_match({
  processors: [dup12, dup4, dup400],
  on_success: processor_chain([
    dup33, dup401, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// msg1573 and msg1574 use the same tokenizer, which expects a space before
// the comma after the address (" , "), unlike msg1572.
var msg1573 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr} , %{action}:%{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup402, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var all679 = all_match({
  processors: [dup12, dup4, dup400],
  on_success: processor_chain([
    dup33, dup671, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1574 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr} , %{action}:%{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup672, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var all680 = all_match({
  processors: [dup144, dup145, dup146, dup147, dup148, dup149],
  on_success: processor_chain([
    dup33, dup150, dup2340, dup2343, dup2344, dup2292,
    dup2286, dup2287, dup2288, dup2289, dup2419,
  ]),
});

var all681 = all_match({
  processors: [dup151, dup152, dup153],
  on_success: processor_chain([
    dup33, dup154, dup2340, dup2343, dup2344, dup2292, dup2285,
    dup2286, dup2287, dup2288, dup2289, dup2419,
  ]),
});

// IKE initiator policy lookup failure: interface plus both addresses.
var msg1575 = match({
  dissect: {
    tokenizer: "IKE Initiator unable to find policy: Intf %{interface}, Src: %{saddr}, Dst: %{daddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1296, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});
// all682-all687: multi-part matchers whose parts are all shared processors
// defined outside this section, so the message text they match is not visible
// here. Where the chain ends in set_field, the fixed string is the only
// description visible for the event.

var all682 = all_match({
  processors: [dup99, dup1549],
  on_success: processor_chain([
    dup55, dup1550, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Error processing payload"),
    }),
  ]),
});

var all683 = all_match({
  processors: [dup421, dup1687, dup1688, dup1689, dup1690, dup1691],
  on_success: processor_chain([
    dup10, dup1692, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Security negotiation complete"),
    }),
  ]),
});

var all684 = all_match({
  processors: [dup421, dup422],
  on_success: processor_chain([
    dup68, dup423, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Marked with the fixed description "User authenticated"; the chain also runs
// dup2320, dup2321, dup2335 and dup2316, whose effect is not visible here.
var all685 = all_match({
  processors: [dup12, dup4, dup1283],
  on_success: processor_chain([
    dup85, dup1284, dup2340, dup2320, dup2321, dup2335, dup2316,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("User authenticated"),
    }),
  ]),
});

// all686 and all687 list identical processors; only the second on_success
// entry differs (dup15 versus dup524).
var all686 = all_match({
  processors: [dup12, dup4, dup13],
  on_success: processor_chain([
    dup14, dup15, dup2340, dup2286, dup2287, dup2288, dup2289, dup2420,
  ]),
});

var all687 = all_match({
  processors: [dup12, dup4, dup13],
  on_success: processor_chain([
    dup14, dup524, dup2340, dup2286, dup2287, dup2288, dup2289, dup2420,
  ]),
});
// msg1576-msg1579, all688-all690: IKE / crypto-map messages keyed on
// "Group = ..., IP = ...". dupN entries are defined outside this section.

// Sets a fixed result in addition to the captured action and info text.
var msg1576 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr} , %{action}:%{info} on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup61, dup1538, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("no matching crypto map entry"),
    }),
  ]),
});

var all688 = all_match({
  processors: [dup12, dup4, dup1455],
  on_success: processor_chain([
    dup33, dup1456, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// The crypto map name is kept in the generic fld1 key.
var msg1577 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, IKE Remote Peer configured for crypto map: %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup1457, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var all689 = all_match({
  processors: [dup664, dup1588, dup1589, dup1590, dup1591, dup1592],
  on_success: processor_chain([
    dup93, dup1593, dup2340, dup2421, dup2422,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received non-routine Notify message"),
    }),
  ]),
});

// Password-related event: ec_theme is set to "Password".
// NOTE(review): the event_description constant ends with "user " and a
// trailing space, with no user name and no outcome. It looks like a truncated
// template; confirm what the description should say, since this is the only
// description visible for the event.
var all690 = all_match({
  processors: [dup12, dup4, dup1798],
  on_success: processor_chain([
    dup1799, dup1800, dup2340, dup2321,
    set_field({
      dest: "nwparser.ec_theme",
      value: constant("Password"),
    }),
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Password for user "),
    }),
  ]),
});

// Rekeying duration change: old and new durations go to fld1 and fld2.
var msg1578 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Responder forcing change of %{ike} rekeying duration from %{fld1} to %{fld2} seconds",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup341, dup342, dup2340, dup2286, dup2287, dup2288, dup2289, dup2423,
  ]),
});

// More general form of the same prefix: everything after the address is kept
// as event_description.
var msg1579 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup341, dup777, dup2340, dup2286, dup2287, dup2288, dup2289, dup2423,
  ]),
});
// all691-all693, msg1580-msg1583, select184. dupN entries and the helpers
// (match, all_match, linear_select, processor_chain) are defined outside this
// section.

var all691 = all_match({
  processors: [dup12, dup4, dup213, dup214],
  on_success: processor_chain([
    dup215, dup216, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var all692 = all_match({
  processors: [dup217, dup218],
  on_success: processor_chain([
    dup215, dup219, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
  ]),
});

// msg1580 and msg1581 are sub-patterns over nwparser.p1 with no on_success
// chain of their own. Both leave the remainder of the text in p2. The more
// specific pattern is listed first in select184; presumably linear_select
// tries its entries in order, so the order is preserved.
var msg1580 = match({
  dissect: {
    tokenizer: "%{event_description} from %{fld1} to %{fld2} kbs %{p2}",
    field: "nwparser.p1",
  },
});

var msg1581 = match({
  dissect: {
    tokenizer: "%{event_description} %{p2}",
    field: "nwparser.p1",
  },
});

var select184 = linear_select([msg1580, msg1581]);

var all693 = all_match({
  processors: [dup778, dup779, select184],
  on_success: processor_chain([
    dup215, dup780, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1582 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup369, dup1864, dup2340, dup2343, dup2344, dup2292, dup2314,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1583 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1, dup1745, dup2340, dup2286, dup2287, dup2288, dup2289,
  ]),
});
var msg1584 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, IP address request attempt failed!", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup1, | |
dup763, | |
dup2340, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("IP address request attempt failed"), | |
}), | |
]), | |
}); | |
var all694 = all_match({ | |
processors: [ | |
dup1184, | |
dup1185, | |
], | |
on_success: processor_chain([ | |
dup93, | |
dup1186, | |
dup2340, | |
dup2288, | |
dup2289, | |
dup2286, | |
dup2287, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Received Invalid SPI notify"), | |
}), | |
]), | |
}); | |
var msg1585 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1853, | |
dup2340, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
]), | |
}); | |
// The dupN entries are shared processors defined elsewhere in this file.

// Second stage for all695, reading nwparser.p0.
// NOTE(review): the pattern ends with the same key twice and no delimiter
// between them ("%{event_description}%{event_description}"). This looks like a
// generator artefact; confirm how the dissect implementation treats adjacent
// keys and whether messages routed here are actually parsed.
var msg1586 = match({
  dissect: {
    tokenizer: "%{saddr}, %{event_description}%{event_description}",
    field: "nwparser.p0",
  },
});

var all695 = all_match({
  processors: [dup1693, msg1586],
  on_success: processor_chain([dup33, dup1694, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Generic "IP + free text" layout over nwparser.payload.
var msg1587 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup17, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Keep-alive capability mismatch; fld1 and fld2 hold the configured setting
// and the reported type as they appear in the message.
var msg1588 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, Keep-alives configured %{fld1} but peer does not support keep-alives (type = %{fld2})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1, dup492, dup2340, dup2286, dup2287, dup2288, dup2289]),
});
// Matchers over nwparser.payload. The dupN entries are shared processors
// defined elsewhere in this file.

// "IKE lost contact with remote peer": variant that includes a Username.
var msg1589 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, IKE lost contact with remote peer, deleting connection (keepalive type: %{fld1})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup483, dup699, dup2340, dup2286, dup2287, dup2288, dup2289, dup2424]),
});

// Same event without the Username field; differs from msg1589 only in the
// pattern and in the second chain entry.
var msg1590 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, IKE lost contact with remote peer, deleting connection (keepalive type: %{fld1})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup483, dup700, dup2340, dup2286, dup2287, dup2288, dup2289, dup2424]),
});

// DPD R_U_THERE receipt; the sequence number lands in fld1 and the
// description is a constant.
var msg1591 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Received DPD sequence number %{fld1} in R_U_THERE",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1, dup1985, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received DPD sequence number"),
    }),
  ]),
});

// Xauth required but not supported by the selected proposal; the trailing
// text after the comma is kept in fld1.
var msg1592 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Xauth required but selected Proposal does not support xauth, %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup378, dup435, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Xauth required but selected Proposal does not support xauth"),
    }),
  ]),
});

// Generic "Group/IP + free text" layout.
var msg1593 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup390, dup2340, dup2286, dup2287, dup2288, dup2289, dup2425]),
});

// Catch-all: the whole payload becomes event_description. Because it accepts
// any text, it carries no structure beyond what the chain adds.
var msg1594 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup49, dup391, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289, dup2425]),
});

// "<action> payload type: <fld1>" layout.
var msg1595 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{action} payload type: %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1, dup1768, dup2340, dup2286, dup2287, dup2288, dup2289]),
});
// The dupN entries are shared processors defined elsewhere in this file.

// all696, all697 and all698 use the same three stages (dup12, dup4, dup829)
// and differ only in the first two entries of the success chain.
var all696 = all_match({
  processors: [dup12, dup4, dup829],
  on_success: processor_chain([dup55, dup1002, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var all697 = all_match({
  processors: [dup12, dup4, dup829],
  on_success: processor_chain([dup55, dup830, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Unknown transaction-mode attribute; the attribute text is captured in
// change_attribute and the description is a constant.
var msg1596 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Received unknown transaction mode attribute: %{change_attribute}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1, dup831, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received unknown transaction mode attribute"),
    }),
  ]),
});

var all698 = all_match({
  processors: [dup12, dup4, dup829],
  on_success: processor_chain([dup14, dup1369, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var all699 = all_match({
  processors: [dup12, dup4, dup1064],
  on_success: processor_chain([
    dup316, dup1065, dup2340, dup2290, dup2291, dup2314,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// "Mismatch: <result>"; the detail stays in result while the description is
// normalised to a constant.
var msg1597 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Mismatch: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup378, dup1664, dup2340, dup2290, dup2291, dup2314,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("algorithm mismatch"),
    }),
  ]),
});
// The dupN entries are shared processors defined elsewhere in this file.

// Second stage for all700, reading nwparser.p0.
// NOTE(review): the pattern ends in "]]" (two closing brackets). If the device
// emits a single "]" this stage never matches; check against a sample message
// before relying on events parsed through all700.
var msg1598 = match({
  dissect: {
    tokenizer: "%{saddr}, %{action} [%{fld1}]]",
    field: "nwparser.p0",
  },
});

var all700 = all_match({
  processors: [dup1442, msg1598],
  on_success: processor_chain([dup55, dup1443, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var all701 = all_match({
  processors: [dup12, dup4, dup1207],
  on_success: processor_chain([dup1019, dup1208, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// SA deletion with reference and tunnel counters (fld1, fld2).
var msg1599 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{action} refCnt [%{fld1}] and tunnelCnt [%{fld2}] -- deleting SA!",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup1209, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289]),
});

// msg1600 and msg1601 share one tokenizer and differ only in the first two
// chain entries; which one handles a message is decided outside this section.
var msg1600 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{event_description}: %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1010, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var msg1601 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{event_description}: %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1682, dup2340, dup2286, dup2287, dup2288, dup2289]),
});
// Matchers over nwparser.payload that all start their success chain with
// dup29. The dupN entries are shared processors defined elsewhere in this file.
//
// NOTE(review): username and group are taken verbatim from the log line and
// presumably come from the connecting client; anything that renders or
// correlates on them should treat them as untrusted text.

// Hardware client in network extension mode; the tail goes to result.
var msg1602 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, Detected Hardware Client in network extension mode, %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1991, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Detected Hardware Client in network extension mode"),
    }),
  ]),
});

// "<result>, <info>" after the identity prefix.
var msg1603 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, %{result}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1912, dup2340, dup2286, dup2287, dup2288, dup2289, dup2426]),
});

// Security attribute enabled without being requested; the attribute name is
// captured in change_attribute.
var msg1604 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, Hardware client security attribute %{change_attribute} was enabled but not requested",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup879, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Hardware client security attribute was enabled but not requested"),
    }),
  ]),
});

// The next three cover the same "free text in info" message with different
// identity prefixes: Group+Username+IP, Group+IP, Username+IP.
var msg1605 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup37, dup2340, dup2286, dup2287, dup2288, dup2289, dup2426]),
});

var msg1606 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup38, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289, dup2426]),
});

var msg1607 = match({
  dissect: {
    tokenizer: "Username = %{username}, IP = %{saddr}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup39, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289, dup2426]),
});
// The dupN entries are shared processors defined elsewhere in this file.

// all702 and msg1608 end their chains with the same entries
// (dup2321, dup2320, dup2314, ..., dup2427).
var all702 = all_match({
  processors: [dup12, dup4, dup1801],
  on_success: processor_chain([
    dup81, dup1802, dup2340, dup2321, dup2320, dup2314,
    dup2286, dup2287, dup2288, dup2289, dup2427,
  ]),
});

// Failed user authentication by the remote peer. This is the kind of event
// authentication-failure alerting keys on; the reason text is kept in info.
var msg1608 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Remote peer has failed user authentication - %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup891, dup1803, dup2340, dup2321, dup2320, dup2314, dup2285,
    dup2286, dup2287, dup2288, dup2289, dup2427,
  ]),
});

// Delete received for a rekeyed SA. Note the constant description is the
// generic "delete message from remote peer" wording, not the matched text.
var msg1609 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, IKE Received delete for rekeyed SA %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup341, dup1084, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKE received delete message from remote peer"),
    }),
  ]),
});

// Delete received for a rekeyed centry; %{space} captures the token between
// "centry" and the info text.
var msg1610 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, IKE Received delete for rekeyed centry %{space} %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup707, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKE received delete for rekeyed centry"),
    }),
  ]),
});
// The dupN entries are shared processors defined elsewhere in this file, so
// what each all_match stage parses is not visible from this section.

var all703 = all_match({
  processors: [dup1335, dup1336],
  on_success: processor_chain([dup33, dup1337, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var all704 = all_match({
  processors: [dup12, dup4, dup1804],
  on_success: processor_chain([dup14, dup1805, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Client type and application version as reported in the message.
// NOTE(review): presumably self-reported by the client, so useful for
// inventory but not as proof of what software actually connected.
var msg1611 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Client Type: %{product} Client Application Version: %{version}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1806, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289]),
});

// Packet with a missing payload; the expected payload name lands in fld1.
var msg1612 = match({
  dissect: {
    tokenizer: "Received packet with missing payload, Expected payload: %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup43, dup2106, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var all705 = all_match({
  processors: [dup1370, dup1371],
  on_success: processor_chain([dup68, dup1372, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// all706 and all707 run the same stages (dup324, dup322) and differ only in
// the first two chain entries.
var all706 = all_match({
  processors: [dup324, dup322],
  on_success: processor_chain([dup1019, dup1967, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var all707 = all_match({
  processors: [dup324, dup322],
  on_success: processor_chain([dup55, dup979, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var all708 = all_match({
  processors: [dup104, dup4, dup97],
  on_success: processor_chain([dup14, dup980, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289]),
});

// Generic "IP + free text" layout over nwparser.payload.
var msg1613 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup2187, dup2340, dup2286, dup2287, dup2288, dup2289]),
});
// The dupN entries are shared processors (and, for dup2428, a shared value)
// defined elsewhere in this file.

var all709 = all_match({
  processors: [dup12, dup4, dup526, dup527],
  on_success: processor_chain([
    dup528, dup529, dup2340, dup2380, dup2290,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Tunnel rejection; the reason is captured in result. The description value
// here is the shared dup2428 rather than an inline constant.
var msg1614 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Tunnel Rejected: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1572, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: dup2428,
    }),
  ]),
});

// Route added for a peer. The pattern has no space after the comma that
// follows %{saddr}, so info keeps any leading space from the message.
var msg1615 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr},%{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup398, dup1306, dup2340, dup2380, dup2290,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Adding static router for peer"),
    }),
  ]),
});

// Counterpart of msg1615 for route removal.
var all710 = all_match({
  processors: [dup99, dup436],
  on_success: processor_chain([
    dup437, dup438, dup2340, dup2333, dup2290,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Deleting static router for peer"),
    }),
  ]),
});

var msg1616 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup1840, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Client rule check: "allowed" (msg1617) and "NOT allowed" (msg1618).
// Both chains are identical except for dup1657 vs dup1658, so whether the
// outcome is recorded in the event depends on those two processors.
// NOTE(review): these patterns read "IP %{saddr}" with no "=", unlike the
// other patterns in this section; confirm against a sample message.
var msg1617 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP %{saddr}, Rule: %{fld1} Client: %{fld2} - allowed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1492, dup1657, dup2340, dup2286, dup2287, dup2288, dup2289, dup2429]),
});

var msg1618 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP %{saddr}, Rule: %{fld1} OS : %{fld3} Client: %{fld2} - NOT allowed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1492, dup1658, dup2340, dup2286, dup2287, dup2288, dup2289, dup2429]),
});
// The dupN entries are shared processors defined elsewhere in this file.

// Labelled "messages enqueued"; the parsing itself is in dup2032/dup2033.
var all711 = all_match({
  processors: [dup2032, dup2033],
  on_success: processor_chain([
    dup33, dup2034, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("messages enqueued"),
    }),
  ]),
});

// Fixed text, no free-form tail; description is a constant.
var msg1619 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, De-queuing KEY-ACQUIRE messages that were left pending",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16, dup1060, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("pending messages dequeued"),
    }),
  ]),
});

var msg1620 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup2122, dup2340, dup2286, dup2287, dup2288, dup2289, dup2430]),
});

// Three "Static Crypto Map check" outcomes: free-text result (msg1621),
// "no ACL configured" (msg1622) and "successful match" (msg1623).
// msg1623's pattern reads "map %{fld1}" without "=", unlike the other two.
var msg1621 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Static Crypto Map check, map = %{fld1}, seq = %{fld2}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup475, dup646, dup2340, dup2286, dup2287, dup2288, dup2289, dup2430]),
});

var msg1622 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Static Crypto Map check, map = %{fld1}, seq = %{fld2}, no ACL configured",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup378, dup1820, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Static Crypto Map check - no ACL configured"),
    }),
  ]),
});

var msg1623 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Static Crypto Map check, map %{fld1}, seq = %{fld2} is a successful match",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup1949, dup2340, dup2286, dup2287, dup2288, dup2289, dup2430]),
});

// "<action> for peer <fld1>. <fld2>" layout.
var msg1624 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{action} for peer %{fld1}. %{fld2}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup2262, dup2340, dup2286, dup2287, dup2288, dup2289]),
});
// The dupN entries are shared processors defined elsewhere in this file, so
// what each all_match stage parses is not visible from this section.

var all712 = all_match({
  processors: [dup12, dup4, dup1539],
  on_success: processor_chain([dup1540, dup1541, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Free text goes to info; the description is fixed to the update-string
// notification wording.
var msg1625 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1724, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Notification to client of update string"),
    }),
  ]),
});

// "Internal Error, <text>"; the text after the literal becomes the description.
var msg1626 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Internal Error, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1146, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var all713 = all_match({
  processors: [dup664, dup665, dup1854],
  on_success: processor_chain([dup1855, dup1856, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var all714 = all_match({
  processors: [dup12, dup4, dup1018],
  on_success: processor_chain([dup1019, dup1020, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// "<action>. <fld1>": action ends at the first ". " in the remaining text.
var msg1627 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{action}. %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup369, dup1021, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289]),
});

// Four-stage matcher labelled as an IKE_DECODE message.
var all715 = all_match({
  processors: [dup1992, dup1993, dup1994, dup1995],
  on_success: processor_chain([
    dup33, dup1996, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKE_DECODE Message"),
    }),
  ]),
});
// Negotiation-failure messages. The dupN entries are shared processors
// defined elsewhere in this file.

// DH key with unexpected length; both lengths are kept (observed_val,
// expected_val) so the mismatch can be inspected downstream.
var msg1628 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Received DH key with bad length: received length=%{observed_val} expected length=%{expected_val}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup52, dup2340, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received DH key with bad length"),
    }),
  ]),
});

// Labelled as an authentication-failure message; the parsing is done by
// dup12/dup4/dup1431.
var all716 = all_match({
  processors: [dup12, dup4, dup1431],
  on_success: processor_chain([
    dup1432, dup1433, dup2340, dup2421, dup2422, dup2320, dup2314,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received authentication failure message"),
    }),
  ]),
});

// Aggressive Mode message naming a tunnel group the device does not know.
// The group value here is whatever name was received, so repeated events
// with varying names from one source are worth alerting on.
// NOTE(review): the name is bounded by single quotes in the pattern; a name
// containing "'." would end the capture early -- treat group as untrusted.
var msg1629 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, Received %{protocol} Aggressive Mode message %{fld1} with unknown tunnel group name '%{group}'.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1444, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Attribute-type mismatch. Unlike its neighbours this one writes the constant
// to nwparser.result, not nwparser.event_description.
var msg1630 = match({
  dissect: {
    tokenizer: "Phase %{fld1} failure: Mismatched attribute types for class %{process}: Rcv'd: %{fld2} Cfg'd: %{fld3}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup392, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.result",
      value: constant("Mismatched attribute types for class"),
    }),
  ]),
});
// The dupN entries are shared processors defined elsewhere in this file.

// all717, all718 and all719 share the chain head dup579 and tail dup2431 and
// differ in their stages and in the second chain entry.
var all717 = all_match({
  processors: [dup12, dup4, dup578],
  on_success: processor_chain([dup579, dup580, dup2340, dup2286, dup2287, dup2288, dup2289, dup2431]),
});

var all718 = all_match({
  processors: [dup99, dup581],
  on_success: processor_chain([dup579, dup582, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289, dup2431]),
});

var all719 = all_match({
  processors: [dup104, dup4, dup578],
  on_success: processor_chain([dup579, dup583, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289, dup2431]),
});

// Message prefixed with the literal "ike_DelOldCentryAndCreateNew(): ".
var msg1631 = match({
  dissect: {
    tokenizer: "ike_DelOldCentryAndCreateNew(): %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1716, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("ike_DelOldCentryAndCreateNew mismatch"),
    }),
  ]),
});

var all720 = all_match({
  processors: [dup1527, dup1717],
  on_success: processor_chain([dup93, dup1718, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// The trailing %{} is an unnamed key, so the rest of the line is consumed and
// not stored under a field name.
// NOTE(review): "contruct" is matched literally. Do not correct the spelling
// unless a sample message shows the device spells it differently, or the
// pattern will stop matching.
var msg1632 = match({
  dissect: {
    tokenizer: "Unable to contruct xauth message, no message%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup45, dup1719, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289]),
});
// The dupN entries are shared processors defined elsewhere in this file.

var all721 = all_match({
  processors: [dup1824, dup352],
  on_success: processor_chain([
    dup55, dup1825, dup2340, dup2290, dup2291, dup2299,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Second stage for all722, reading nwparser.p0.
// NOTE(review): the pattern ends in ")!)!" -- the closing ")!" appears twice.
// This looks like a generator artefact; if the device emits it once, all722
// never matches. Check against a sample message.
var msg1633 = match({
  dissect: {
    tokenizer: "%{saddr}, %{action} (P2 struct %{fld11}, mess id %{fld12})!)!",
    field: "nwparser.p0",
  },
});

var all722 = all_match({
  processors: [dup1826, msg1633],
  on_success: processor_chain([
    dup55, dup1827, dup2340, dup2290, dup2291, dup2299, dup2285,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Second stage for all723, reading nwparser.p0.
// NOTE(review): "%{action}%{action}" repeats one key with no delimiter in
// between; confirm how the dissect implementation handles adjacent keys and
// whether action ends up populated. There is also a space before the comma
// after %{saddr}, which must be present in the message for a match.
var msg1634 = match({
  dissect: {
    tokenizer: "%{saddr} , %{action}%{action}",
    field: "nwparser.p0",
  },
});

var all723 = all_match({
  processors: [dup1826, msg1634],
  on_success: processor_chain([
    dup55, dup1828, dup2340, dup2290, dup2291, dup2299, dup2285,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var all724 = all_match({
  processors: [dup12, dup4, dup2156],
  on_success: processor_chain([dup55, dup2157, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var all725 = all_match({
  processors: [dup2158, dup2159],
  on_success: processor_chain([dup55, dup2160, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289]),
});

// Like msg1634, expects " , " (space before the comma) after the address.
var msg1635 = match({
  dissect: {
    tokenizer: "IP = %{saddr} , %{action}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup1, dup2161, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289]),
});

// Single-stage matcher labelled as a discarded runt ISAKMP packet.
var all726 = all_match({
  processors: [dup2162],
  on_success: processor_chain([
    dup93, dup2163, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Runt ISAKMP packet discarded on Port"),
    }),
  ]),
});
// The dupN entries are shared processors defined elsewhere in this file.
//
// msg1636 to msg1639 keep the device's stated outcome in result and replace
// the description with a constant, so downstream rules can match on a stable
// event_description and still read the outcome.

// Un-encrypted AUTH_FAILED notify.
var msg1636 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, Received an un-encrypted AUTH_FAILED notify message, %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup958, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received an un-encrypted AUTH_FAILED notify message"),
    }),
  ]),
});

// Encrypted packet that matches no SA.
var msg1637 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, Received encrypted packet with no matching SA, %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup959, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received encrypted packet with no matching SA"),
    }),
  ]),
});

// Un-encrypted notify of any type; the type is captured in obj_type.
var msg1638 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, Received an un-encrypted %{obj_type} notify message, %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup960, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received an un-encrypted notify message"),
    }),
  ]),
});

// No crypto map bound to the interface.
var msg1639 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, No crypto map bound to interface... %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup961, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("No crypto map bound to interface"),
    }),
  ]),
});

// Generic "Group/Username/IP + free text" layout.
var msg1640 = match({
  dissect: {
    tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup962, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Second stage for all727, reading nwparser.p0.
// NOTE(review): the whole pattern is one key written twice with nothing in
// between. This looks like a generator artefact; confirm how the dissect
// implementation handles it and whether event_description is populated.
var msg1641 = match({
  dissect: {
    tokenizer: "%{event_description}%{event_description}",
    field: "nwparser.p0",
  },
});

var all727 = all_match({
  processors: [dup963, msg1641],
  on_success: processor_chain([dup14, dup964, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289]),
});
// The dupN entries are shared processors defined elsewhere in this file.
//
// In msg1642 through all730 the chain lists dup2288, dup2289 before dup2286,
// dup2287; from all731 on the order is dup2286..dup2289. The order is kept
// exactly as found because the processors' interdependence is not visible here.

// IKE port already reserved; port and interface are captured separately.
var msg1642 = match({
  dissect: {
    tokenizer: "IKE port %{network_port} for IPSec UDP already reserved on interface %{interface}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup96, dup2340, dup2285, dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKE port for IPSec UDP already reserved on interface"),
    }),
  ]),
});

var all728 = all_match({
  processors: [dup12, dup4, dup97],
  on_success: processor_chain([dup14, dup98, dup2340, dup2288, dup2289, dup2286, dup2287]),
});

var all729 = all_match({
  processors: [dup99, dup100, dup101],
  on_success: processor_chain([dup14, dup102, dup2340, dup2285, dup2288, dup2289, dup2286, dup2287]),
});

// Payload that begins with the literal "INFO: ".
var msg1643 = match({
  dissect: {
    tokenizer: "INFO: %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup103, dup2340, dup2285, dup2288, dup2289, dup2286, dup2287]),
});

var all730 = all_match({
  processors: [dup104, dup4, dup97],
  on_success: processor_chain([dup14, dup105, dup2340, dup2285, dup2288, dup2289, dup2286, dup2287]),
});

var all731 = all_match({
  processors: [dup393, dup1672],
  on_success: processor_chain([dup14, dup1673, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289]),
});

var all732 = all_match({
  processors: [dup396, dup1674],
  on_success: processor_chain([dup14, dup1675, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289]),
});

var all733 = all_match({
  processors: [dup1676, dup1677],
  on_success: processor_chain([dup14, dup1678, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Catch-all: the whole payload becomes event_description.
var msg1644 = match({
  dissect: {
    tokenizer: "%{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup29, dup1679, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289]),
});

// "OBSOLETE DESCRIPTOR - INDEX <n>"; the index goes to dclass_counter1.
var msg1645 = match({
  dissect: {
    tokenizer: "OBSOLETE DESCRIPTOR - INDEX %{dclass_counter1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup30, dup2340, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("OBSOLETE DESCRIPTOR"),
    }),
  ]),
});
// Quick Mode (QM) progress messages; each carries "msg id = <fld1>".
// The dupN entries are shared processors defined elsewhere in this file.

// Responder-side layout with a free-text description before the message id.
var msg1646 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}: msg id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup1652, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Initiator starting QM; no Group/IP prefix in this layout.
var msg1647 = match({
  dissect: {
    tokenizer: "IKE Initiator starting QM: msg id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup220, dup1653, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKE Initiator starting QM"),
    }),
  ]),
});

// "IP = ..., <action>: msg id = ..." layout.
var msg1648 = match({
  dissect: {
    tokenizer: "IP = %{saddr}, %{action}: msg id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup457, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// msg1649 and msg1651 share this tokenizer and differ only in the second
// chain entry (dup40 vs dup1375).
var msg1649 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{action}: msg id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup40, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Initiator sending the 1st QM packet.
var msg1650 = match({
  dissect: {
    tokenizer: "IKE Initiator sending 1st QM pkt: msg id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41, dup42, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKE Initiator sending 1st QM pkt"),
    }),
  ]),
});

var all734 = all_match({
  processors: [dup31, dup32],
  on_success: processor_chain([dup33, dup34, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

var msg1651 = match({
  dissect: {
    tokenizer: "Group = %{group}, IP = %{saddr}, %{action}: msg id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([dup16, dup1375, dup2340, dup2286, dup2287, dup2288, dup2289]),
});

// Initiator sending the 3rd QM packet.
var msg1652 = match({
  dissect: {
    tokenizer: "IKE Initiator sending 3rd QM pkt: msg id = %{fld1}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup220, dup1376, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKE Initiator sending 3rd QM pkt"),
    }),
  ]),
});
var msg1653 = match({ | |
dissect: { | |
tokenizer: "Group = %{group}, IP = %{saddr}, IKE Initiator sending Initial Contact", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup16, | |
dup1762, | |
dup2340, | |
dup2286, | |
dup2287, | |
dup2288, | |
dup2289, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Sending initial contact"), | |
}), | |
]), | |
}); | |
// Matchers around IKE SPI / key-engine messages. all_match() entries combine
// shared sub-matchers (dupNNNN, declared elsewhere in this file); match()
// entries dissect "nwparser.payload" directly. The on_success chain is the
// enrichment applied to a matched event.
var all735 = all_match({
	processors: [dup1527, dup352],
	on_success: processor_chain([
		dup33, dup1528, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all736 = all_match({
	processors: [dup1529, dup1530],
	on_success: processor_chain([
		dup14, dup1531, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all737 = all_match({
	processors: [dup1833, dup322],
	on_success: processor_chain([
		dup93, dup1834, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all738 = all_match({
	processors: [dup664, dup1071, dup1072],
	on_success: processor_chain([
		dup10, dup1073, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

// The SPI value is captured into dst_spi.
var msg1654 = match({
	dissect: {
		tokenizer: "IKE got SPI from key engine: SPI = %{dst_spi}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup29, dup1074, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("IKE got SPI from key engine"),
		}),
	]),
});

// Same sub-matchers as all738, with a longer enrichment chain.
var all739 = all_match({
	processors: [dup664, dup1071, dup1072],
	on_success: processor_chain([
		dup10, dup1414, dup2340, dup2343, dup2344, dup2380, dup2316,
		dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1655 = match({
	dissect: {
		tokenizer: "IKE got a KEY_ADD msg for SA: SPI = %{dst_spi}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup1415, dup1416, dup2340, dup2343, dup2344, dup2380, dup2316,
		dup2285, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("IKE got a KEY_ADD msg for SA"),
		}),
	]),
});

var all740 = all_match({
	processors: [dup12, dup4, dup2080],
	on_success: processor_chain([
		dup68, dup2081, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all741 = all_match({
	processors: [dup99, dup2082],
	on_success: processor_chain([
		dup68, dup2083, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
	]),
});
// Further multi-stage matchers plus the IKEGetUserAttributes pattern. The
// dupNNNN names are shared processors declared elsewhere in this file; the
// on_success chain is applied once the match succeeds.
var all742 = all_match({
	processors: [dup12, dup4, dup1720],
	on_success: processor_chain([
		dup33, dup1721, dup2340, dup2286, dup2287, dup2288, dup2289, dup2432,
	]),
});

// The attribute name and its new value are captured into
// change_attribute / change_new.
var msg1656 = match({
	dissect: {
		tokenizer: "Group = %{group}, IP = %{saddr}, IKEGetUserAttributes: %{change_attribute} = %{change_new}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup16, dup1722, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
		dup2432,
	]),
});

var all743 = all_match({
	processors: [dup12, dup4, dup1986],
	on_success: processor_chain([
		dup33, dup1987, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

// all744 and all745 share their sub-matchers; only the second chain entry
// (dup1543 vs dup667) differs.
var all744 = all_match({
	processors: [dup664, dup665, dup666],
	on_success: processor_chain([
		dup33, dup1543, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all745 = all_match({
	processors: [dup664, dup665, dup666],
	on_success: processor_chain([
		dup33, dup667, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all746 = all_match({
	processors: [dup31, dup352],
	on_success: processor_chain([
		dup33, dup2164, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all747 = all_match({
	processors: [dup324, dup1670],
	on_success: processor_chain([
		dup33, dup1671, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});
// Notify / keepalive / generic "Group = ..., IP = ..." matchers. match()
// entries dissect "nwparser.payload" with the tokenizer shown; all_match()
// entries combine shared sub-matchers. dupNNNN processors are declared
// elsewhere in this file.

// The MsgId is kept in the scratch field fld1.
var msg1657 = match({
	dissect: {
		tokenizer: "Group = %{group}, IP = %{saddr}, Processing CONNECTED notify (MsgId %{fld1})",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup220, dup844, dup2340, dup2286, dup2287, dup2288, dup2289, dup2423,
	]),
});

// Everything after the peer IP is captured into info.
var msg1658 = match({
	dissect: {
		tokenizer: "IP = %{saddr}, %{info}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup29, dup1373, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1659 = match({
	dissect: {
		tokenizer: "IP = %{saddr}, Starting IOS keepalive monitor: %{duration} sec.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup29, dup2194, dup2340, dup2286, dup2287, dup2288, dup2289, dup2423,
	]),
});

var all748 = all_match({
	processors: [dup393, dup394],
	on_success: processor_chain([
		dup14, dup395, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all749 = all_match({
	processors: [dup396, dup394],
	on_success: processor_chain([
		dup14, dup397, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all750 = all_match({
	processors: [dup1695, dup1696],
	on_success: processor_chain([
		dup14, dup1697, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all751 = all_match({
	processors: [dup12, dup4, dup1196],
	on_success: processor_chain([
		dup1019, dup1197, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1660 = match({
	dissect: {
		tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup369, dup1198, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

// Catch-all: the whole payload becomes event_description.
var msg1661 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup29, dup1703, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1662 = match({
	dissect: {
		tokenizer: "Group = %{group}, IP = %{saddr}, %{action} of type %{event_description}, %{info}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup45, dup458, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});
// A run of multi-stage matchers that mostly pair dup321/dup324 with dup322,
// followed by one direct dissect pattern. The sub-matchers and the chain
// entries (dupNNNN) are declared elsewhere in this file; what each one
// extracts cannot be read off from here.
var all752 = all_match({
	processors: [dup12, dup4, dup97],
	on_success: processor_chain([
		dup14, dup975, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all753 = all_match({
	processors: [dup1583, dup322],
	on_success: processor_chain([
		dup14, dup1584, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all754 = all_match({
	processors: [dup324, dup322],
	on_success: processor_chain([
		dup14, dup1585, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all755 = all_match({
	processors: [dup321, dup322],
	on_success: processor_chain([
		dup14, dup1313, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all756 = all_match({
	processors: [dup324, dup322],
	on_success: processor_chain([
		dup14, dup1314, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all757 = all_match({
	processors: [dup324, dup322],
	on_success: processor_chain([
		dup14, dup682, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all758 = all_match({
	processors: [dup321, dup322],
	on_success: processor_chain([
		dup14, dup323, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all759 = all_match({
	processors: [dup324, dup322],
	on_success: processor_chain([
		dup14, dup325, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

// Peer IP into saddr, the rest of the payload into event_description.
var msg1663 = match({
	dissect: {
		tokenizer: "IP = %{saddr}, %{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup16, dup196, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});
// Phase-1 SA, MODE_CFG and NAT-Traversal matchers. dupNNNN processors are
// shared definitions declared elsewhere in this file.

// Note the chain order here: dup2288/dup2289 come before dup2286/dup2287,
// unlike most neighbouring chains. The order is kept exactly as found.
var all760 = all_match({
	processors: [dup1316, dup1317],
	on_success: processor_chain([
		dup14, dup1318, dup2340, dup2288, dup2289, dup2286, dup2287,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Old P1 SA is being deleted but new SA is DEAD"),
		}),
	]),
});

var all761 = all_match({
	processors: [dup12, dup4, dup1857],
	on_success: processor_chain([
		dup33, dup1858, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1664 = match({
	dissect: {
		tokenizer: "Group = %{group}, IP = %{saddr}, MODE_CFG: %{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup16, dup1859, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
	]),
});

// all762..all765 use the same three sub-matchers; they differ only in the
// second entry of the on_success chain.
var all762 = all_match({
	processors: [dup12, dup4, dup829],
	on_success: processor_chain([
		dup33, dup2035, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all763 = all_match({
	processors: [dup12, dup4, dup829],
	on_success: processor_chain([
		dup33, dup1462, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all764 = all_match({
	processors: [dup12, dup4, dup829],
	on_success: processor_chain([
		dup33, dup1788, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

// Fixed-text message: only group and peer IP are captured.
var msg1665 = match({
	dissect: {
		tokenizer: "Group = %{group}, IP = %{saddr}, NAT-Discovery payloads missing. Aborting NAT-Traversal.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup18, dup19, dup2340, dup2292, dup2290, dup2286, dup2287, dup2288,
		dup2289, dup2423,
	]),
});

var all765 = all_match({
	processors: [dup12, dup4, dup829],
	on_success: processor_chain([
		dup33, dup1199, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});
// Generic "Group = ..., IP = ..." matchers and a few multi-stage ones.
// match() dissects "nwparser.payload" with the tokenizer given; the
// on_success chain is made of shared dupNNNN processors declared elsewhere
// in this file.
var msg1666 = match({
	dissect: {
		tokenizer: "Group = %{group}, IP = %{saddr}, %{action}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup16, dup1200, dup2340, dup2285, dup2286, dup2287, dup2288, dup2289,
	]),
});

// The device-supplied reason text is captured into result.
var msg1667 = match({
	dissect: {
		tokenizer: "IP = %{saddr}, %{action}. %{space} Reason: %{result}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup1, dup902, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

// Variant with no comma between the group value and "IP =".
var msg1668 = match({
	dissect: {
		tokenizer: "Group = %{group} IP = %{saddr}, %{action}.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup16, dup2044, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all766 = all_match({
	processors: [dup99, dup352],
	on_success: processor_chain([
		dup33, dup353, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all767 = all_match({
	processors: [dup478, dup479],
	on_success: processor_chain([
		dup33, dup480, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all768 = all_match({
	processors: [dup53, dup54],
	on_success: processor_chain([
		dup55, dup56, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

// msg1669 expects a trailing "." after the description; msg1670 does not.
var msg1669 = match({
	dissect: {
		tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup18, dup1988, dup2340, dup2292, dup2290, dup2286, dup2287, dup2288,
		dup2289, dup2423,
	]),
});

var msg1670 = match({
	dissect: {
		tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup18, dup35, dup2340, dup2292, dup2290, dup2286, dup2287, dup2288,
		dup2289, dup2423,
	]),
});

// Type and sequence number go to the scratch fields fld1 / fld2.
var msg1671 = match({
	dissect: {
		tokenizer: "Group = %{group}, IP = %{saddr}, %{action} of type %{fld1} (seq number %{fld2})",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup131, dup348, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

var all769 = all_match({
	processors: [dup789, dup790],
	on_success: processor_chain([
		dup14, dup791, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});

// In all770 and all771 the chain runs dup2288/dup2289 before
// dup2286/dup2287; the order is kept exactly as found.
var all770 = all_match({
	processors: [dup510, dup511],
	on_success: processor_chain([
		dup93, dup512, dup2340, dup2343, dup2344, dup2292, dup2288, dup2289,
		dup2286, dup2287,
	]),
});

var all771 = all_match({
	processors: [dup513, dup514, dup515],
	on_success: processor_chain([
		dup93, dup516, dup2340, dup2343, dup2344, dup2292, dup2285, dup2288,
		dup2289, dup2286, dup2287,
	]),
});

var msg1672 = match({
	dissect: {
		tokenizer: "Group = %{group}, IP = %{saddr}, %{event_description}: %{duration} seconds.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup41, dup1365, dup2340, dup2286, dup2287, dup2288, dup2289,
	]),
});
// Session start / stop / grant / deny matchers. Most of them begin with the
// shared sub-matchers dup127 and dup64 and end by writing a constant
// event_description. dupNNNN processors are declared elsewhere in this file.
var all772 = all_match({
	processors: [dup127, dup64, dup657],
	on_success: processor_chain([
		dup10, dup658, dup2320, dup2321, dup2335, dup2316, dup2286, dup2287,
		dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("session started"),
		}),
	]),
});

var all773 = all_match({
	processors: [dup127, dup64, dup552],
	on_success: processor_chain([
		dup68, dup553, dup2340, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("session terminated"),
		}),
	]),
});

var all774 = all_match({
	processors: [dup127, dup64, dup852],
	on_success: processor_chain([
		dup177, dup853, dup2340, dup2320, dup2321, dup2335, dup2316, dup2286,
		dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("WebVPN access GRANTED"),
		}),
	]),
});

// The failure-type chains below (all775, all776, all777, all780) use dup2314
// where the success-type chains above use dup2316.
var all775 = all_match({
	processors: [dup127, dup64, dup2084],
	on_success: processor_chain([
		dup285, dup2085, dup2320, dup2321, dup2335, dup2314, dup2286, dup2287,
		dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("access DENIED"),
		}),
	]),
});

var all776 = all_match({
	processors: [dup127, dup64, dup530],
	on_success: processor_chain([
		dup285, dup531, dup2340, dup2320, dup2321, dup2335, dup2314, dup2286,
		dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Unable to create session"),
		}),
	]),
});

// \u003c is "<" and \u003e is ">", so this tokenizer requires a literal "<<"
// before each of group / username / hostip and a single ">" after it.
// NOTE(review): if the device writes "Group <name> User <user> IP <addr>"
// with one "<", this pattern never matches and ACL parse errors reach the
// index unparsed -- confirm against a sample log line.
var msg1673 = match({
	dissect: {
		tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{hostip}\u003e %{result}. ACL parse error",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup45, dup1070, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("ACL parse error"),
		}),
	]),
});

var all777 = all_match({
	processors: [dup127, dup64, dup997],
	on_success: processor_chain([
		dup285, dup998, dup2320, dup2321, dup2335, dup2314, dup2286, dup2287,
		dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Session could not be established"),
		}),
	]),
});

// Ten sub-matchers, dup441 through dup450, in numeric order.
var all778 = all_match({
	processors: [
		dup441, dup442, dup443, dup444, dup445,
		dup446, dup447, dup448, dup449, dup450,
	],
	on_success: processor_chain([
		dup85, dup451, dup2320, dup2321, dup2300, dup2286, dup2287, dup2288,
		dup2289,
	]),
});

var all779 = all_match({
	processors: [dup1344, dup64, dup1345, dup1346, dup1347],
	on_success: processor_chain([
		dup573, dup1348, dup2320, dup2321, dup2300, dup2286, dup2287, dup2288,
		dup2289,
	]),
});

var all780 = all_match({
	processors: [dup1349, dup64, dup65, dup1346, dup1350],
	on_success: processor_chain([
		dup573, dup1351, dup2320, dup2321, dup2335, dup2314, dup2285, dup2286,
		dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Session connection rejected"),
		}),
	]),
});
// URL access-list, Java applet, dynamic ACL and AnyConnect session matchers.
// match() dissects "nwparser.payload"; dupNNNN processors are declared
// elsewhere in this file.

// Unlike most siblings, the constant here is written to nwparser.result
// rather than nwparser.event_description.
// NOTE(review): url is cut out of the log line by the tokenizer; consumers
// that render or follow it should treat it as untrusted text.
var msg1674 = match({
	dissect: {
		tokenizer: "access-list %{listnum} permit url %{url} hit-cnt %{dclass_counter1}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup29, dup1769, dup2286, dup2287, dup2288, dup2289, dup2319,
		set_field({
			dest: "nwparser.result",
			value: constant("access-list permit url"),
		}),
	]),
});

var all781 = all_match({
	processors: [dup127, dup64, dup128],
	on_success: processor_chain([
		dup14, dup129, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Java applet started"),
		}),
	]),
});

var all782 = all_match({
	processors: [dup127, dup64, dup1066],
	on_success: processor_chain([
		dup1067, dup1068, dup2286, dup2287, dup2288, dup2289,
	]),
});

// \u003c is "<" and \u003e is ">": msg1675, msg1677 and msg1678 each require
// a literal "<<" before every bracketed value and a single ">" after it.
// NOTE(review): if the device emits a single "<", none of these three
// patterns can match and the dynamic-ACL / AnyConnect events stay unparsed
// -- confirm against sample log lines.
var msg1675 = match({
	dissect: {
		tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{hostip}\u003e Error adding dynamic ACL for user",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup45, dup1112, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Error adding dynamic ACL for user"),
		}),
	]),
});

// Bracket-free variant: space-separated group (fld0), username and source IP.
var msg1676 = match({
	dissect: {
		tokenizer: "Group %{fld0} User %{username} IP %{saddr} %{info}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61, dup1968, dup2313, dup2302, dup2314, dup2286, dup2287, dup2288,
		dup2289,
	]),
});

// The trailing free text (captured as result) is kept; the constant goes to
// event_description.
var msg1677 = match({
	dissect: {
		tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e AnyConnect session lost connection. %{result}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61, dup1644, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("AnyConnect session lost connection"),
		}),
	]),
});

// Two addresses are captured: saddr from the "IP" slot and hostip from the
// "resumed connection from IP" slot.
var msg1678 = match({
	dissect: {
		tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e AnyConnect session resumed connection from IP \u003c\u003c%{hostip}\u003e",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup61, dup1338, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("AnyConnect session resumed connection"),
		}),
	]),
});
// Catch-all matchers: every match() in this run uses the tokenizer
// "%{event_description}", so the whole payload becomes the description and
// the entries differ only in their on_success chains. dupNNNN processors are
// declared elsewhere in this file.
var msg1679 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup106, dup1297, dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1680 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup1325, dup1326, dup2343, dup2433, dup2314, dup2286, dup2287, dup2288,
		dup2289,
	]),
});

var msg1681 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup220, dup2086, dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1682 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup106, dup107, dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1683 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup29, dup1358, dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1684 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup106, dup860, dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1685 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup29, dup1654, dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1686 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup243, dup1955, dup2286, dup2287, dup2288, dup2289,
	]),
});

// Single sub-matcher; the chain has the same tail as msg1680
// (dup2343, dup2433, dup2314, ...).
var all783 = all_match({
	processors: [dup326],
	on_success: processor_chain([
		dup327, dup328, dup2343, dup2433, dup2314, dup2286, dup2287, dup2288,
		dup2289,
	]),
});

var msg1687 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup45, dup1099, dup2286, dup2287, dup2288, dup2289,
	]),
});
// PKI / certificate validation matchers. match() dissects "nwparser.payload"
// with the tokenizer shown; dupNNNN processors are declared elsewhere in
// this file.

// Leading free text goes to action, the issuer DN to dn.
var msg1688 = match({
	dissect: {
		tokenizer: "%{action} Issuer: %{dn}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup29, dup2040, dup2286, dup2287, dup2288, dup2289,
	]),
});

// Keeps the captured result, serial_number and cert_subject; the constant is
// written to event_description, so nothing captured is overwritten here.
var msg1689 = match({
	dissect: {
		tokenizer: "Certificate was successfully validated. %{result} serial number: %{serial_number}, subject name: %{cert_subject}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup1397, dup1398, dup2433, dup2290, dup2316, dup2286, dup2287, dup2288,
		dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Certificate successfully validated"),
		}),
	]),
});

var msg1690 = match({
	dissect: {
		tokenizer: "Checking CRL from trustpoint: %{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup29, dup493, dup2286, dup2287, dup2288, dup2289,
	]),
});

// The certificate count is kept in the scratch field fld1.
var msg1691 = match({
	dissect: {
		tokenizer: "Validating certificate chain containing %{fld1} certificate(s)",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup220, dup221, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Validating certificate chain"),
		}),
	]),
});

var msg1692 = match({
	dissect: {
		tokenizer: "Name lookup failed for hostname %{hostname} during PKI operation.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup261, dup481, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Name lookup failed during PKI operation."),
		}),
	]),
});
// Certificate chain validation failure.
// NOTE(review): the tokenizer captures the device's failure reason into
// result, and the final set_field() then writes a constant to
// nwparser.result. If both refer to the same field (presumably they do --
// confirm how dissect names its output), the reason is overwritten and lost,
// which removes the detail an analyst needs to triage a failed validation.
// Other certificate matchers in this file write their constant to
// nwparser.event_description instead. The constant also reads "failed
// validated"; it is left byte-for-byte as found because downstream rules may
// key on it.
var msg1693 = match({
	dissect: {
		tokenizer: "Certificate chain failed validation. %{result}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup891, dup1950, dup2433, dup2314, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.result",
			value: constant("Certificate chain failed validated"),
		}),
	]),
});
// More PKI matchers: chain validation success, client certificate
// identification, tunnel-group lookup by certificate map, local CA errors
// and trustpoint expiry. dupNNNN processors are declared elsewhere in this
// file.

// The constant goes to nwparser.result; the tokenizer captures only info, so
// no captured value is overwritten here.
var msg1694 = match({
	dissect: {
		tokenizer: "Certificate chain was successfully validated %{info}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup1397, dup2209, dup2433, dup2290, dup2316, dup2286, dup2287, dup2288,
		dup2289,
		set_field({
			dest: "nwparser.result",
			value: constant("Certificate chain successfully validated"),
		}),
	]),
});

var msg1695 = match({
	dissect: {
		tokenizer: "Identified client certificate within certificate chain. serial number: %{serial_number}, subject name: %{cert_subject}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup220, dup1477, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Identified client certificate"),
		}),
	]),
});

// Catch-all: the whole payload becomes event_description.
var msg1696 = match({
	dissect: {
		tokenizer: "%{event_description}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup220, dup1022, dup2286, dup2287, dup2288, dup2289,
	]),
});

var msg1697 = match({
	dissect: {
		tokenizer: "%{application} response received.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup220, dup1011, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("application response received"),
		}),
	]),
});

var msg1698 = match({
	dissect: {
		tokenizer: "Looking for a tunnel group match based on certificate maps for peer certificate with serial number: %{serial_number}, subject name: %{cert_subject}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup41, dup991, dup2286, dup2287, dup2288, dup2289,
	]),
});

// No comma precedes "issuer_name:" in this tokenizer, so cert_subject ends at
// the literal " issuer_name: ".
var msg1699 = match({
	dissect: {
		tokenizer: "Tunnel group search using certificate maps failed for peer certificate: serial number: %{serial_number}, subject name: %{cert_subject} issuer_name: %{dn}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup106, dup845, dup2286, dup2287, dup2288, dup2289,
	]),
});

// The captured result is kept; the constant goes to event_description.
var msg1700 = match({
	dissect: {
		tokenizer: "Local CA Server internal error detected: %{result}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup45, dup1708, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Local CA Server internal error detected"),
		}),
	]),
});

var msg1701 = match({
	dissect: {
		tokenizer: "Local CA Server CRL error: %{result}.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup45, dup1969, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Local CA Server CRL error"),
		}),
	]),
});

// \u003c is "<" and \u003e is ">": each bracketed value must be preceded by a
// literal "<<" and followed by a single ">".
// NOTE(review): if the device emits a single "<", this pattern never matches
// and certificate-expiry events stay unparsed -- confirm against a sample
// log line.
var msg1702 = match({
	dissect: {
		tokenizer: "The \u003c\u003c%{fld1}\u003e certificate in the trustpoint \u003c\u003c%{cert_hostname}\u003e has expired. Expiration \u003c\u003c%{fld2}\u003e Subject Name \u003c\u003c%{cert_subject}\u003e Issuer Name \u003c\u003c%{dn}\u003e Serial Number \u003c\u003c%{serial_number}\u003e",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup29, dup1865, dup2286, dup2287, dup2288, dup2289,
		set_field({
			dest: "nwparser.event_description",
			value: constant("The certificate in the trustpoint has expired."),
		}),
	]),
});
// Peer HELLO / KEEPALIVE / OOS messages. Every pattern reads nwparser.payload
// and each chain sets a fixed event_description after the shared dupN
// processors (declared elsewhere in this file).

// NOTE(review): the address and port the device failed to send TO are captured
// as saddr/sport here - confirm that direction is intended before relying on
// these fields in source/destination correlation.
var msg1703 = match({
  dissect: {
    tokenizer: "Fail to send to %{saddr} port %{sport}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup302, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Fail to send to host"),
    }),
  ]),
});

// HELLO response sent; the bracketed peer address is captured as daddr.
var msg1704 = match({
  dissect: {
    tokenizer: "Sent HELLO response to [%{daddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1898, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Sent HELLO response"),
    }),
  ]),
});

// HELLO request received; the bracketed peer address is captured as saddr.
var msg1705 = match({
  dissect: {
    tokenizer: "Received HELLO request from [%{saddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup606, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received HELLO request"),
    }),
  ]),
});

// HELLO response received from the peer in saddr.
var msg1706 = match({
  dissect: {
    tokenizer: "Received HELLO response from [%{saddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1763, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received HELLO response"),
    }),
  ]),
});

// KEEPALIVE response sent to the peer in daddr.
var msg1707 = match({
  dissect: {
    tokenizer: "Sent KEEPALIVE response to [%{daddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup57, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Sent KEEPALIVE response"),
    }),
  ]),
});

// KEEPALIVE request received from the peer in saddr.
var msg1708 = match({
  dissect: {
    tokenizer: "Received KEEPALIVE request from [%{saddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup482, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received KEEPALIVE request"),
    }),
  ]),
});

// KEEPALIVE response received from the peer in saddr.
var msg1709 = match({
  dissect: {
    tokenizer: "Received KEEPALIVE response from [%{saddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1565, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received KEEPALIVE response"),
    }),
  ]),
});

// Failure sending an OOS indicator to the peer in daddr.
var msg1710 = match({
  dissect: {
    tokenizer: "Send OOS indicator failure to [%{daddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1725, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Send OOS indicator failure"),
    }),
  ]),
});
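// Failure sending a TOPOLOGY indicator to the peer captured as daddr.
// The event_description now repeats the wording the pattern matches
// ("Send ... failure"); it previously read "Sent ...", which did not agree
// with the matched text and could be confused with the description used for
// a successfully sent TOPOLOGY indicator. Saved searches keyed on the old
// string need to be updated.
var msg1711 = match({
  dissect: {
    tokenizer: "Send TOPOLOGY indicator failure to [%{daddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1075, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Send TOPOLOGY indicator failure"),
    }),
  ]),
});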
// Peer lifecycle, group-policy and secure-tunnel messages. Patterns read
// nwparser.payload; several use a capture named "space" for the text between
// the fixed wording and the bracketed address. dupN processors are shared
// definitions declared elsewhere in this file.

// TOPOLOGY indicator sent to the peer in daddr.
var msg1712 = match({
  dissect: {
    tokenizer: "Sent TOPOLOGY indicator to %{space} [%{daddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1704, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Sent TOPOLOGY indicator"),
    }),
  ]),
});

// Dead-peer processing; the bracketed value is stored as "peer".
var msg1713 = match({
  dissect: {
    tokenizer: "Process dead peer[%{peer}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1150, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Process dead"),
    }),
  ]),
});

// Peer deleted; bracketed address captured as saddr.
var msg1714 = match({
  dissect: {
    tokenizer: "Deleted peer %{space} [%{saddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup2237, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Deleted peer"),
    }),
  ]),
});

// Peer created. Unlike the sibling patterns there is no blank between
// %{space} and "[" in this tokenizer; it is reproduced as written.
var msg1715 = match({
  dissect: {
    tokenizer: "Created peer %{space}[%{saddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup708, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Created peer"),
    }),
  ]),
});

// Group policy created; the bracketed name is stored as policyname.
var msg1716 = match({
  dissect: {
    tokenizer: "Create group policy [%{policyname}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup155, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Create group policy"),
    }),
  ]),
});

// Secure tunnel to a peer created; peer address captured as saddr.
var msg1717 = match({
  dissect: {
    tokenizer: "Created secure tunnel to peer %{space} [%{saddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1124, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Created secure tunnel to peer"),
    }),
  ]),
});

// Secure tunnel to a peer deleted; peer address captured as saddr.
var msg1718 = match({
  dissect: {
    tokenizer: "Deleted secure tunnel to peer %{space} [%{saddr}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup616, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Deleted secure tunnel to peer"),
    }),
  ]),
});

// Master peer deleted; the address follows "IP " without brackets.
var msg1719 = match({
  dissect: {
    tokenizer: "Deleted Master peer, IP %{saddr}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup354, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Deleted Master peer"),
    }),
  ]),
});
// State-machine and VPN load-balancing role messages. Patterns read
// nwparser.payload; each chain ends by setting a fixed event_description.
// dupN processors are shared definitions declared elsewhere in this file.

// Return code of the state machine: two comma-separated values.
var msg1720 = match({
  dissect: {
    tokenizer: "State machine return code: %{result}, %{resultcode}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1244, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("State machine return code"),
    }),
  ]),
});

// Function trace: state, event and func are stored as category, obj_type and
// application respectively.
var msg1721 = match({
  dissect: {
    tokenizer: "State machine function trace: state=%{category}, event=%{obj_type}, func=%{application}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup2249, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("State machine function trace"),
    }),
  ]),
});

// "<something> thread is awake"; the leading word is captured as direction.
var msg1722 = match({
  dissect: {
    tokenizer: "%{direction} thread is awake (context=%{context}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1366, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("thread is awake"),
    }),
  ]),
});

// Load balancing started in the captured context.
var msg1723 = match({
  dissect: {
    tokenizer: "Start VPN Load Balancing in context %{context}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1835, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Start VPN Load Balancing"),
    }),
  ]),
});

// Load balancing stopped in the captured context.
var msg1724 = match({
  dissect: {
    tokenizer: "Stop VPN Load Balancing in context %{context}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup965, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Stop VPN Load Balancing"),
    }),
  ]),
});

// Role change: this unit becomes the load-balancing master.
var msg1725 = match({
  dissect: {
    tokenizer: "Becoming master of Load Balancing in context %{context}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup439, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Becoming master of Load Balancing"),
    }),
  ]),
});

// Role change: this unit becomes a load-balancing slave.
var msg1726 = match({
  dissect: {
    tokenizer: "Becoming slave of Load Balancing in context %{context}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup981, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Becoming slave of Load Balancing"),
    }),
  ]),
});
// Generic "(VPN-<context>) <text>" messages. The patterns in this run are
// identical apart from an optional trailing "."; the statements differ only in
// the first two processors of their on_success chain (dupN values are shared
// definitions declared elsewhere in this file). The free text is copied
// verbatim into event_description, so no fixed description is set here.

var msg1727 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup839, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1728 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1267, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Trailing "." variant.
var msg1729 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1169, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Trailing "." variant.
var msg1730 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup2257, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Trailing "." variant.
var msg1731 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1924, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1732 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup106, dup1051, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1733 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup106, dup1705, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1734 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1087, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// More generic "(VPN-<context>) <text>" messages read from nwparser.payload.
// Only the first two chain entries vary between statements; the message text
// is captured into event_description as-is. dupN processors are shared
// definitions declared elsewhere in this file.

// Trailing "." variant.
var msg1735 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup247, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1736 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup1488, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Trailing "." variant.
var msg1737 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup764, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1738 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1298, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1739 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup1300, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1740 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup627, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1741 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup2100, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1742 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup1463, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// One user-attributed message followed by further "(VPN-<context>) ..."
// messages and an all_match combination. dupN processors are shared
// definitions declared elsewhere in this file.

// Group / user / client IP followed by free text. The captured group,
// username and description are copied from the log line as-is; nothing in
// this statement validates them, so consumers should treat them as
// untrusted text.
var msg1743 = match({
  dissect: {
    tokenizer: "Group %{group} User %{username} IP %{saddr} %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup222, dup223, dup2313, dup2302, dup2316,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1744 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup268, dup1665, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1745 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1709, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1746 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup2216, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Variant carrying a "(function=..., line=...)" suffix, stored in the generic
// fld1 / fld2 fields.
var msg1747 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description} (function=%{fld1}, line=%{fld2}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup2146, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1748 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup2025, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1749 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup130, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// "Sending <info> to standby unit"; no event_description is captured or set
// by this statement.
var msg1750 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) Sending %{info} to standby unit",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup976, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Combination of three shared matchers (presumably all must succeed before
// on_success runs - confirm against the all_match helper).
var all784 = all_match({
  processors: [dup1566, dup1567, dup1568],
  on_success: processor_chain([
    dup767, dup1569, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// Further "(VPN-<context>) <text>" messages read from nwparser.payload. The
// variants are: plain text, text ending in ".", and "text: info". Statements
// with the same pattern differ only in the first two chain entries; dupN
// processors are shared definitions declared elsewhere in this file.

var msg1751 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup1088, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1752 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41, dup2101, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1753 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41, dup263, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// "text: info" variant - the part after ": " is stored as info.
var msg1754 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}: %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1404, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// "text: info" variant.
var msg1755 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}: %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1772, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1756 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup378, dup2258, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Trailing "." variant.
var msg1757 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41, dup406, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1758 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41, dup277, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1759 = match({
  dissect: {
    tokenizer: "(VPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup2107, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// "(WebVPN-<context>) <text>" messages read from nwparser.payload. Unlike the
// "(VPN-...)" statements, these chains do not include dup2340. dupN processors
// are shared definitions declared elsewhere in this file.

var msg1760 = match({
  dissect: {
    tokenizer: "(WebVPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup709,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1761 = match({
  dissect: {
    tokenizer: "(WebVPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup131, dup132,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Trailing "." variant.
var msg1762 = match({
  dissect: {
    tokenizer: "(WebVPN-%{context}) %{event_description}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58, dup59,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1763 = match({
  dissect: {
    tokenizer: "(WebVPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1279,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var msg1764 = match({
  dissect: {
    tokenizer: "(WebVPN-%{context}) %{event_description}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup2090,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// APCF XML file path enabled on the standby unit; the path is captured as
// filename and a fixed event_description is set.
var msg1765 = match({
  dissect: {
    tokenizer: "(WebVPN-%{context}) Enable APCF XML file path %{filename} on the standby unit",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1848,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Enable APCF XML file path on standby unit"),
    }),
  ]),
});
// all_match combinations built from shared matchers (dupN, declared elsewhere
// in this file). Presumably every entry in `processors` has to match before
// on_success runs - confirm against the all_match helper.

// Session created.
var all785 = all_match({
  processors: [dup1319, dup4, dup1903],
  on_success: processor_chain([
    dup10, dup1904, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("session created"),
    }),
  ]),
});

// Session deleted; shares its first two matchers with all785.
var all786 = all_match({
  processors: [dup1319, dup4, dup1320],
  on_success: processor_chain([
    dup767, dup1321, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("session deleted"),
    }),
  ]),
});

// all787 and all788 use the same three matchers and differ only in the first
// two entries of their on_success chain.
var all787 = all_match({
  processors: [dup494, dup495, dup496],
  on_success: processor_chain([
    dup55, dup497,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var all788 = all_match({
  processors: [dup494, dup495, dup496],
  on_success: processor_chain([
    dup93, dup1666,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// User-attributed messages in the "Group <<g> User <<u> IP <<a> ..." layout
// (\u003c / \u003e are the escaped "<" and ">" characters). The captured group,
// username and description are copied from the log line as-is; nothing here
// validates them, so consumers should treat them as untrusted text. dupN
// processors are shared definitions declared elsewhere in this file.

// Free-text variant; the pattern ends with a literal ".".
var msg1766 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e %{event_description}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup678,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Invalid address assigned to an SVC connection; the rejected address is
// captured as daddr.
// NOTE(review): dup2288/dup2289 run before dup2286/dup2287 here, the reverse
// of most sibling chains; the order is kept exactly as in the original.
var msg1767 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e Invalid address \u003c\u003c%{daddr}\u003e assigned to SVC connection",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup45, dup781, dup2340,
    dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Invalid address assigned to SVC connection"),
    }),
  ]),
});
// Sub-pattern applied to nwparser.p3 (not nwparser.payload); it has no
// on_success chain of its own and is used as the last matcher of all789.
// NOTE(review): the tokenizer repeats %{event_description} four times with no
// literal text between the captures. This looks like converter output; confirm
// how dissect resolves adjacent captures of the same key, since the resulting
// event_description may not hold the full message text.
var msg1768 = match({
  dissect: {
    tokenizer: "%{info}/%{result}: %{event_description}%{event_description}%{event_description}%{event_description}",
    field: "nwparser.p3",
  },
});

// Four shared matchers (dupN, declared elsewhere in this file) followed by
// msg1768; on_success then runs the listed processors.
var all789 = all_match({
  processors: [dup2223, dup2224, dup2225, dup2226, msg1768],
  on_success: processor_chain([
    dup55, dup2227, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// all_match combinations assembled from shared matchers and processors (dupN,
// declared elsewhere in this file). The matched text itself is not visible in
// these statements; only the fixed descriptions below state what they record.

var all790 = all_match({
  processors: [dup127, dup64, dup2135, dup2136],
  on_success: processor_chain([
    dup55, dup2137, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// No address available for an SVC connection.
// NOTE(review): dup2288/dup2289 run before dup2286/dup2287 here, the reverse
// of most sibling chains; the order is kept exactly as in the original.
var all791 = all_match({
  processors: [dup359, dup64, dup65, dup360, dup361],
  on_success: processor_chain([
    dup285, dup362, dup2340,
    dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("No address available for SVC connection"),
    }),
  ]),
});

// Nine-part match; the chain ends with the shared dup2434 processor.
var all792 = all_match({
  processors: [
    dup127, dup64, dup65, dup66,
    dup498, dup499, dup500, dup501, dup502,
  ],
  on_success: processor_chain([
    dup55, dup503, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    dup2434,
  ]),
});

// Same layout as all792 except for the 7th and 9th matchers.
var all793 = all_match({
  processors: [
    dup127, dup64, dup65, dup66,
    dup498, dup499, dup1447, dup501, dup1448,
  ],
  on_success: processor_chain([
    dup68, dup1449, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
// SVC compression and connection-close messages. dupN matchers/processors are
// shared definitions declared elsewhere in this file.

// Fixed text followed by an unnamed %{} capture; nothing is extracted.
var msg1769 = match({
  dissect: {
    tokenizer: "SVC Global Compression Disabled%{}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup483, dup841,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

var all794 = all_match({
  processors: [
    dup127, dup64, dup65, dup66,
    dup498, dup499, dup1425,
  ],
  on_success: processor_chain([
    dup68, dup1426, dup2340,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});

// Stale SVC connection closed.
var all795 = all_match({
  processors: [dup127, dup64, dup1339],
  on_success: processor_chain([
    dup68, dup1340, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Stale SVC connection closed"),
    }),
  ]),
});

// all796, all797 and all798 share the same three matchers and all end with
// dup2435. all796 is the only one of the three without dup2340 in its chain.
var all796 = all_match({
  processors: [dup127, dup64, dup673],
  on_success: processor_chain([
    dup68, dup683,
    dup2286, dup2287, dup2288, dup2289,
    dup2435,
  ]),
});

var all797 = all_match({
  processors: [dup127, dup64, dup673],
  on_success: processor_chain([
    dup68, dup674, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    dup2435,
  ]),
});

var all798 = all_match({
  processors: [dup127, dup64, dup673],
  on_success: processor_chain([
    dup68, dup1085, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    dup2435,
  ]),
});
// SVC connection lifecycle combinations. Matchers and processors named dupN
// are shared definitions declared elsewhere in this file; the fixed
// descriptions below are the only message wording visible in this run.

// An old connection is being replaced.
var all799 = all_match({
  processors: [dup127, dup64, dup1352, dup1353, dup1354],
  on_success: processor_chain([
    dup33, dup1355, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("replacing old connection"),
    }),
  ]),
});

// Seven-part match whose chain ends with the shared dup2434 processor.
var all800 = all_match({
  processors: [
    dup63, dup64, dup65, dup66,
    dup2048, dup499, dup2049,
  ],
  on_success: processor_chain([
    dup10, dup2050, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    dup2434,
  ]),
});

// Large packet being transmitted.
var all801 = all_match({
  processors: [dup63, dup64, dup65, dup224, dup225],
  on_success: processor_chain([
    dup93, dup226,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("transmitting large packet"),
    }),
  ]),
});

// Error while transmitting a large packet.
var all802 = all_match({
  processors: [dup63, dup64, dup65, dup224, dup2210],
  on_success: processor_chain([
    dup93, dup2211,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("transmission error transmitting large packet"),
    }),
  ]),
});

// Connection being closed.
var all803 = all_match({
  processors: [dup63, dup64, dup65, dup66, dup67],
  on_success: processor_chain([
    dup68, dup69, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("closing connection"),
    }),
  ]),
});

// No IPv6 address available for an SVC connection.
var all804 = all_match({
  processors: [dup1544, dup64, dup65, dup360, dup1545],
  on_success: processor_chain([
    dup285, dup1546, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("No IPv6 address available for SVC connection"),
    }),
  ]),
});

// DTLS disabled.
var all805 = all_match({
  processors: [dup63, dup64, dup65, dup66, dup944],
  on_success: processor_chain([
    dup285, dup945,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("DTLS disabled"),
    }),
  ]),
});
// Tunnel / session termination and address-assignment messages. In the two
// dissect patterns \u003c / \u003e are the escaped "<" and ">" characters; the
// captured group and username are copied from the log line as-is and are not
// validated here. dupN matchers/processors are shared definitions declared
// elsewhere in this file.

// Tunnel terminated; the reason after the colon is stored as result.
// NOTE(review): dup2288/dup2289 run before dup2286/dup2287 here, the reverse
// of most sibling chains; the order is kept exactly as in the original.
var msg1770 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e Tunnel terminated: %{result}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup483, dup484,
    dup2288, dup2289, dup2286, dup2287,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Tunnel terminated"),
    }),
  ]),
});

// Chain ends with the shared dup2436 processor, as does msg1771 below.
var all806 = all_match({
  processors: [dup63, dup64, dup65, dup66, dup1594],
  on_success: processor_chain([
    dup68, dup1595,
    dup2286, dup2287, dup2288, dup2289,
    dup2436,
  ]),
});

// Session terminated; the text after the colon is stored as info.
var msg1771 = match({
  dissect: {
    tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003c%{saddr}\u003e Session terminated: %{info}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup29, dup1147,
    dup2286, dup2287, dup2288, dup2289,
    dup2436,
  ]),
});

// A specific address is assigned to the session.
var all807 = all_match({
  processors: [
    dup63, dup64, dup65, dup66,
    dup1596, dup1597, dup1598, dup1599, dup1600,
  ],
  on_success: processor_chain([
    dup288, dup1601,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("specific address is assigned to session"),
    }),
  ]),
});

// Chain ends with the shared dup2437 processor.
var all808 = all_match({
  processors: [dup63, dup64, dup65, dup66, dup1602],
  on_success: processor_chain([
    dup288, dup1603, dup2340,
    dup2286, dup2287, dup2288, dup2289,
    dup2437,
  ]),
});

// Connection from an unknown client.
var all809 = all_match({
  processors: [dup1400, dup1401, dup1402],
  on_success: processor_chain([
    dup14, dup1403,
    dup2286, dup2287, dup2288, dup2289,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Unknown client connection"),
    }),
  ]),
});

var all810 = all_match({
  processors: [dup1478, dup1479],
  on_success: processor_chain([
    dup14, dup1480,
    dup2286, dup2287, dup2288, dup2289,
  ]),
});
var msg1772 = match({ | |
dissect: { | |
tokenizer: "Group \u003c\u003c%{group}\u003e User \u003c\u003c%{username}\u003e IP \u003c\u003 |