Created
April 22, 2020 14:10
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.
var processor = require("processor"); | |
var console = require("console"); | |
// Holds the processor built by register(); process() forwards every event to it.
var device;

/**
 * Registers the module with the parameters taken from configuration.
 * The params argument is accepted but never read in this function; the call
 * only constructs a DeviceProcessor and stores it in the module-level `device`.
 */
function register(params) {
    device = new DeviceProcessor();
}
/**
 * Passes one event to the processor stored by register() and returns its result.
 * If register() has not run, `device` is still undefined and this call throws.
 */
function process(evt) {
    var outcome = device.process(evt);
    return outcome;
}
/**
 * Builds the processing chain in a fixed order: save_flags, chain1, restore_flags.
 * Returns an object whose `process` property is the built chain's Run function.
 */
function DeviceProcessor() {
    var builder = new processor.Chain();
    var stages = [save_flags, chain1, restore_flags];
    for (var i = 0; i < stages.length; i++) {
        builder.Add(stages[i]);
    }
    var built = builder.Build();
    return { process: built.Run };
}
// Lookup tables keyed by the strings "0" and "1".
// NOTE(review): dup476 and dup477 are not defined in the part of the file shown
// here. If they are only assigned further down, `var` hoisting leaves them
// undefined at the moment these literals are evaluated, and the zone lookups
// would carry undefined values. Confirm they are initialised before this point.
var map_srcDirName = { keyvaluepairs: { "0": dup477, "1": dup476 } };
// Same two values as map_srcDirName with the keys swapped.
var map_dstDirName = { keyvaluepairs: { "0": dup476, "1": dup477 } };
// "0" -> "2", "1" -> "3", with "0" as the default entry.
var map_dir2SumType = { keyvaluepairs: { "0": constant("2"), "1": constant("3") }, "default": constant("0") };
// "0" selects saddr, "1" selects daddr; the default entry is saddr.
var map_dir2Address = { keyvaluepairs: { "0": field("saddr"), "1": field("daddr") }, "default": field("saddr") };
// "0" selects sport, "1" selects dport; the default entry is sport.
var map_dir2Port = { keyvaluepairs: { "0": field("sport"), "1": field("dport") }, "default": field("sport") };
// Shared building blocks (dup0..dup8). Each set_field step names a destination
// under the "nwparser." prefix and a constant or field to store there.
var dup0 = set_field({ dest: "nwparser.messageid", value: constant("CISCOASA_GENERIC") });
var dup1 = set_field({ dest: "nwparser.eventcategory", value: constant("1601000000") });
// HDR applied to the captured "level" field.
var dup2 = call({ dest: "nwparser.level", fn: HDR, args: [field("level")] });
// Hands six captured date/time fields and a format list to date_time.
var dup3 = date_time({ dest: "event_time", args: ["month","day","year","hhour","hmin","hsec"], fmt: [dB,dF,dW,dN,dU,dO] });
var dup4 = set_field({ dest: "nwparser.msg", value: field("$MSG") });
// HDR applied to the captured "messageid" field.
var dup5 = call({ dest: "nwparser.id", fn: HDR, args: [field("messageid")] });
var dup6 = set_field({ dest: "nwparser.eventcategory", value: constant("1501050100") });
var dup7 = set_field({ dest: "nwparser.event_type", value: constant("VPN") });
var dup8 = set_field({ dest: "nwparser.event_description", value: constant("Static Crypto Map check") });
// dup9..dup21: a payload matcher plus category/theme/outcome constants.
// match() steps carry an id string, a dissect tokenizer and the field it reads.
var dup9 = match({ id: "MESSAGE#1042:715077/0", dissect: { tokenizer: "%{->}Group = %{p0->}", field: "nwparser.payload" } });
var dup10 = set_field({ dest: "nwparser.eventcategory", value: constant("1603000000") });
var dup11 = set_field({ dest: "nwparser.ec_theme", value: constant("Encryption") });
var dup12 = set_field({ dest: "nwparser.ec_subject", value: constant("CryptoKey") });
var dup13 = set_field({ dest: "nwparser.ec_activity", value: constant("Modify") });
// NOTE(review): dest is the bare prefix "nwparser." with no field name after it.
// This looks unintended; confirm where the SYSVAL result is supposed to land.
var dup14 = call({ dest: "nwparser.", fn: SYSVAL, args: [field("$MSGID"), field("$ID1")] });
// Captures username from p0 up to the trailing space in the tokenizer.
var dup15 = match({ id: "MESSAGE#192:113015/1", dissect: { tokenizer: "%{username->} ", field: "nwparser.p0" } });
var dup16 = set_field({ dest: "nwparser.eventcategory", value: constant("1301000000") });
var dup17 = set_field({ dest: "nwparser.ec_subject", value: constant("User") });
var dup18 = set_field({ dest: "nwparser.ec_theme", value: constant("Authentication") });
var dup19 = set_field({ dest: "nwparser.ec_outcome", value: constant("Failure") });
var dup20 = set_field({ dest: "nwparser.eventcategory", value: constant("1605000000") });
var dup21 = set_field({ dest: "nwparser.eventcategory", value: constant("1801000000") });
// dup22..dup31: group/username matchers, direction lookup and an IPsec SA matcher.
var dup22 = match({ id: "MESSAGE#872:713066/0", dissect: { tokenizer: "Group = %{group->}, Username = %{p0->}", field: "nwparser.payload" } });
// Quoted username is listed before the unquoted form; alternatives are
// presumably tried in this order (verify linear_select semantics).
// NOTE(review): username is taken from the log line itself. Confirm how the
// dissect step behaves when that value contains the literal delimiter
// " , IP = ", because the remainder (p1) is split off right after it.
var dup23 = linear_select([
    match({ id: "MESSAGE#872:713066/2", dissect: { tokenizer: "'%{username->}' , IP = %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#872:713066/2", dissect: { tokenizer: "%{username->} , IP = %{p1->}", field: "nwparser.p0" } }),
]);
var dup24 = set_field({ dest: "nwparser.eventcategory", value: constant("1204020000") });
// Same six fields as dup3; only the three time specifiers in fmt differ.
var dup25 = date_time({ dest: "event_time", args: ["month","day","year","hhour","hmin","hsec"], fmt: [dB,dF,dW,dH,dT,dS] });
var dup26 = set_field({ dest: "nwparser.eventcategory", value: constant("1001020100") });
// DIRCHK on saddr writes nwparser.inout; dup28/dup29 then look zones up by
// field("inout") (presumably the same value; confirm field resolution).
var dup27 = call({ dest: "nwparser.inout", fn: DIRCHK, args: [field("saddr")] });
var dup28 = lookup({ dest: "nwparser.src_zone", map: map_srcDirName, key: field("inout") });
var dup29 = lookup({ dest: "nwparser.dst_zone", map: map_dstDirName, key: field("inout") });
var dup30 = call({ dest: "nwparser.sigcat", fn: SYSVAL, args: [field("$CATEGORY")] });
var dup31 = match({ id: "MESSAGE#719:602304/0", dissect: { tokenizer: "%{service->}: An %{direction->} SA (SPI= %{fld1->}) between %{saddr->} and %{daddr->} %{p0->}", field: "nwparser.payload" } });
// dup32..dup43: username variants for message 602304, a multi-format date
// step and configuration / network category constants.
// Four spellings of the user part, from most to least specific.
var dup32 = linear_select([
    match({ id: "MESSAGE#719:602304/2", dissect: { tokenizer: "(user=%{username->}) %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#719:602304/2", dissect: { tokenizer: "(%{username->}) %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#719:602304/2", dissect: { tokenizer: "'%{username->}' %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#719:602304/2", dissect: { tokenizer: "%{username->} %{p1->}", field: "nwparser.p0" } }),
]);
// The whole of p1 becomes the action.
var dup33 = match({ id: "MESSAGE#719:602304/2", dissect: { tokenizer: "%{action->}", field: "nwparser.p1" } });
var dup34 = set_field({ dest: "nwparser.eventcategory", value: constant("1801030100") });
// date_times receives a list of candidate formats.
// NOTE(review): the second format has five specifiers (no dW) while args still
// lists six fields; confirm this pairing is what the date helper expects.
var dup35 = date_times({ dest: "event_time", args: ["month","day","year","hhour","hmin","hsec"], fmts: [[dB,dF,dW,dN,dU,dO], [dB,dF,dN,dU,dO]] });
var dup36 = set_field({ dest: "nwparser.eventcategory", value: constant("1801030000") });
var dup37 = set_field({ dest: "nwparser.eventcategory", value: constant("1604000000") });
var dup38 = set_field({ dest: "nwparser.ec_theme", value: constant("Configuration") });
var dup39 = set_field({ dest: "nwparser.ec_subject", value: constant("Configuration") });
var dup40 = set_field({ dest: "nwparser.ec_outcome", value: constant("Success") });
var dup41 = set_field({ dest: "nwparser.eventcategory", value: constant("1801010000") });
var dup42 = set_field({ dest: "nwparser.ec_theme", value: constant("ALM") });
var dup43 = set_field({ dest: "nwparser.ec_subject", value: constant("NetworkComm") });
// dup44..dup56: "Group = ..., IP = ..." matchers and assorted constants.
var dup44 = match({ id: "MESSAGE#921:713194/0", dissect: { tokenizer: "%{->} %{p0->}", field: "nwparser.payload" } });
var dup45 = match({ id: "MESSAGE#921:713194/2", dissect: { tokenizer: "Group = %{group->}, IP = %{saddr->}, %{p1->}", field: "nwparser.p0" } });
var dup46 = match({ id: "MESSAGE#921:713194/2", dissect: { tokenizer: "IP = %{saddr->}, %{p1->}", field: "nwparser.p0" } });
// Same two tokenizers as dup45/dup46, registered under the 715048 id.
var dup47 = linear_select([
    match({ id: "MESSAGE#1020:715048/2", dissect: { tokenizer: "Group = %{group->}, IP = %{saddr->}, %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#1020:715048/2", dissect: { tokenizer: "IP = %{saddr->}, %{p1->}", field: "nwparser.p0" } }),
]);
// The whole of p1 becomes event_description.
var dup48 = match({ id: "MESSAGE#1020:715048/2", dissect: { tokenizer: "%{event_description->}", field: "nwparser.p1" } });
var dup49 = set_field({ dest: "nwparser.eventcategory", value: constant("1603010000") });
var dup50 = set_field({ dest: "nwparser.eventcategory", value: constant("1603040000") });
var dup51 = set_field({ dest: "nwparser.eventcategory", value: constant("1703000000") });
var dup52 = set_field({ dest: "nwparser.eventcategory", value: constant("1001020200") });
var dup53 = match({ id: "MESSAGE#1250:737031/0", dissect: { tokenizer: "%{process->}: %{p0->}", field: "nwparser.payload" } });
// NOTE(review): this select has a single alternative. If a second, empty
// alternative was intended (lines without "Session=..."), such lines would
// presumably fail to parse here; check against sample logs.
var dup54 = linear_select([
    match({ id: "MESSAGE#1250:737031/2", dissect: { tokenizer: "Session=%{sessionid->}, %{p1->}", field: "nwparser.p0" } }),
]);
var dup55 = set_field({ dest: "nwparser.eventcategory", value: constant("1801010100") });
var dup56 = set_field({ dest: "nwparser.service", value: constant("IPSEC") });
// dup57..dup69: application/user matchers and access-control constants.
// The tokenizer splits on a literal double quote followed by ", ".
var dup57 = match({ id: "MESSAGE#700:505015/1", dissect: { tokenizer: "%{application->}\", %{info->}", field: "nwparser.p0" } });
var dup58 = set_field({ dest: "nwparser.eventcategory", value: constant("1605020000") });
var dup59 = set_field({ dest: "nwparser.eventcategory", value: constant("1701060000") });
var dup60 = set_field({ dest: "nwparser.ec_activity", value: constant("Enable") });
// Quoted username first, then the bare form.
var dup61 = linear_select([
    match({ id: "MESSAGE#128:109007/2", dissect: { tokenizer: "'%{username->}' from %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#128:109007/2", dissect: { tokenizer: "%{username->} from %{p1->}", field: "nwparser.p0" } }),
]);
// Source and destination address/port pairs plus the interface name.
var dup62 = match({ id: "MESSAGE#128:109007/2", dissect: { tokenizer: "%{saddr->}/%{sport->} to %{daddr->}/%{dport->} on interface %{interface->}", field: "nwparser.p1" } });
var dup63 = set_field({ dest: "nwparser.eventcategory", value: constant("1401060000") });
var dup64 = set_field({ dest: "nwparser.ec_activity", value: constant("Permit") });
var dup65 = set_field({ dest: "nwparser.ec_theme", value: constant("AccessControl") });
// username followed by " @"; quoted form first.
var dup66 = linear_select([
    match({ id: "MESSAGE#351:304001/2", dissect: { tokenizer: "'%{username->}' @%{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#351:304001/2", dissect: { tokenizer: "%{username->} @%{p1->}", field: "nwparser.p0" } }),
]);
var dup67 = set_field({ dest: "nwparser.eventcategory", value: constant("1204010000") });
var dup68 = set_field({ dest: "nwparser.event_description", value: constant("Accessed") });
var dup69 = set_field({ dest: "nwparser.protocol", value: constant("HTTP") });
// dup70..dup73 call URL with a selector ($DOMAIN, $ROOT, $PAGE, $QUERY) and the
// captured "url" field, storing each result in its own urlXXX destination.
// The url value originates in the logged request, so downstream consumers
// should treat these parts as untrusted text.
var dup70 = call({ dest: "nwparser.urldomain", fn: URL, args: [field("$DOMAIN"), field("url")] });
var dup71 = call({ dest: "nwparser.urlroot", fn: URL, args: [field("$ROOT"), field("url")] });
var dup72 = call({ dest: "nwparser.urlpage", fn: URL, args: [field("$PAGE"), field("url")] });
var dup73 = call({ dest: "nwparser.urlquery", fn: URL, args: [field("$QUERY"), field("url")] });
// Event category constants.
var dup74 = set_field({ dest: "nwparser.eventcategory", value: constant("1001020300") });
var dup75 = set_field({ dest: "nwparser.eventcategory", value: constant("1603110000") });
var dup76 = set_field({ dest: "nwparser.eventcategory", value: constant("1001030300") });
// dup77..dup87: WebVPN-style "Group <..> User <..> IP <..>" matchers, SPI
// matchers and category constants. The \u003c escapes are kept exactly as given.
var dup77 = match({ id: "MESSAGE#1046:716002/0", dissect: { tokenizer: "Group \u003c\u003c%{group->}> User %{p0->}", field: "nwparser.payload" } });
// Bracketed, quoted and bare username forms, in that order.
var dup78 = linear_select([
    match({ id: "MESSAGE#1046:716002/2", dissect: { tokenizer: "\u003c\u003c%{username->}> IP \u003c\u003c%{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#1046:716002/2", dissect: { tokenizer: "'%{username->}' IP \u003c\u003c%{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#1046:716002/2", dissect: { tokenizer: "%{username->} IP \u003c\u003c%{p1->}", field: "nwparser.p0" } }),
]);
var dup79 = match({ id: "MESSAGE#992:715006/0", dissect: { tokenizer: "Group = %{group->}, %{p0->}", field: "nwparser.payload" } });
// Username is optional: the last alternative accepts a line with only the IP.
var dup80 = linear_select([
    match({ id: "MESSAGE#992:715006/2", dissect: { tokenizer: "Username = '%{username->}', IP = %{saddr->}, %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#992:715006/2", dissect: { tokenizer: "Username = %{username->}, IP = %{saddr->}, %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#992:715006/2", dissect: { tokenizer: "IP = %{saddr->}, %{p1->}", field: "nwparser.p0" } }),
]);
var dup81 = match({ id: "MESSAGE#992:715006/2", dissect: { tokenizer: "%{action->}: SPI = %{dst_spi->}", field: "nwparser.p1" } });
var dup82 = set_field({ dest: "nwparser.eventcategory", value: constant("1801020100") });
var dup83 = set_field({ dest: "nwparser.eventcategory", value: constant("1304000000") });
var dup84 = set_field({ dest: "nwparser.eventcategory", value: constant("1401050200") });
var dup85 = set_field({ dest: "nwparser.eventcategory", value: constant("1002000000") });
var dup86 = set_field({ dest: "nwparser.eventcategory", value: constant("1303000000") });
var dup87 = set_field({ dest: "nwparser.ec_outcome", value: constant("Error") });
// dup88..dup103: ISAKMP / TLS / ACL matchers with their fixed descriptions.
var dup88 = match({ id: "MESSAGE#804:702201:01/0", dissect: { tokenizer: "ISAKMP Phase 1 delete%{p0->}", field: "nwparser.payload" } });
// NOTE(review): only one alternative ("d..."). dup88 stops after "delete", so
// this accepts "deleted..." but presumably not "delete received" unless an
// empty alternative exists elsewhere; confirm against sample logs, since an
// unmatched line would not receive the fields set for this message.
var dup89 = linear_select([
    match({ id: "MESSAGE#804:702201:01/2", dissect: { tokenizer: "d%{p1->}", field: "nwparser.p0" } }),
]);
var dup90 = set_field({ dest: "nwparser.event_description", value: constant("Phase 1 delete received") });
var dup91 = set_field({ dest: "nwparser.event_description", value: constant("Remote peer has failed user authentication") });
// p0 must start with "server" or "client".
var dup92 = linear_select([
    match({ id: "MESSAGE#1196:725009:01/2", dissect: { tokenizer: "server%{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#1196:725009:01/2", dissect: { tokenizer: "client%{p1->}", field: "nwparser.p0" } }),
]);
var dup93 = set_field({ dest: "nwparser.event_description", value: constant("Device proposes cipher(s)") });
var dup94 = set_field({ dest: "nwparser.eventcategory", value: constant("1805020000") });
var dup95 = set_field({ dest: "nwparser.eventcategory", value: constant("1805000000") });
var dup96 = match({ id: "MESSAGE#143:109019/0", dissect: { tokenizer: "Downloaded ACL %{p0->}", field: "nwparser.payload" } });
// The whole of p1 becomes info.
var dup97 = match({ id: "MESSAGE#143:109019/2", dissect: { tokenizer: "%{info->}", field: "nwparser.p1" } });
var dup98 = set_field({ dest: "nwparser.eventcategory", value: constant("1501040000") });
var dup99 = set_field({ dest: "nwparser.ec_activity", value: constant("Deny") });
var dup100 = set_field({ dest: "nwparser.event_description", value: constant("Authorization denied") });
var dup101 = set_field({ dest: "nwparser.eventcategory", value: constant("1803010000") });
var dup102 = set_field({ dest: "nwparser.ec_theme", value: constant("Communication") });
var dup103 = set_field({ dest: "nwparser.event_description", value: constant("session limit exceeded") });
// dup104..dup117: logon/translation constants and prefix-completion selects.
// username followed by " at "; quoted form first.
var dup104 = linear_select([
    match({ id: "MESSAGE#170:111006/2", dissect: { tokenizer: "'%{username->}' at %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#170:111006/2", dissect: { tokenizer: "%{username->} at %{p1->}", field: "nwparser.p0" } }),
]);
var dup105 = set_field({ dest: "nwparser.eventcategory", value: constant("1401050100") });
var dup106 = set_field({ dest: "nwparser.ec_activity", value: constant("Logon") });
var dup107 = set_field({ dest: "nwparser.eventcategory", value: constant("1701030000") });
var dup108 = set_field({ dest: "nwparser.ec_activity", value: constant("Delete") });
var dup109 = set_field({ dest: "nwparser.eventcategory", value: constant("1103000000") });
var dup110 = set_field({ dest: "nwparser.event_description", value: constant("No translation group found") });
var dup111 = set_field({ dest: "nwparser.protocol", value: constant("icmp") });
var dup112 = set_field({ dest: "nwparser.event_description", value: constant("Web Cache acquired") });
var dup113 = set_field({ dest: "nwparser.eventcategory", value: constant("1002020000") });
var dup114 = match({ id: "MESSAGE#291:302012/0", dissect: { tokenizer: "%{->}Pre%{p0->}", field: "nwparser.payload" } });
// NOTE(review): single alternative ("-..."). After dup114 consumes "Pre", only
// a hyphenated continuation matches; if an unhyphenated spelling also occurs,
// an empty alternative may be missing; confirm against sample logs.
var dup115 = linear_select([
    match({ id: "MESSAGE#291:302012/2", dissect: { tokenizer: "-%{p1->}", field: "nwparser.p0" } }),
]);
var dup116 = set_field({ dest: "nwparser.event_description", value: constant("Connection pre-allocated") });
// p0 must continue with "ed" or "ure".
var dup117 = linear_select([
    match({ id: "MESSAGE#751:610101/2", dissect: { tokenizer: "ed%{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#751:610101/2", dissect: { tokenizer: "ure%{p1->}", field: "nwparser.p0" } }),
]);
// dup118..dup127: the multi-stage parse of message 405102. Each stage reads the
// remainder field written by the previous one (p2 -> p3 -> ... -> p7).
var dup118 = match({ id: "MESSAGE#591:405102/0", dissect: { tokenizer: "Unable to Pre%{p0->}", field: "nwparser.payload" } });
var dup119 = linear_select([
    match({ id: "MESSAGE#591:405102/4", dissect: { tokenizer: "oreign_address%{p3->}", field: "nwparser.p2" } }),
    match({ id: "MESSAGE#591:405102/4", dissect: { tokenizer: "addr%{p3->}", field: "nwparser.p2" } }),
]);
var dup120 = match({ id: "MESSAGE#591:405102/4", dissect: { tokenizer: "%{->} %{p4->}", field: "nwparser.p3" } });
// Source address with or without a "/port" suffix.
var dup121 = linear_select([
    match({ id: "MESSAGE#591:405102/6", dissect: { tokenizer: "%{saddr->}/%{sport->} to l%{p5->}", field: "nwparser.p4" } }),
    match({ id: "MESSAGE#591:405102/6", dissect: { tokenizer: "%{saddr->} to l%{p5->}", field: "nwparser.p4" } }),
]);
var dup122 = linear_select([
    match({ id: "MESSAGE#591:405102/7", dissect: { tokenizer: "ocal_address%{p6->}", field: "nwparser.p5" } }),
    match({ id: "MESSAGE#591:405102/7", dissect: { tokenizer: "addr%{p6->}", field: "nwparser.p5" } }),
]);
var dup123 = match({ id: "MESSAGE#591:405102/7", dissect: { tokenizer: "%{->} %{p7->}", field: "nwparser.p6" } });
// Destination address with or without a "/port" suffix.
var dup124 = linear_select([
    match({ id: "MESSAGE#591:405102/8", dissect: { tokenizer: "%{daddr->}/%{dport->} ", field: "nwparser.p7" } }),
    match({ id: "MESSAGE#591:405102/8", dissect: { tokenizer: "%{daddr->} ", field: "nwparser.p7" } }),
]);
var dup125 = set_field({ dest: "nwparser.event_description", value: constant("Unable to create new connection") });
var dup126 = set_field({ dest: "nwparser.eventcategory", value: constant("1501000000") });
var dup127 = set_field({ dest: "nwparser.event_description", value: constant("NAT configured") });
// dup128..dup144: ISAKMP session, configuration-end and 713903 matchers.
var dup128 = match({ id: "MESSAGE#712:602202:01/0", dissect: { tokenizer: "ISAKMP session connect%{p0->}", field: "nwparser.payload" } });
// NOTE(review): single alternative ("ed..."). If the message can also read
// "connect" without the suffix, an empty alternative may be missing; confirm.
var dup129 = linear_select([
    match({ id: "MESSAGE#712:602202:01/2", dissect: { tokenizer: "ed%{p1->}", field: "nwparser.p0" } }),
]);
// Responder form: the local address is stored as daddr, the remote as saddr.
var dup130 = match({ id: "MESSAGE#712:602202:01/2", dissect: { tokenizer: "%{->}(local %{daddr->} (responder), remote %{saddr->})", field: "nwparser.p1" } });
var dup131 = set_field({ dest: "nwparser.event_description", value: constant("ISAKMP session connected") });
// Initiator form: the local address is stored as saddr, the remote as daddr.
var dup132 = match({ id: "MESSAGE#713:602202/2", dissect: { tokenizer: "%{->}(local %{saddr->} (initiator), remote %{daddr->})", field: "nwparser.p1" } });
var dup133 = set_field({ dest: "nwparser.ec_subject", value: constant("Message") });
var dup134 = set_field({ dest: "nwparser.ec_activity", value: constant("Receive") });
// "Console"/"console" literals come before the generic hostip capture.
var dup135 = linear_select([
    match({ id: "MESSAGE#168:111004/2", dissect: { tokenizer: "Console end configuration: %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#168:111004/2", dissect: { tokenizer: "console end configuration: %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#168:111004/2", dissect: { tokenizer: "%{hostip->} end configuration: %{p1->}", field: "nwparser.p0" } }),
]);
var dup136 = match({ id: "MESSAGE#168:111004/2", dissect: { tokenizer: "%{disposition->}", field: "nwparser.p1" } });
var dup137 = set_field({ dest: "nwparser.ec_activity", value: constant("Stop") });
var dup138 = match({ id: "MESSAGE#960:713903/2", dissect: { tokenizer: "%{saddr->} , %{action->}", field: "nwparser.p1" } });
// Quoted and unquoted username forms for 713903:01, kept as separate steps.
var dup139 = match({ id: "MESSAGE#961:713903:01/2", dissect: { tokenizer: "Username = '%{username->}' , IP = %{p1->}", field: "nwparser.p0" } });
var dup140 = match({ id: "MESSAGE#961:713903:01/2", dissect: { tokenizer: "Username = %{username->} , IP = %{p1->}", field: "nwparser.p0" } });
var dup141 = match({ id: "MESSAGE#963:713903:03/0", dissect: { tokenizer: "%{->} %{event_description->}", field: "nwparser.payload" } });
var dup142 = set_field({ dest: "nwparser.eventcategory", value: constant("1802000000") });
var dup143 = set_field({ dest: "nwparser.ec_activity", value: constant("Logoff") });
var dup144 = set_field({ dest: "nwparser.result", value: constant("Succeeded") });
// dup145..dup156: connection teardown (302016 family) matchers.
// A bare constant, not wrapped in set_field; the destination is chosen by its user.
var dup145 = constant("Failed");
var dup146 = match({ id: "MESSAGE#313:302016:05/0", dissect: { tokenizer: "Teardown %{protocol->} connection %{connectionid->} for %{sinterface->}:%{p0->}", field: "nwparser.payload" } });
// First alternative also captures a "(domain\user)" suffix after the port;
// the tokenizer contains a literal backslash.
var dup147 = linear_select([
    match({ id: "MESSAGE#313:302016:05/2", dissect: { tokenizer: "%{saddr->}/%{sport->}(%{sdomain->}\\%{fld7->}) to %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#313:302016:05/2", dissect: { tokenizer: "%{saddr->}/%{sport->} to %{p1->}", field: "nwparser.p0" } }),
]);
// DUR receives the pattern "%N:%U:%O" and the captured duration field.
var dup148 = call({ dest: "nwparser.duration", fn: DUR, args: [constant("%N:%U:%O"), field("duration")] });
var dup149 = set_field({ dest: "nwparser.event_description", value: constant("teardown connection") });
// Byte count, optionally followed by a username in parentheses.
var dup150 = linear_select([
    match({ id: "MESSAGE#314:302016:07/1", dissect: { tokenizer: "%{bytes->} (%{username->})", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#314:302016:07/1", dissect: { tokenizer: "%{bytes->}", field: "nwparser.p0" } }),
]);
var dup151 = linear_select([
    match({ id: "MESSAGE#316:302016:06/2", dissect: { tokenizer: "%{saddr->}/%{sport->}(%{sdomain->}\\%{fld5->}) to %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#316:302016:06/2", dissect: { tokenizer: "%{saddr->}/%{sport->} to %{p1->}", field: "nwparser.p0" } }),
]);
var dup152 = match({ id: "MESSAGE#316:302016:06/2", dissect: { tokenizer: "%{dinterface->}:%{p2->}", field: "nwparser.p1" } });
// Destination side with a "(domain\user)" suffix; the user lands in c_username.
var dup153 = match({ id: "MESSAGE#316:302016:06/4", dissect: { tokenizer: "%{daddr->}/%{dport->}(%{ddomain->}\\%{c_username->}) duration %{p3->}", field: "nwparser.p2" } });
var dup154 = match({ id: "MESSAGE#317:302016/4", dissect: { tokenizer: "%{daddr->}/%{dport->} duration %{p3->}", field: "nwparser.p2" } });
var dup155 = match({ id: "MESSAGE#318:302016:01/2", dissect: { tokenizer: "%{saddr->}/%{sport->}(%{sdomain->}\\%{fld5->}) to %{p1->}", field: "nwparser.p0" } });
var dup156 = match({ id: "MESSAGE#318:302016:01/2", dissect: { tokenizer: "%{saddr->}/%{sport->} to %{p1->}", field: "nwparser.p0" } });
// dup157..dup176: SVC session, shun, secure-desktop and 713905 matchers plus
// category, activity and result constants.
var dup157 = set_field({ dest: "nwparser.eventcategory", value: constant("1701000000") });
var dup158 = match({ id: "MESSAGE#1165:722029/2", dissect: { tokenizer: "%{saddr->}> SVC Session Termination:%{info->}", field: "nwparser.p1" } });
var dup159 = set_field({ dest: "nwparser.event_description", value: constant("SVC Session Termination") });
var dup160 = set_field({ dest: "nwparser.eventcategory", value: constant("1613030100") });
var dup161 = set_field({ dest: "nwparser.eventcategory", value: constant("1702030000") });
var dup162 = match({ id: "MESSAGE#550:401002/0", dissect: { tokenizer: "%{->}Shun%{p0->}", field: "nwparser.payload" } });
var dup163 = set_field({ dest: "nwparser.eventcategory", value: constant("1701010000") });
var dup164 = set_field({ dest: "nwparser.ec_activity", value: constant("Create") });
var dup165 = set_field({ dest: "nwparser.eventcategory", value: constant("1603020000") });
var dup166 = set_field({ dest: "nwparser.eventcategory", value: constant("1701020000") });
var dup167 = set_field({ dest: "nwparser.disposition", value: constant("Failed") });
var dup168 = match({ id: "MESSAGE#1184:724004/2", dissect: { tokenizer: "%{hostip->}> Secure Desktop Results: %{info->}", field: "nwparser.p1" } });
var dup169 = set_field({ dest: "nwparser.eventcategory", value: constant("1704010000") });
var dup170 = set_field({ dest: "nwparser.protocol", value: constant("UDP") });
var dup171 = set_field({ dest: "nwparser.eventcategory", value: constant("1401030000") });
var dup172 = set_field({ dest: "nwparser.event_description", value: constant("login session failure") });
// The whole of p1 becomes result.
var dup173 = match({ id: "MESSAGE#1024:715052/2", dissect: { tokenizer: "%{result->}", field: "nwparser.p1" } });
var dup174 = match({ id: "MESSAGE#971:713905/2", dissect: { tokenizer: "%{saddr->}, %{event_description->}", field: "nwparser.p1" } });
// Group is optional; note the space before the comma after the address.
var dup175 = linear_select([
    match({ id: "MESSAGE#972:713905:01/2", dissect: { tokenizer: "Group = %{group->}, IP = %{saddr->} , %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#972:713905:01/2", dissect: { tokenizer: "IP = %{saddr->} , %{p1->}", field: "nwparser.p0" } }),
]);
var dup176 = match({ id: "MESSAGE#974:713905:03/0", dissect: { tokenizer: "Username = %{p0->}", field: "nwparser.payload" } });
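// Fixed description for embryonic-connection-limit events.
// The value was previously spelled "Embyonic", so a search or detection rule
// keyed on the word "Embryonic" would not find these events. Saved searches
// that matched the old spelling need the same correction.
var dup177 = set_field({
    dest: "nwparser.event_description",
    value: constant("Embryonic connection limit exceeded"),
});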
// dup178..dup187: authorization-denied, WebVPN group/user and login matchers.
var dup178 = set_field({ dest: "nwparser.ec_outcome", value: constant("Unknown") });
var dup179 = match({ id: "MESSAGE#150:109025/0", dissect: { tokenizer: "Authorization denied (acl=%{listnum->}) for user %{p0->}", field: "nwparser.payload" } });
var dup180 = set_field({ dest: "nwparser.eventcategory", value: constant("1803000000") });
// Same shape as the 716002 matcher but with spaces inside the brackets.
var dup181 = match({ id: "MESSAGE#1172:722037/0", dissect: { tokenizer: "Group \u003c\u003c %{group->} > User %{p0->}", field: "nwparser.payload" } });
// Bracketed, quoted and bare username forms, in that order.
var dup182 = linear_select([
    match({ id: "MESSAGE#1172:722037/2", dissect: { tokenizer: "\u003c\u003c%{username->}> IP \u003c\u003c %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#1172:722037/2", dissect: { tokenizer: "'%{username->}' IP \u003c\u003c %{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#1172:722037/2", dissect: { tokenizer: "%{username->} IP \u003c\u003c %{p1->}", field: "nwparser.p0" } }),
]);
var dup183 = match({ id: "MESSAGE#475:338005/0", dissect: { tokenizer: "Dynamic %{p0->}", field: "nwparser.payload" } });
// Accepts an upper- or lower-case "f" as the next character.
var dup184 = linear_select([
    match({ id: "MESSAGE#475:338005/2", dissect: { tokenizer: "F%{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#475:338005/2", dissect: { tokenizer: "f%{p1->}", field: "nwparser.p0" } }),
]);
var dup185 = set_field({ dest: "nwparser.event_description", value: constant("translation creation failed") });
var dup186 = set_field({ dest: "nwparser.eventcategory", value: constant("1608000000") });
// Username in double quotes, single quotes, or bare, each followed by a space.
var dup187 = linear_select([
    match({ id: "MESSAGE#736:605004/1", dissect: { tokenizer: "\"%{username->}\" ", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#736:605004/1", dissect: { tokenizer: "'%{username->}' ", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#736:605004/1", dissect: { tokenizer: "%{username->} ", field: "nwparser.p0" } }),
]);
var dup188 = constant("Login denied"); | |
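// Fragments whose ids reference message 721016, followed by shared constant
// setters for result, direction, event_description and eventcategory.
// dup189 captures the text inside "(WebVPN-...)" as context and the words
// before " user " as event_description; the remainder goes to p0.
var dup189 = match({
	id: "MESSAGE#1151:721016/0",
	dissect: {
		tokenizer: "(WebVPN-%{context->}) %{event_description->} user %{p0->}",
		field: "nwparser.payload",
	},
});

// Username followed by " , IP "; the single-quoted form is listed before the
// bare form. The username comes from the logged session and should be treated
// as untrusted text by anything that renders or queries it.
var dup190 = linear_select([
	match({
		id: "MESSAGE#1151:721016/2",
		dissect: {
			tokenizer: "'%{username->}' , IP %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#1151:721016/2",
		dissect: {
			tokenizer: "%{username->} , IP %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

var dup191 = set_field({
	dest: "nwparser.result",
	value: constant("Authorization denied"),
});

var dup192 = set_field({
	dest: "nwparser.direction",
	value: constant("inbound"),
});

var dup193 = set_field({
	dest: "nwparser.event_description",
	value: constant("build connection"),
});

var dup194 = set_field({
	dest: "nwparser.direction",
	value: constant("outbound"),
});

// Opaque numeric category code; its meaning is not defined in this part of the file.
var dup195 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1603050000"),
});

var dup196 = set_field({
	dest: "nwparser.event_description",
	value: constant("connection denied"),
});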
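// Staged fragments whose ids reference message 106102. Each stage reads the
// remainder left by the previous one: p0 -> p1 -> p2 -> p3 -> p4 -> p5.
// How the stages are chained into a rule is outside this part of the file.

// Protocol, optionally followed by "for user '<name>'".
var dup197 = linear_select([
	match({
		id: "MESSAGE#104:106102:02/2",
		dissect: {
			tokenizer: "%{protocol->} for user '%{username->}' %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#104:106102:02/2",
		dissect: {
			tokenizer: "%{protocol->} %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Source interface, up to the "/" separator.
var dup198 = match({
	id: "MESSAGE#104:106102:02/2",
	dissect: {
		tokenizer: "%{sinterface->}/%{p2->}",
		field: "nwparser.p1",
	},
});

// Source address and port, written either as "addr(port) -> " or as
// space-separated "addr port ".
var dup199 = linear_select([
	match({
		id: "MESSAGE#104:106102:02/4",
		dissect: {
			tokenizer: "%{saddr->}(%{sport->}) -> %{p3->}",
			field: "nwparser.p2",
		},
	}),
	match({
		id: "MESSAGE#104:106102:02/4",
		dissect: {
			tokenizer: "%{saddr->} %{sport->} %{p3->}",
			field: "nwparser.p2",
		},
	}),
]);

// Destination interface, up to the "/" separator.
var dup200 = match({
	id: "MESSAGE#104:106102:02/4",
	dissect: {
		tokenizer: "%{dinterface->}/%{p4->}",
		field: "nwparser.p3",
	},
});

// Destination address and port in the same two notations, terminated by the
// literal "hit-cnt".
var dup201 = linear_select([
	match({
		id: "MESSAGE#104:106102:02/6",
		dissect: {
			tokenizer: "%{daddr->}(%{dport->}) hit-cnt %{p5->}",
			field: "nwparser.p4",
		},
	}),
	match({
		id: "MESSAGE#104:106102:02/6",
		dissect: {
			tokenizer: "%{daddr->} %{dport->} hit-cnt %{p5->}",
			field: "nwparser.p4",
		},
	}),
]);

// The value after "hit-cnt" goes to dclass_counter1; everything after the
// next space goes to info.
var dup202 = match({
	id: "MESSAGE#104:106102:02/6",
	dissect: {
		tokenizer: "%{dclass_counter1->} %{info->}",
		field: "nwparser.p5",
	},
});

// Labels dclass_counter1 as a hit count.
var dup203 = set_field({
	dest: "nwparser.dclass_counter1_string",
	value: constant("HitCount"),
});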
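// Shared constant setters, then three stand-alone matchers whose ids
// reference message 715065. The eventcategory values are opaque numeric
// codes; their meaning is not defined in this part of the file.
var dup204 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1801020000"),
});

var dup205 = set_field({
	dest: "nwparser.result",
	value: constant("Freeing local pool address"),
});

var dup206 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1001030305"),
});

var dup207 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1606000000"),
});

// Three prefix variants of the same stage ("Group = ", "Username = ",
// "IP = " only). They are declared separately rather than inside a
// linear_select here; how callers combine them is not visible in this part.
var dup208 = match({
	id: "MESSAGE#1037:715065/2",
	dissect: {
		tokenizer: "Group = %{group->}, IP = %{saddr->} , %{p1->}",
		field: "nwparser.p0",
	},
});

var dup209 = match({
	id: "MESSAGE#1037:715065/2",
	dissect: {
		tokenizer: "Username = %{username->}, IP = %{saddr->} , %{p1->}",
		field: "nwparser.p0",
	},
});

var dup210 = match({
	id: "MESSAGE#1037:715065/2",
	dissect: {
		tokenizer: "IP = %{saddr->} , %{p1->}",
		field: "nwparser.p0",
	},
});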
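// Fragments whose ids reference messages 734003 and 338004.

// Process name before ": User "; the rest of the payload goes to p0.
var dup211 = match({
	id: "MESSAGE#1216:734003:01/0",
	dissect: {
		tokenizer: "%{process->}: User %{p0->}",
		field: "nwparser.payload",
	},
});

// Username followed by " , Addr "; quoted form first, bare form second.
// The name is session-supplied text and should be treated as untrusted.
var dup212 = linear_select([
	match({
		id: "MESSAGE#1216:734003:01/2",
		dissect: {
			tokenizer: "'%{username->}' , Addr %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#1216:734003:01/2",
		dissect: {
			tokenizer: "%{username->} , Addr %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Matches the tail "ilter "; presumably an earlier stage has already consumed
// the leading "F"/"f" (confirm against the rule that uses dup213).
var dup213 = match({
	id: "MESSAGE#474:338004/2",
	dissect: {
		tokenizer: "ilter %{p2->}",
		field: "nwparser.p1",
	},
});

// Matches the word stems "permitt" or "monitor" and passes the rest on in p3.
var dup214 = linear_select([
	match({
		id: "MESSAGE#474:338004/4",
		dissect: {
			tokenizer: "permitt%{p3->}",
			field: "nwparser.p2",
		},
	}),
	match({
		id: "MESSAGE#474:338004/4",
		dissect: {
			tokenizer: "monitor%{p3->}",
			field: "nwparser.p2",
		},
	}),
]);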
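// Fragments whose ids reference messages 502102 and 602101, plus one
// ec_theme setter.

// Username followed by " Priv: "; quoted form first, bare form second.
var dup215 = linear_select([
	match({
		id: "MESSAGE#681:502102/2",
		dissect: {
			tokenizer: "'%{username->}' Priv: %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#681:502102/2",
		dissect: {
			tokenizer: "%{username->} Priv: %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// fld1 receives the value after "Priv: " and fld2 receives whatever follows
// "Encpass: " in the device message.
// NOTE(review): "Encpass" looks like credential material (presumably the
// encrypted or hashed form of the account password; confirm against the
// device documentation). Check that fld2 is dropped or masked before the
// event is indexed, or that access to the resulting field is restricted.
var dup216 = match({
	id: "MESSAGE#681:502102/2",
	dissect: {
		tokenizer: "%{fld1->} Encpass: %{fld2->}",
		field: "nwparser.p1",
	},
});

var dup217 = set_field({
	dest: "nwparser.ec_theme",
	value: constant("UserGroup"),
});

// Consumes a single literal "s" and passes the rest on in p1.
var dup218 = match({
	id: "MESSAGE#706:602101/2",
	dissect: {
		tokenizer: "s%{p1->}",
		field: "nwparser.p0",
	},
});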
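// Fragments whose ids reference the 302013 message family ("Built inbound"
// and "Built outbound" connection records), followed by one eventcategory
// setter.

// Inbound form: protocol, connection id, source interface/address/port and
// the translated source address; parsing continues in p0 at the translated port.
var dup219 = match({
	id: "MESSAGE#293:302013/0",
	dissect: {
		tokenizer: "Built inbound %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{p0->}",
		field: "nwparser.payload",
	},
});

// Translated source port, optionally followed by "(domain\name)".
// NOTE(review): in the first alternative the text after the backslash is
// stored in fld3, whereas dup225 stores the same position in username. Unless
// fld3 is mapped later (not visible here), searches on username may miss
// events parsed by this alternative.
var dup220 = linear_select([
	match({
		id: "MESSAGE#293:302013/2",
		dissect: {
			tokenizer: "%{stransport->})(%{domain->}\\%{fld3->})%{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#293:302013/2",
		dissect: {
			tokenizer: "%{stransport->}) %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Outbound form. The first endpoint in the message is stored in the d*
// fields and the endpoint after " to " in the s* fields.
var dup221 = match({
	id: "MESSAGE#294:302013:01/0",
	dissect: {
		tokenizer: "Built outbound %{protocol->} connection %{connectionid->} for %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}) to %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) %{p0->}",
		field: "nwparser.payload",
	},
});

// Username wrapped either in single quotes or in parentheses.
var dup222 = linear_select([
	match({
		id: "MESSAGE#294:302013:01/2",
		dissect: {
			tokenizer: "'%{username->}'%{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#294:302013:01/2",
		dissect: {
			tokenizer: "(%{username->})%{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Unnamed capture followed by a space: the matched text is presumably
// discarded rather than stored (confirm against the tokenizer implementation).
var dup223 = match({
	id: "MESSAGE#294:302013:01/2",
	dissect: {
		tokenizer: "%{->} ",
		field: "nwparser.p1",
	},
});

var dup224 = match({
	id: "MESSAGE#295:302013:02/2",
	dissect: {
		tokenizer: "%{stransport->}) %{p1->}",
		field: "nwparser.p0",
	},
});

// Translated destination address/port with a trailing "(domain\username)".
var dup225 = match({
	id: "MESSAGE#299:302013:06/2",
	dissect: {
		tokenizer: "%{dtransaddr->}/%{dtransport->})(%{domain->}\\%{username->}) to %{p1->}",
		field: "nwparser.p0",
	},
});

// Same position without the identity suffix.
var dup226 = match({
	id: "MESSAGE#299:302013:06/2",
	dissect: {
		tokenizer: "%{dtransaddr->}/%{dtransport->}) to %{p1->}",
		field: "nwparser.p0",
	},
});

// Source interface and address; the first alternative allows one extra
// colon-separated element (fld2) between them.
var dup227 = linear_select([
	match({
		id: "MESSAGE#299:302013:06/3",
		dissect: {
			tokenizer: "%{sinterface->}:%{fld2->}:%{saddr->}/%{p2->}",
			field: "nwparser.p1",
		},
	}),
	match({
		id: "MESSAGE#299:302013:06/3",
		dissect: {
			tokenizer: "%{sinterface->}:%{saddr->}/%{p2->}",
			field: "nwparser.p1",
		},
	}),
]);

var dup228 = match({
	id: "MESSAGE#299:302013:06/3",
	dissect: {
		tokenizer: "%{sport->} (%{stransaddr->}/%{stransport->})",
		field: "nwparser.p2",
	},
});

// Opaque numeric category code; its meaning is not defined in this part of the file.
var dup229 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1805010000"),
});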
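// Mixed shared fragments: one matcher whose id references 338202, four
// constant setters, and two single-character matchers (603107, 109027).

// Matches the tail "ilter "; presumably the leading letter is consumed by an
// earlier stage (confirm against the rule that uses dup230).
var dup230 = match({
	id: "MESSAGE#484:338202/2",
	dissect: {
		tokenizer: "ilter %{p2->}",
		field: "nwparser.p1",
	},
});

var dup231 = set_field({
	dest: "nwparser.event_description",
	value: constant("IKE lost contact with remote peer deleting connection"),
});

var dup232 = set_field({
	dest: "nwparser.event_description",
	value: constant("IKE Initiator New/Rekeying Phase"),
});

// NOTE(review): the constant ends with a trailing space. It is kept as is
// because exact-match queries written against existing data would depend on it.
var dup233 = set_field({
	dest: "nwparser.result",
	value: constant("Local pool request succeeded "),
});

var dup234 = set_field({
	dest: "nwparser.event_description",
	value: constant("Built translation"),
});

// linear_select with a single alternative: a literal comma, rest to p1.
var dup235 = linear_select([
	match({
		id: "MESSAGE#726:603107/2",
		dissect: {
			tokenizer: ",%{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Consumes a single literal "i" and passes the rest on in p1.
var dup236 = match({
	id: "MESSAGE#152:109027/2",
	dissect: {
		tokenizer: "i%{p1->}",
		field: "nwparser.p0",
	},
});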
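// Two username extractors (ids reference 109027 and 113012) and two constant
// setters. In both extractors the single-quoted form is listed before the
// bare form; the name is session-supplied text and should be treated as
// untrusted by downstream consumers.

// Reads from p2.
var dup237 = linear_select([
	match({
		id: "MESSAGE#152:109027/3",
		dissect: {
			tokenizer: "'%{username->}' ",
			field: "nwparser.p2",
		},
	}),
	match({
		id: "MESSAGE#152:109027/3",
		dissect: {
			tokenizer: "%{username->} ",
			field: "nwparser.p2",
		},
	}),
]);

// Same patterns, reading from p0.
var dup238 = linear_select([
	match({
		id: "MESSAGE#189:113012/1",
		dissect: {
			tokenizer: "'%{username->}' ",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#189:113012/1",
		dissect: {
			tokenizer: "%{username->} ",
			field: "nwparser.p0",
		},
	}),
]);

// Opaque numeric category code; its meaning is not defined in this part of the file.
var dup239 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1001030200"),
});

var dup240 = set_field({
	dest: "nwparser.event_description",
	value: constant("FTP connection terminated"),
});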
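// Fragments whose ids reference messages 715059 and 713024, plus two
// constant setters.

// Source address, then the remaining text as action.
var dup241 = match({
	id: "MESSAGE#1031:715059/2",
	dissect: {
		tokenizer: "%{saddr->}, %{action->}",
		field: "nwparser.p1",
	},
});

// Group, optional username (quoted, then bare) and source address. The
// alternative without a username is last; the ordering matters if
// linear_select tries alternatives top to bottom (confirm against its definition).
var dup242 = linear_select([
	match({
		id: "MESSAGE#855:713024/2",
		dissect: {
			tokenizer: "%{group->}, Username = '%{username->}', IP = %{saddr->} , %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#855:713024/2",
		dissect: {
			tokenizer: "%{group->}, Username = %{username->}, IP = %{saddr->} , %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#855:713024/2",
		dissect: {
			tokenizer: "%{group->}, IP = %{saddr->} , %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Splits the remainder at the first ":" into action and info.
var dup243 = match({
	id: "MESSAGE#855:713024/2",
	dissect: {
		tokenizer: "%{action->}:%{info->}",
		field: "nwparser.p1",
	},
});

// Opaque numeric category code; its meaning is not defined in this part of the file.
var dup244 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1613040200"),
});

var dup245 = set_field({
	dest: "nwparser.event_description",
	value: constant("Rekeying duration changed"),
});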
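// Fragments whose ids reference messages 702204 and 725002, plus two
// constant setters.

// Matches the common stem "ISAKMP Phase 1 retransmi"; dup247 then accepts
// either "ssion" or "t", so both "retransmission" and "retransmit" are covered.
var dup246 = match({
	id: "MESSAGE#810:702204:01/0",
	dissect: {
		tokenizer: "ISAKMP Phase 1 retransmi%{p0->}",
		field: "nwparser.payload",
	},
});

var dup247 = linear_select([
	match({
		id: "MESSAGE#810:702204:01/2",
		dissect: {
			tokenizer: "ssion%{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#810:702204:01/2",
		dissect: {
			tokenizer: "t%{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

var dup248 = set_field({
	dest: "nwparser.event_description",
	value: constant("Phase 1 retransmission"),
});

// Skips an unnamed leading token, then captures the interface name before ":".
var dup249 = match({
	id: "MESSAGE#1187:725002/2",
	dissect: {
		tokenizer: "%{->} %{interface->}:%{p2->}",
		field: "nwparser.p1",
	},
});

// Opaque numeric category code; its meaning is not defined in this part of the file.
var dup250 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1613050100"),
});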
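// Fragments whose ids reference messages 201004 and 725010, an empty
// selector, and several constant setters.

// Accepts the keyword "static" or "xlate".
var dup251 = linear_select([
	match({
		id: "MESSAGE#219:201004:01/2",
		dissect: {
			tokenizer: "static%{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#219:201004:01/2",
		dissect: {
			tokenizer: "xlate%{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

var dup252 = set_field({
	dest: "nwparser.event_description",
	value: constant("Login session failed"),
});

var dup253 = set_field({
	dest: "nwparser.event_description",
	value: constant("User Authentication failed"),
});

// NOTE(review): this selector has no alternatives. Whether an empty
// linear_select always succeeds or always fails depends on its implementation,
// which is not visible here. If it always fails, every rule that includes
// dup254 silently stops matching and the affected messages are dropped or
// fall through to a generic parser; confirm which rules reference it.
var dup254 = linear_select([
]);

// Literal "." followed by an unnamed capture for the rest.
var dup255 = match({
	id: "MESSAGE#1198:725010/2",
	dissect: {
		tokenizer: ".%{->}",
		field: "nwparser.p1",
	},
});

// Opaque numeric category code; its meaning is not defined in this part of the file.
var dup256 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1207010200"),
});

var dup257 = set_field({
	dest: "nwparser.event_description",
	value: constant("icmp packet denied"),
});

// NOTE(review): "mangement-only" is misspelled in the emitted value. It is
// left unchanged because correcting it changes the stored string, which would
// break any saved search or detection that matches the current spelling.
var dup258 = set_field({
	dest: "nwparser.result",
	value: constant("to/from mangement-only network"),
});

var dup259 = set_field({
	dest: "nwparser.protocol",
	value: constant("ICMP"),
});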
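// Fragments whose ids reference messages 418001, 111010, 737017 and 411005,
// plus constant setters. The eventcategory values are opaque numeric codes.

// Destination written as interface:address/port.
var dup260 = match({
	id: "MESSAGE#651:418001:01/2",
	dissect: {
		tokenizer: "%{dinterface->}:%{daddr->}/%{dport->}",
		field: "nwparser.p1",
	},
});

var dup261 = set_field({
	dest: "nwparser.event_description",
	value: constant("packet denied"),
});

// Anchors on the literal prefix "User " and passes the rest on in p0.
var dup262 = match({
	id: "MESSAGE#174:111010/0",
	dissect: {
		tokenizer: "User %{p0->}",
		field: "nwparser.payload",
	},
});

var dup263 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1401040000"),
});

var dup264 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1605010000"),
});

// Single-alternative selector: captures the value after "Session=" up to the
// next comma as sessionid.
var dup265 = linear_select([
	match({
		id: "MESSAGE#1243:737017/2",
		dissect: {
			tokenizer: "Session=%{sessionid->},%{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Accepts either capitalisation of the leading letter ("I" or "i").
var dup266 = linear_select([
	match({
		id: "MESSAGE#625:411005/2",
		dissect: {
			tokenizer: "I%{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#625:411005/2",
		dissect: {
			tokenizer: "i%{p1->}",
			field: "nwparser.p0",
		},
	}),
]);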
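// Fragments whose ids reference messages 722027 and 722023, plus constant setters.

// Source address, optionally followed by a parenthesised value (fld1), then " > ".
var dup267 = linear_select([
	match({
		id: "MESSAGE#1163:722027/3",
		dissect: {
			tokenizer: "%{saddr->} (%{fld1->}) > %{p2->}",
			field: "nwparser.p1",
		},
	}),
	match({
		id: "MESSAGE#1163:722027/3",
		dissect: {
			tokenizer: "%{saddr->} > %{p2->}",
			field: "nwparser.p1",
		},
	}),
]);

// Accepts the literal "TCP " or "UDP ". The protocol name itself is not
// captured into a field by these patterns.
var dup268 = linear_select([
	match({
		id: "MESSAGE#1163:722027/4",
		dissect: {
			tokenizer: "TCP %{p3->}",
			field: "nwparser.p2",
		},
	}),
	match({
		id: "MESSAGE#1163:722027/4",
		dissect: {
			tokenizer: "UDP %{p3->}",
			field: "nwparser.p2",
		},
	}),
]);

var dup269 = set_field({
	dest: "nwparser.event_description",
	value: constant("Policy installed"),
});

// Single-alternative selector matching the literal "out".
var dup270 = linear_select([
	match({
		id: "MESSAGE#1161:722023/6",
		dissect: {
			tokenizer: "out%{p5->}",
			field: "nwparser.p4",
		},
	}),
]);

var dup271 = set_field({
	dest: "nwparser.event_description",
	value: constant("request discarded"),
});

// Opaque numeric category code; its meaning is not defined in this part of the file.
var dup272 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1610000000"),
});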
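// Fragments whose ids reference messages 715021, 106027 and 305013, plus
// constant setters.

// Optional username (quoted, then bare) and source address; the form with
// only "IP = " is last.
var dup273 = linear_select([
	match({
		id: "MESSAGE#1001:715021/2",
		dissect: {
			tokenizer: "Username = '%{username->}', IP = %{saddr->} , %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#1001:715021/2",
		dissect: {
			tokenizer: "Username = %{username->}, IP = %{saddr->} , %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#1001:715021/2",
		dissect: {
			tokenizer: "IP = %{saddr->} , %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Rule group name, double-quoted or bare.
var dup274 = linear_select([
	match({
		id: "MESSAGE#96:106027/1",
		dissect: {
			tokenizer: "\"%{rule_group->}\" ",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#96:106027/1",
		dissect: {
			tokenizer: "%{rule_group->} ",
			field: "nwparser.p0",
		},
	}),
]);

var dup275 = set_field({
	dest: "nwparser.event_description",
	value: constant("denied by access-group"),
});

// Source port with a trailing "(domain\username)" before " dst ".
var dup276 = match({
	id: "MESSAGE#385:305013/2",
	dissect: {
		tokenizer: "%{sport->}(%{domain->}\\%{username->}) dst %{p1->}",
		field: "nwparser.p0",
	},
});

// Same position without the identity suffix. Declared separately from dup276;
// how callers choose between the two is not visible in this part of the file.
var dup277 = match({
	id: "MESSAGE#385:305013/2",
	dissect: {
		tokenizer: "%{sport->} dst %{p1->}",
		field: "nwparser.p0",
	},
});

var dup278 = set_field({
	dest: "nwparser.result",
	value: constant("due to NAT reverse path failure"),
});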
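// Fragments whose ids reference messages 401004 and 714011.

// Single-alternative selector matching the word ending "ned".
var dup279 = linear_select([
	match({
		id: "MESSAGE#552:401004/2",
		dissect: {
			tokenizer: "ned%{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Four prefix forms, from most to least specific: group + quoted username,
// group + bare username, group only, address only. The ordering matters if
// linear_select tries alternatives top to bottom (confirm against its
// definition): the less specific forms would otherwise absorb the username
// text into another field.
var dup280 = linear_select([
	match({
		id: "MESSAGE#989:714011/2",
		dissect: {
			tokenizer: "Group = %{group->}, Username = '%{username->}', IP = %{saddr->} , %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#989:714011/2",
		dissect: {
			tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->} , %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#989:714011/2",
		dissect: {
			tokenizer: "Group = %{group->}, IP = %{saddr->} , %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#989:714011/2",
		dissect: {
			tokenizer: "IP = %{saddr->} , %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);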
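// Fragments whose ids reference the 302014 message family, plus one
// event_description setter.

// Skips an unnamed leading token and stores the rest as result.
var dup281 = match({
	id: "MESSAGE#302:302014:03/3",
	dissect: {
		tokenizer: "%{->} %{result->}",
		field: "nwparser.p2",
	},
});

// Result written in parentheses.
var dup282 = match({
	id: "MESSAGE#303:302014:02/1",
	dissect: {
		tokenizer: "(%{result->}) ",
		field: "nwparser.p0",
	},
});

// Source address/port with a trailing "(domain\...)".
// NOTE(review): the text after the backslash is stored in fld3 rather than
// username; unless fld3 is mapped later (not visible here), the identity is
// not searchable under username for events parsed by this fragment.
var dup283 = match({
	id: "MESSAGE#304:302014:04/2",
	dissect: {
		tokenizer: "%{saddr->}/%{sport->}(%{domain->}\\%{fld3->}) to %{p1->}",
		field: "nwparser.p0",
	},
});

// Info text with an optional trailing "(username)".
var dup284 = linear_select([
	match({
		id: "MESSAGE#304:302014:04/3",
		dissect: {
			tokenizer: "%{info->} (%{username->})",
			field: "nwparser.p2",
		},
	}),
	match({
		id: "MESSAGE#304:302014:04/3",
		dissect: {
			tokenizer: "%{info->}",
			field: "nwparser.p2",
		},
	}),
]);

// Bare result followed by a space.
var dup285 = match({
	id: "MESSAGE#307:302014:01/1",
	dissect: {
		tokenizer: "%{result->} ",
		field: "nwparser.p0",
	},
});

var dup286 = set_field({
	dest: "nwparser.event_description",
	value: constant("NAT exemption configured"),
});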
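// Fragments whose ids reference message 702211, followed by shared constant
// setters.

// Anchors on "ISAKMP Phase 2 exchange complete"; the rest goes to p0.
var dup287 = match({
	id: "MESSAGE#824:702211:01/0",
	dissect: {
		tokenizer: "ISAKMP Phase 2 exchange complete%{p0->}",
		field: "nwparser.payload",
	},
});

// Initiator form: the address before "(initiator)" is stored as saddr and the
// remote address as daddr.
var dup288 = match({
	id: "MESSAGE#824:702211:01/2",
	dissect: {
		tokenizer: "%{->} %{saddr->} (initiator), remote %{daddr->})",
		field: "nwparser.p1",
	},
});

var dup289 = set_field({
	dest: "nwparser.event_description",
	value: constant("Phase 1 exchange completed"),
});

// Responder form: the mapping is reversed, so the address before
// "(responder)" is stored as daddr and the remote address as saddr.
var dup290 = match({
	id: "MESSAGE#825:702211/2",
	dissect: {
		tokenizer: "%{->} %{daddr->} (responder), remote %{saddr->})",
		field: "nwparser.p1",
	},
});

var dup291 = set_field({
	dest: "nwparser.event_description",
	value: constant("authentication failed"),
});

// Opaque numeric category code; its meaning is not defined in this part of the file.
var dup292 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1302000000"),
});

var dup293 = set_field({
	dest: "nwparser.ec_subject",
	value: constant("Certificate"),
});

var dup294 = set_field({
	dest: "nwparser.event_description",
	value: constant("connection dropped"),
});

var dup295 = set_field({
	dest: "nwparser.event_description",
	value: constant("teardown translation"),
});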
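// Fragments whose ids reference messages 305012, 413003 and 713035, plus
// constant setters and one bare constant.

// Source address/port, optionally followed by a parenthesised value (fld51).
var dup296 = linear_select([
	match({
		id: "MESSAGE#383:305012/2",
		dissect: {
			tokenizer: "%{saddr->}/%{sport->}(%{fld51->}) to %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#383:305012/2",
		dissect: {
			tokenizer: "%{saddr->}/%{sport->} to %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Destination interface, optionally followed by a parenthesised value (fld52).
var dup297 = linear_select([
	match({
		id: "MESSAGE#384:305012:01/2",
		dissect: {
			tokenizer: "%{dinterface->}(%{fld52->}):%{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#384:305012:01/2",
		dissect: {
			tokenizer: "%{dinterface->}:%{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Consumes a literal "." and passes the rest on in p1.
var dup298 = match({
	id: "MESSAGE#629:413003/2",
	dissect: {
		tokenizer: ".%{p1->}",
		field: "nwparser.p0",
	},
});

var dup299 = set_field({
	dest: "nwparser.event_description",
	value: constant("IPS request to drop packet"),
});

// Source address, then action and info separated by the first ":".
var dup300 = match({
	id: "MESSAGE#860:713035/2",
	dissect: {
		tokenizer: "%{saddr->} , %{action->}:%{info->}",
		field: "nwparser.p1",
	},
});

// Bare constant (not wrapped in set_field); the destination field is chosen
// by whichever rule references dup301.
var dup301 = constant("Routing failed to locate next-hop");

var dup302 = set_field({
	dest: "nwparser.disposition",
	value: constant("failed"),
});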
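// Fragments whose ids reference messages 715046 and 715049, plus one
// event_description setter.

// Group, username and source address read directly from the payload.
var dup303 = match({
	id: "MESSAGE#1016:715046:01/1",
	dissect: {
		tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{p0->}",
		field: "nwparser.payload",
	},
});

// Stores the whole remainder as event_description. The description is then
// free text from the device message rather than one of the fixed constants
// used elsewhere, so exact-match filters on event_description may not apply.
var dup304 = match({
	id: "MESSAGE#1016:715046:01/1",
	dissect: {
		tokenizer: "%{event_description->}",
		field: "nwparser.p0",
	},
});

// Same prefix with the group being optional.
var dup305 = linear_select([
	match({
		id: "MESSAGE#1021:715049:01/1",
		dissect: {
			tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{p0->}",
			field: "nwparser.payload",
		},
	}),
	match({
		id: "MESSAGE#1021:715049:01/1",
		dissect: {
			tokenizer: "Username = %{username->}, IP = %{saddr->}, %{p0->}",
			field: "nwparser.payload",
		},
	}),
]);

var dup306 = set_field({
	dest: "nwparser.event_description",
	value: constant("Teardown connection"),
});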
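// Fragments whose ids reference message 302026 ("Built ... stub ...
// connection" records), plus one event_description setter.

// Anchors on the literal prefix "Built ".
var dup307 = match({
	id: "MESSAGE#340:302026/0",
	dissect: {
		tokenizer: "Built %{p0->}",
		field: "nwparser.payload",
	},
});

// Keyword variants "backup" and "director", declared as separate matchers;
// how callers choose between them is not visible in this part of the file.
var dup308 = match({
	id: "MESSAGE#340:302026/2",
	dissect: {
		tokenizer: "backup%{p1->}",
		field: "nwparser.p0",
	},
});

var dup309 = match({
	id: "MESSAGE#340:302026/2",
	dissect: {
		tokenizer: "director%{p1->}",
		field: "nwparser.p0",
	},
});

// Connection details after "stub": protocol, connection id, both endpoints
// as interface:address/port, and a parenthesised value after each endpoint
// (fld1, fld2).
var dup310 = match({
	id: "MESSAGE#340:302026/2",
	dissect: {
		tokenizer: "%{->}stub %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} (%{fld1->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{fld2->})",
		field: "nwparser.p1",
	},
});

var dup311 = set_field({
	dest: "nwparser.event_description",
	value: constant("Built connection"),
});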
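// Fragments whose ids reference messages 402116 and 305011.

// Captures the SPI as dst_spi, the sequence number as fld2 and the sender as
// saddr from an "IPSEC: Received an ESP packet" record.
var dup312 = match({
	id: "MESSAGE#559:402116/0",
	dissect: {
		tokenizer: "IPSEC: Received an ESP packet (SPI= %{dst_spi->}, sequence number= %{fld2->}) from %{saddr->} %{p0->}",
		field: "nwparser.payload",
	},
});

// Username before " to ", in four notations from most to least specific:
// "(user=NAME)", "(NAME)", "'NAME'" and bare NAME.
// NOTE(review): the bare form ends at the first " to " in the text, so a name
// that itself contains " to " would presumably be cut short and shift the
// following fields. Treat username as untrusted text downstream.
var dup313 = linear_select([
	match({
		id: "MESSAGE#559:402116/2",
		dissect: {
			tokenizer: "(user=%{username->}) to %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#559:402116/2",
		dissect: {
			tokenizer: "(%{username->}) to %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#559:402116/2",
		dissect: {
			tokenizer: "'%{username->}' to %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#559:402116/2",
		dissect: {
			tokenizer: "%{username->} to %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Destination written as address/port.
var dup314 = match({
	id: "MESSAGE#381:305011:01/2",
	dissect: {
		tokenizer: "%{daddr->}/%{dport->}",
		field: "nwparser.p1",
	},
});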
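// Fragments whose ids reference message 502112, constant setters, and a
// computed byte total.

// Username followed by " Type:"; quoted form first, bare form second.
var dup315 = linear_select([
	match({
		id: "MESSAGE#684:502112/2",
		dissect: {
			tokenizer: "'%{username->}' Type:%{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#684:502112/2",
		dissect: {
			tokenizer: "%{username->} Type:%{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Stores the whole remainder (the text after "Type:") in fld1.
var dup316 = match({
	id: "MESSAGE#684:502112/2",
	dissect: {
		tokenizer: "%{fld1->}",
		field: "nwparser.p1",
	},
});

var dup317 = set_field({
	dest: "nwparser.result",
	value: constant("User authentication succeeded"),
});

var dup318 = set_field({
	dest: "nwparser.event_description",
	value: constant("SSL server requesting certificate for authentication"),
});

// Writes sbytes + rbytes to bytes through CALC (defined elsewhere in this file).
// NOTE(review): what CALC does when either operand is missing or non-numeric
// is not visible here. Byte totals are often used for volume-based alerting,
// so confirm that a bad operand cannot yield a misleading total.
var dup319 = call({
	dest: "nwparser.bytes",
	fn: CALC,
	args: [
		field("sbytes"),
		constant("+"),
		field("rbytes"),
	],
});

var dup320 = set_field({
	dest: "nwparser.ec_theme",
	value: constant("TEV"),
});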
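// Fragments whose ids reference messages 315011 and 411002, plus constant
// setters. The eventcategory values are opaque numeric codes.

// SSH session record: source address and interface; parsing continues in p0
// at the user name.
var dup321 = match({
	id: "MESSAGE#419:315011/0",
	dissect: {
		tokenizer: "SSH session from %{saddr->} on interface %{interface->} for user %{p0->}",
		field: "nwparser.payload",
	},
});

// Matches the tail "nterface "; presumably the leading "I"/"i" is consumed by
// an earlier stage (confirm against the rule that uses dup322).
var dup322 = match({
	id: "MESSAGE#622:411002/2",
	dissect: {
		tokenizer: "nterface %{interface->} %{p2->}",
		field: "nwparser.p1",
	},
});

// Result text, with or without a leading ", ".
var dup323 = linear_select([
	match({
		id: "MESSAGE#622:411002/3",
		dissect: {
			tokenizer: ", %{result->} ",
			field: "nwparser.p2",
		},
	}),
	match({
		id: "MESSAGE#622:411002/3",
		dissect: {
			tokenizer: "%{result->} ",
			field: "nwparser.p2",
		},
	}),
]);

var dup324 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1603030000"),
});

var dup325 = set_field({
	dest: "nwparser.event_description",
	value: constant("Denied IPv6-ICMP"),
});

var dup326 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1604010000"),
});

var dup327 = set_field({
	dest: "nwparser.ec_activity",
	value: constant("Read"),
});

var dup328 = set_field({
	dest: "nwparser.event_description",
	value: constant("Device chooses cipher for the SSL session"),
});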
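// One fragment whose id references message 713218, followed by constant
// setters and three copies of p_msgid. The eventcategory values are opaque
// numeric codes.

// Source address, then the text after "Tunnel Rejected: " as action.
var dup329 = match({
	id: "MESSAGE#870:713218/2",
	dissect: {
		tokenizer: "%{saddr->}, Tunnel Rejected: %{action->}",
		field: "nwparser.p1",
	},
});

var dup330 = set_field({
	dest: "nwparser.result",
	value: constant("Tunnel Rejected"),
});

var dup331 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1901000000"),
});

// dup332 to dup334 copy the same source field, p_msgid, into three different
// destinations: id, msg_id and vid.
var dup332 = set_field({
	dest: "nwparser.id",
	value: field("p_msgid"),
});

var dup333 = set_field({
	dest: "nwparser.msg_id",
	value: field("p_msgid"),
});

var dup334 = set_field({
	dest: "nwparser.vid",
	value: field("p_msgid"),
});

var dup335 = set_field({
	dest: "nwparser.event_description",
	value: constant("IKEGetUserAttributes"),
});

var dup336 = set_field({
	dest: "nwparser.event_description",
	value: constant("Invalid destination"),
});

var dup337 = set_field({
	dest: "nwparser.result",
	value: constant("all servers failed"),
});

var dup338 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1607000000"),
});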
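// Fragments whose ids reference message 713906. dup339, dup341 and dup342
// are three payload prefixes of decreasing detail (group + username +
// address, group + address, address only); dup340 parses a proxy-id body.

var dup339 = match({
	id: "MESSAGE#975:713906:01/0",
	dissect: {
		tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{p0->}",
		field: "nwparser.payload",
	},
});

// Description text up to " Proxy Id:", then the remote host, protocol and
// port, then the local subnet, mask, protocol and port. The first protocol
// and port go to the protocol and port fields; the second pair goes to
// fld3 and fld4.
var dup340 = match({
	id: "MESSAGE#975:713906:01/1",
	dissect: {
		tokenizer: "%{event_description->} Proxy Id:%{fld1->} Remote host: %{hostname->} Protocol %{protocol->} Port %{port->} Local subnet: %{fld2->} mask %{mask->} Protocol %{fld3->} Port %{fld4->} ",
		field: "nwparser.p0",
	},
});

var dup341 = match({
	id: "MESSAGE#976:713906:03/0",
	dissect: {
		tokenizer: "Group = %{group->}, IP = %{saddr->}, %{p0->}",
		field: "nwparser.payload",
	},
});

// Unlike dup339 and dup341, there is no space after the comma in this pattern.
var dup342 = match({
	id: "MESSAGE#977:713906/0",
	dissect: {
		tokenizer: "IP = %{saddr->},%{p0->}",
		field: "nwparser.payload",
	},
});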
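// Fragments whose ids reference messages 113014 and 620001, plus one
// event_description setter.

// Accepts the word fragments "entic" or "oriz"; presumably these are the
// middles of "authentication" and "authorization", with the common prefix
// consumed by an earlier stage (confirm against the rule that uses dup343).
// Neither alternative records which of the two words matched.
var dup343 = linear_select([
	match({
		id: "MESSAGE#191:113014/2",
		dissect: {
			tokenizer: "entic%{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#191:113014/2",
		dissect: {
			tokenizer: "oriz%{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Consumes a single literal "C" and passes the rest on in p1.
var dup344 = match({
	id: "MESSAGE#797:620001:01/2",
	dissect: {
		tokenizer: "C%{p1->}",
		field: "nwparser.p0",
	},
});

// Source address with an optional "/port" before " to ".
var dup345 = linear_select([
	match({
		id: "MESSAGE#797:620001:01/4",
		dissect: {
			tokenizer: "%{saddr->}/%{sport->} to %{p3->}",
			field: "nwparser.p2",
		},
	}),
	match({
		id: "MESSAGE#797:620001:01/4",
		dissect: {
			tokenizer: "%{saddr->} to %{p3->}",
			field: "nwparser.p2",
		},
	}),
]);

// Destination interface, up to ": ".
var dup346 = match({
	id: "MESSAGE#797:620001:01/4",
	dissect: {
		tokenizer: "%{dinterface->}: %{p4->}",
		field: "nwparser.p3",
	},
});

var dup347 = set_field({
	dest: "nwparser.event_description",
	value: constant("Pre-allocate connection"),
});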
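// Fragments whose ids reference messages 302020 and 722001, plus constant
// setters. The eventcategory values are opaque numeric codes.

// Host address before " laddr ".
var dup348 = match({
	id: "MESSAGE#325:302020/3",
	dissect: {
		tokenizer: "%{hostip->} laddr %{p2->}",
		field: "nwparser.p1",
	},
});

// Source port followed by ICMP type and code.
var dup349 = match({
	id: "MESSAGE#326:302020:04/1",
	dissect: {
		tokenizer: "%{sport->} type %{icmptype->} code %{icmpcode->}",
		field: "nwparser.p0",
	},
});

// Source port alone; declared separately from dup349, so the order in which
// callers try the two is not visible in this part of the file.
var dup350 = match({
	id: "MESSAGE#326:302020:04/1",
	dissect: {
		tokenizer: "%{sport->}",
		field: "nwparser.p0",
	},
});

var dup351 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1611000000"),
});

// Anchors on the literal prefix "IP ".
var dup352 = match({
	id: "MESSAGE#1153:722001/0",
	dissect: {
		tokenizer: "IP %{p0->}",
		field: "nwparser.payload",
	},
});

// Source address, optionally followed by a parenthesised value (fld1).
var dup353 = linear_select([
	match({
		id: "MESSAGE#1153:722001/2",
		dissect: {
			tokenizer: "%{saddr->} (%{fld1->}) %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#1153:722001/2",
		dissect: {
			tokenizer: "%{saddr->} %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Stores the remainder up to a "." as event_description, so the description
// is free text from the device message here.
var dup354 = match({
	id: "MESSAGE#1153:722001/2",
	dissect: {
		tokenizer: "%{event_description->}.",
		field: "nwparser.p1",
	},
});

var dup355 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1601010000"),
});

var dup356 = set_field({
	dest: "nwparser.result",
	value: constant("hardware accelerator error"),
});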
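// Fragments whose ids reference messages 106002 and 702206, plus constant
// setters. The eventcategory value is an opaque numeric code.

// First word of the payload as protocol; the rest goes to p0.
var dup357 = match({
	id: "MESSAGE#59:106002/0",
	dissect: {
		tokenizer: "%{protocol->} %{p0->}",
		field: "nwparser.payload",
	},
});

// Accepts either capitalisation of the leading letter ("C" or "c").
var dup358 = linear_select([
	match({
		id: "MESSAGE#59:106002/2",
		dissect: {
			tokenizer: "C%{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#59:106002/2",
		dissect: {
			tokenizer: "c%{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

var dup359 = set_field({
	dest: "nwparser.eventcategory",
	value: constant("1803020000"),
});

// Matches the stem "ISAKMP malform"; the word ending is left in p0.
var dup360 = match({
	id: "MESSAGE#814:702206:01/0",
	dissect: {
		tokenizer: "ISAKMP malform%{p0->}",
		field: "nwparser.payload",
	},
});

var dup361 = set_field({
	dest: "nwparser.event_description",
	value: constant("malformed payload received"),
});

var dup362 = set_field({
	dest: "nwparser.event_description",
	value: constant("User executed command"),
});

var dup363 = set_field({
	dest: "nwparser.event_description",
	value: constant("Testing Interface"),
});

var dup364 = set_field({
	dest: "nwparser.protocol",
	value: constant("TCP"),
});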
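// Fragments whose ids reference messages 713050, 303002 and 338303.

// Group with an optional username (quoted, then bare) before " , IP = ".
// The alternative without a username is last; if it were tried first, its
// group capture would absorb the "Username = ..." text.
var dup365 = linear_select([
	match({
		id: "MESSAGE#867:713050/2",
		dissect: {
			tokenizer: "%{group->}, Username = '%{username->}' , IP = %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#867:713050/2",
		dissect: {
			tokenizer: "%{group->}, Username = %{username->} , IP = %{p1->}",
			field: "nwparser.p0",
		},
	}),
	match({
		id: "MESSAGE#867:713050/2",
		dissect: {
			tokenizer: "%{group->} , IP = %{p1->}",
			field: "nwparser.p0",
		},
	}),
]);

// Quoted and bare username variants, declared as separate matchers; how
// callers choose between them is not visible in this part of the file.
var dup366 = match({
	id: "MESSAGE#346:303002:02/2",
	dissect: {
		tokenizer: "'%{username->}' %{p1->}",
		field: "nwparser.p0",
	},
});

var dup367 = match({
	id: "MESSAGE#346:303002:02/2",
	dissect: {
		tokenizer: "%{username->} %{p1->}",
		field: "nwparser.p0",
	},
});

// Consumes a literal "," and passes the rest on in p1.
var dup368 = match({
	id: "MESSAGE#489:338303/2",
	dissect: {
		tokenizer: ",%{p1->}",
		field: "nwparser.p0",
	},
});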
// 302021, part 2 (read from p0): host IP with or without a "/<fld4>" suffix
// before the literal " laddr ".
var dup369 = linear_select([
  match({
    id: "MESSAGE#331:302021/2",
    dissect: { tokenizer: "%{hostip->}/%{fld4->} laddr %{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#331:302021/2",
    dissect: { tokenizer: "%{hostip->} laddr %{p1->}", field: "nwparser.p0" },
  }),
]);

// 302021 (read from p1): destination address/port, optionally followed by a
// user name either in parentheses or after a space.
var dup370 = linear_select([
  match({
    id: "MESSAGE#331:302021/2",
    dissect: { tokenizer: "%{daddr->}/%{dport->}(%{username->})", field: "nwparser.p1" },
  }),
  match({
    id: "MESSAGE#331:302021/2",
    dissect: { tokenizer: "%{daddr->}/%{dport->} %{username->}", field: "nwparser.p1" },
  }),
  match({
    id: "MESSAGE#331:302021/2",
    dissect: { tokenizer: "%{daddr->}/%{dport->}", field: "nwparser.p1" },
  }),
]);

var dup371 = set_field({ dest: "nwparser.event_description", value: constant("denied by access-list") });

var dup372 = set_field({ dest: "nwparser.event_description", value: constant("Session terminated") });
// 109012, part 2: user name (quoted form first, then bare) followed by " , sid ".
var dup373 = linear_select([
  match({
    id: "MESSAGE#133:109012/2",
    dissect: { tokenizer: "'%{username->}' , sid %{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#133:109012/2",
    dissect: { tokenizer: "%{username->} , sid %{p1->}", field: "nwparser.p0" },
  }),
]);

// 702210: payload must begin with "ISAKMP Phase 1 exchange complete".
var dup374 = match({
  id: "MESSAGE#822:702210:01/0",
  dissect: { tokenizer: "ISAKMP Phase 1 exchange complete%{p0->}", field: "nwparser.payload" },
});

var dup375 = set_field({ dest: "nwparser.eventcategory", value: constant("1701070000") });

var dup376 = set_field({ dest: "nwparser.ec_activity", value: constant("Disable") });
// 410001 (dropped UDP DNS packet): the message text is consumed in stages,
// each stage reading the leftover field written by the previous one.
var dup377 = match({
  id: "MESSAGE#617:410001/0",
  dissect: { tokenizer: "Dropped UDP DNS re%{p0->}", field: "nwparser.payload" },
});

// Completes the word started above: "re" + "ply" or "re" + "quest".
var dup378 = linear_select([
  match({
    id: "MESSAGE#617:410001/2",
    dissect: { tokenizer: "ply%{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#617:410001/2",
    dissect: { tokenizer: "quest%{p1->}", field: "nwparser.p0" },
  }),
]);

// Two alternatives for the next literal in p2: "packet" or "label".
var dup379 = match({
  id: "MESSAGE#617:410001/4",
  dissect: { tokenizer: "packet%{p3->}", field: "nwparser.p2" },
});

var dup380 = match({
  id: "MESSAGE#617:410001/4",
  dissect: { tokenizer: "label%{p3->}", field: "nwparser.p2" },
});

// Tail of the message: the byte limit is captured as fld2.
var dup381 = match({
  id: "MESSAGE#617:410001/6",
  dissect: { tokenizer: "%{->}limit of %{fld2->} bytes", field: "nwparser.p5" },
});

var dup382 = set_field({
  dest: "nwparser.event_description",
  value: constant("Dropped DNS UDP packet - length exceeded"),
});
// 113009: payload must begin with "AAA retrieved default group policy ".
var dup383 = match({
  id: "MESSAGE#185:113009/0",
  dissect: { tokenizer: "AAA retrieved default group policy %{p0->}", field: "nwparser.payload" },
});

// 113009, part 4: user name, quoted form first, then bare; both expect a trailing space.
var dup384 = linear_select([
  match({
    id: "MESSAGE#185:113009/4",
    dissect: { tokenizer: "'%{username->}' ", field: "nwparser.p3" },
  }),
  match({
    id: "MESSAGE#185:113009/4",
    dissect: { tokenizer: "%{username->} ", field: "nwparser.p3" },
  }),
]);

var dup385 = set_field({
  dest: "nwparser.result",
  value: constant("retrieved default group policy"),
});

// 713075, part 3: whatever is left in p2 becomes the event description.
var dup386 = match({
  id: "MESSAGE#878:713075/3",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.p2" },
});

// 715036, part 1: description with a "(seq number N) " suffix, else a plain description.
var dup387 = linear_select([
  match({
    id: "MESSAGE#1008:715036:01/1",
    dissect: {
      tokenizer: "%{event_description->} (seq number %{fld1->}) ",
      field: "nwparser.p0",
    },
  }),
  match({
    id: "MESSAGE#1008:715036:01/1",
    dissect: { tokenizer: "%{->} %{event_description->}", field: "nwparser.p0" },
  }),
]);
// 713902, part 2: group, user name in single quotes, source IP, then the tail in p1.
var dup388 = match({
  id: "MESSAGE#957:713902/2",
  dissect: {
    tokenizer: "Group = %{group->}, Username = '%{username->}', IP = %{saddr->} , %{p1->}",
    field: "nwparser.p0",
  },
});

// 713902, part 2: same layout with an unquoted user name.
var dup389 = match({
  id: "MESSAGE#957:713902/2",
  dissect: {
    tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->} , %{p1->}",
    field: "nwparser.p0",
  },
});

// 713902:02, part 2: either a group or a user name (quoted, then bare) before " IP = ".
var dup390 = linear_select([
  match({
    id: "MESSAGE#958:713902:02/2",
    dissect: { tokenizer: "Group = %{group->}, IP = %{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#958:713902:02/2",
    dissect: { tokenizer: "Username = '%{username->}' , IP = %{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#958:713902:02/2",
    dissect: { tokenizer: "Username = %{username->} , IP = %{p1->}", field: "nwparser.p0" },
  }),
]);

// Constant field setters shared by several messages.
var dup391 = set_field({
  dest: "nwparser.event_description",
  value: constant("Embryonic limit exceeded"),
});

var dup392 = set_field({ dest: "nwparser.result", value: constant("for through connections") });

var dup393 = set_field({
  dest: "nwparser.event_description",
  value: constant("duplicate packet detected"),
});

var dup394 = set_field({ dest: "nwparser.result", value: constant("DHCP configured") });

var dup395 = set_field({
  dest: "nwparser.event_description",
  value: constant("Received an ICMP Destination Unreachable"),
});

var dup396 = set_field({ dest: "nwparser.dclass_counter1_string", value: constant("Hitcount") });
// 106100 (access-list hit): the list name is captured first, the rest goes to p0.
var dup397 = match({
  id: "MESSAGE#100:106100:01/0",
  dissect: { tokenizer: "access-list %{listnum->} %{p0->}", field: "nwparser.payload" },
});

// 106100:01, part 2: the action word begins with "est-allow" or "permitt".
var dup398 = linear_select([
  match({
    id: "MESSAGE#100:106100:01/2",
    dissect: { tokenizer: "est-allow%{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#100:106100:01/2",
    dissect: { tokenizer: "permitt%{p1->}", field: "nwparser.p0" },
  }),
]);

// 106100:01, part 4: destination port with an extra parenthesised field (fld7)...
var dup399 = match({
  id: "MESSAGE#100:106100:01/4",
  dissect: { tokenizer: "%{dport->})(%{fld7->}) hit-cnt %{p3->}", field: "nwparser.p2" },
});

// ...or destination port alone before " hit-cnt ".
var dup400 = match({
  id: "MESSAGE#100:106100:01/4",
  dissect: { tokenizer: "%{dport->}) hit-cnt %{p3->}", field: "nwparser.p2" },
});

// Hit counter followed by one more field (fld6).
var dup401 = match({
  id: "MESSAGE#100:106100:01/4",
  dissect: { tokenizer: "%{dclass_counter1->} %{fld6->}", field: "nwparser.p3" },
});

var dup402 = set_field({ dest: "nwparser.event_description", value: constant("permitted") });

// 106100:02, part 4: the most specific form (domain\username in parentheses) is
// listed first, then the generic parenthesised field, then port only.
var dup403 = linear_select([
  match({
    id: "MESSAGE#101:106100:02/4",
    dissect: {
      tokenizer: "%{dport->})(%{domain->}\\%{username->}) hit-cnt %{p3->}",
      field: "nwparser.p2",
    },
  }),
  match({
    id: "MESSAGE#101:106100:02/4",
    dissect: { tokenizer: "%{dport->})(%{fld7->}) hit-cnt %{p3->}", field: "nwparser.p2" },
  }),
  match({
    id: "MESSAGE#101:106100:02/4",
    dissect: { tokenizer: "%{dport->}) hit-cnt %{p3->}", field: "nwparser.p2" },
  }),
]);

// 702208: payload must begin with "ISAKMP Phase 1 exchange start".
var dup404 = match({
  id: "MESSAGE#818:702208:01/0",
  dissect: { tokenizer: "ISAKMP Phase 1 exchange start%{p0->}", field: "nwparser.payload" },
});

var dup405 = set_field({
  dest: "nwparser.event_description",
  value: constant("Phase 1 exchange started"),
});

var dup406 = set_field({ dest: "nwparser.eventcategory", value: constant("1204000000") });
// 605003, part 3: user name in single quotes, trailing space required.
var dup407 = match({
  id: "MESSAGE#735:605003/3",
  dissect: { tokenizer: "'%{username->}' ", field: "nwparser.p2" },
});

// 605003, part 3: unquoted user name, trailing space required.
var dup408 = match({
  id: "MESSAGE#735:605003/3",
  dissect: { tokenizer: "%{username->} ", field: "nwparser.p2" },
});

var dup409 = set_field({ dest: "nwparser.event_description", value: constant("invalid IPSEC packet") });

var dup410 = set_field({ dest: "nwparser.eventcategory", value: constant("1601020000") });

// 109033: failed authentication of an admin user; the text after the literal goes to p0.
var dup411 = match({
  id: "MESSAGE#156:109033:01/0",
  dissect: { tokenizer: "Authentication failed for admin user %{p0->}", field: "nwparser.payload" },
});

var dup412 = set_field({ dest: "nwparser.event_description", value: constant("Authentication Failed") });

var dup413 = set_field({
  dest: "nwparser.result",
  value: constant("Interactive challenge processing not supported"),
});
// 113005 (AAA authentication rejected), parsed in stages over p0..p6.
var dup414 = match({
  id: "MESSAGE#181:113005:01/0",
  dissect: { tokenizer: "AAA user auth%{p0->}", field: "nwparser.payload" },
});

// Rejection reason is captured as `result`; the server part continues in p2.
var dup415 = match({
  id: "MESSAGE#181:113005:01/2",
  dissect: {
    tokenizer: "ation Rejected : reason = %{result->} : server = %{p2->}",
    field: "nwparser.p1",
  },
});

// Server address terminated by " :" or by ",".
var dup416 = linear_select([
  match({
    id: "MESSAGE#181:113005:01/4",
    dissect: { tokenizer: "%{hostip->} :%{p3->}", field: "nwparser.p2" },
  }),
  match({
    id: "MESSAGE#181:113005:01/4",
    dissect: { tokenizer: "%{hostip->},%{p3->}", field: "nwparser.p2" },
  }),
]);

// "User" / "user": the first letter is matched in either case...
var dup417 = linear_select([
  match({
    id: "MESSAGE#181:113005:01/6",
    dissect: { tokenizer: "U%{p5->}", field: "nwparser.p4" },
  }),
  match({
    id: "MESSAGE#181:113005:01/6",
    dissect: { tokenizer: "u%{p5->}", field: "nwparser.p4" },
  }),
]);

// ...followed by "ser = "; what comes after it is left in p6.
var dup418 = match({
  id: "MESSAGE#181:113005:01/6",
  dissect: { tokenizer: "ser = %{p6->}", field: "nwparser.p5" },
});

var dup419 = set_field({
  dest: "nwparser.event_description",
  value: constant("user authentication rejected"),
});

var dup420 = set_field({ dest: "nwparser.eventcategory", value: constant("1602000000") });

var dup421 = set_field({ dest: "nwparser.event_description", value: constant("Client allowed") });

// 199009, part 3: the rest of p2 (up to a trailing space) is stored as `result`.
var dup422 = match({
  id: "MESSAGE#211:199009/3",
  dissect: { tokenizer: "%{result->} ", field: "nwparser.p2" },
});

var dup423 = set_field({ dest: "nwparser.event_description", value: constant("Translation denied") });

var dup424 = set_field({
  dest: "nwparser.result",
  value: constant("Unable to get address from group-policy or tunnel-group"),
});
// 603108, part 2: next literal starts with "T" or "t".
var dup425 = linear_select([
  match({
    id: "MESSAGE#727:603108/2",
    dissect: { tokenizer: "T%{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#727:603108/2",
    dissect: { tokenizer: "t%{p1->}", field: "nwparser.p0" },
  }),
]);

// 606001, part 2: next literal starts with "P" or "AS".
var dup426 = linear_select([
  match({
    id: "MESSAGE#740:606001/2",
    dissect: { tokenizer: "P%{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#740:606001/2",
    dissect: { tokenizer: "AS%{p1->}", field: "nwparser.p0" },
  }),
]);

// 702205: payload must begin with "ISAKMP Phase 2 retransmi".
var dup427 = match({
  id: "MESSAGE#812:702205:01/0",
  dissect: { tokenizer: "ISAKMP Phase 2 retransmi%{p0->}", field: "nwparser.payload" },
});

var dup428 = set_field({
  dest: "nwparser.event_description",
  value: constant("deleting static route for address"),
});
// 605005, part 1: user name in one of four wrappings, the delimited forms
// first and the bare form last: "<<name> ", "\"name\" ", "'name' ", "name ".
// NOTE(review): the first pattern opens with two "<" but closes with one ">";
// confirm against real device output before relying on it.
var dup429 = linear_select([
  match({
    id: "MESSAGE#738:605005/1",
    dissect: { tokenizer: "\u003c\u003c%{username->}> ", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#738:605005/1",
    dissect: { tokenizer: "\"%{username->}\" ", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#738:605005/1",
    dissect: { tokenizer: "'%{username->}' ", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#738:605005/1",
    dissect: { tokenizer: "%{username->} ", field: "nwparser.p0" },
  }),
]);

// Fixed port values: these are constants, not values read from the log line.
var dup430 = set_field({ dest: "nwparser.dport", value: constant("23") });

var dup431 = set_field({ dest: "nwparser.sport", value: constant("0") });

var dup432 = set_field({ dest: "nwparser.event_description", value: constant("Denied login session") });

// Bare constant (not wrapped in set_field); where it is consumed is outside this part of the file.
var dup433 = constant("Tunnel Rejected");

var dup434 = set_field({ dest: "nwparser.event_description", value: constant("assigned to session") });
// 702209: payload must begin with "ISAKMP Phase 2 exchange start".
var dup435 = match({
  id: "MESSAGE#820:702209:01/0",
  dissect: { tokenizer: "ISAKMP Phase 2 exchange start%{p0->}", field: "nwparser.payload" },
});

// 602203: payload must begin with "ISAKMP session disconnect".
var dup436 = match({
  id: "MESSAGE#714:602203:01/0",
  dissect: { tokenizer: "ISAKMP session disconnect%{p0->}", field: "nwparser.payload" },
});

var dup437 = set_field({
  dest: "nwparser.event_description",
  value: constant("ISAKMP session disconnected"),
});

// 722049, part 3: everything left in p2 is stored as `info`.
var dup438 = match({
  id: "MESSAGE#1176:722049/3",
  dissect: { tokenizer: "%{info->}", field: "nwparser.p2" },
});

// 108004, part 2: next literal is "quest" or "sponse".
var dup439 = linear_select([
  match({
    id: "MESSAGE#116:108004:01/2",
    dissect: { tokenizer: "quest%{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#116:108004:01/2",
    dissect: { tokenizer: "sponse%{p1->}", field: "nwparser.p0" },
  }),
]);

// Source interface after "from", up to the colon.
var dup440 = match({
  id: "MESSAGE#116:108004:01/2",
  dissect: { tokenizer: "%{->}from %{sinterface->}: %{p2->}", field: "nwparser.p1" },
});

// 108004, part 6: destination with or without "/port", terminated by " ;".
var dup441 = linear_select([
  match({
    id: "MESSAGE#116:108004:01/6",
    dissect: { tokenizer: "%{daddr->}/%{dport->} ;%{p5->}", field: "nwparser.p4" },
  }),
  match({
    id: "MESSAGE#116:108004:01/6",
    dissect: { tokenizer: "%{daddr->} ;%{p5->}", field: "nwparser.p4" },
  }),
]);

// Remainder of the message is stored as `info`.
var dup442 = match({
  id: "MESSAGE#116:108004:01/6",
  dissect: { tokenizer: "%{info->}", field: "nwparser.p5" },
});
// 302024, part 2: next literal is one of "backup", "director", "forwarder".
var dup443 = linear_select([
  match({
    id: "MESSAGE#338:302024/2",
    dissect: { tokenizer: "backup%{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#338:302024/2",
    dissect: { tokenizer: "director%{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#338:302024/2",
    dissect: { tokenizer: "forwarder%{p1->}", field: "nwparser.p0" },
  }),
]);

var dup444 = set_field({
  dest: "nwparser.event_description",
  value: constant("SVC connection established"),
});

// 702212: payload must begin with "ISAKMP Phase 1 initiat"...
var dup445 = match({
  id: "MESSAGE#826:702212:01/0",
  dissect: { tokenizer: "ISAKMP Phase 1 initiat%{p0->}", field: "nwparser.payload" },
});

// ...completed by "ing" or "e".
var dup446 = linear_select([
  match({
    id: "MESSAGE#826:702212:01/2",
    dissect: { tokenizer: "ing%{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#826:702212:01/2",
    dissect: { tokenizer: "e%{p1->}", field: "nwparser.p0" },
  }),
]);

var dup447 = set_field({
  dest: "nwparser.event_description",
  value: constant("Phase 1 initiating rekey"),
});

// 713049, part 4: p2 must begin with "User".
var dup448 = match({
  id: "MESSAGE#866:713049/4",
  dissect: { tokenizer: "User%{p3->}", field: "nwparser.p2" },
});

var dup449 = set_field({ dest: "nwparser.event_description", value: constant("Phase 1 delete sent") });
// 302009 (rebuilt connection): three address/port pairs, each introduced by a
// short or long keyword whose first letter was consumed by the previous stage
// ("f" + "addr" / "oreign_address", "g" + "addr" / "lobal_address",
// "l" + "addr" / "ocal_address").
var dup450 = linear_select([
  match({
    id: "MESSAGE#288:302009:01/2",
    dissect: { tokenizer: "addr%{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#288:302009:01/2",
    dissect: { tokenizer: "oreign_address%{p1->}", field: "nwparser.p0" },
  }),
]);

// First pair is stored as source address/port.
var dup451 = match({
  id: "MESSAGE#288:302009:01/2",
  dissect: { tokenizer: "%{->} %{saddr->}/%{sport->} g%{p2->}", field: "nwparser.p1" },
});

var dup452 = linear_select([
  match({
    id: "MESSAGE#288:302009:01/4",
    dissect: { tokenizer: "addr%{p3->}", field: "nwparser.p2" },
  }),
  match({
    id: "MESSAGE#288:302009:01/4",
    dissect: { tokenizer: "lobal_address%{p3->}", field: "nwparser.p2" },
  }),
]);

// Second pair is stored as hostip/network_port.
var dup453 = match({
  id: "MESSAGE#288:302009:01/4",
  dissect: { tokenizer: "%{->} %{hostip->}/%{network_port->} l%{p4->}", field: "nwparser.p3" },
});

var dup454 = linear_select([
  match({
    id: "MESSAGE#288:302009:01/6",
    dissect: { tokenizer: "addr%{p5->}", field: "nwparser.p4" },
  }),
  match({
    id: "MESSAGE#288:302009:01/6",
    dissect: { tokenizer: "ocal_address%{p5->}", field: "nwparser.p4" },
  }),
]);

// Third pair is stored as destination address/port.
var dup455 = match({
  id: "MESSAGE#288:302009:01/6",
  dissect: { tokenizer: "%{->} %{daddr->}/%{dport->}", field: "nwparser.p5" },
});

var dup456 = set_field({ dest: "nwparser.event_description", value: constant("Rebuilt connection") });

// 302004, part 2: service and protocol of the back connection; continues at "f…".
var dup457 = match({
  id: "MESSAGE#278:302004/2",
  dissect: {
    tokenizer: "allocate %{network_service->} %{protocol->} backconnection for f%{p2->}",
    field: "nwparser.p1",
  },
});

// 302004, part 4: "addr" or "oreign_address" completing the keyword.
var dup458 = linear_select([
  match({
    id: "MESSAGE#278:302004/4",
    dissect: { tokenizer: "addr%{p3->}", field: "nwparser.p2" },
  }),
  match({
    id: "MESSAGE#278:302004/4",
    dissect: { tokenizer: "oreign_address%{p3->}", field: "nwparser.p2" },
  }),
]);

var dup459 = set_field({ dest: "nwparser.eventcategory", value: constant("1613050200") });

var dup460 = set_field({
  dest: "nwparser.event_description",
  value: constant("Device failed SSL handshake"),
});

var dup461 = set_field({
  dest: "nwparser.event_description",
  value: constant("Connection Redirected via Load Balancing"),
});
// 702203: payload must begin with "ISAKMP DPD time".
var dup462 = match({
  id: "MESSAGE#808:702203:01/0",
  dissect: { tokenizer: "ISAKMP DPD time%{p0->}", field: "nwparser.payload" },
});

var dup463 = set_field({ dest: "nwparser.event_description", value: constant("DPD timed out") });

var dup464 = set_field({ dest: "nwparser.event_description", value: constant("Monitoring on interface") });

// 713171, part 2: group plus unquoted user name before " , IP = ".
var dup465 = match({
  id: "MESSAGE#1284:713171/2",
  dissect: {
    tokenizer: "%{group->}, Username = %{username->} , IP = %{p1->}",
    field: "nwparser.p0",
  },
});

// 713171, part 2: group only.
var dup466 = match({
  id: "MESSAGE#1284:713171/2",
  dissect: { tokenizer: "%{group->} , IP = %{p1->}", field: "nwparser.p0" },
});

var dup467 = set_field({
  dest: "nwparser.event_description",
  value: constant("Address assignment failed"),
});

// 715001, part 1: the text after the first space becomes the event description.
var dup468 = match({
  id: "MESSAGE#991:715001/1",
  dissect: { tokenizer: "%{->} %{event_description->}", field: "nwparser.p0" },
});

// 725001: payload must begin with "Starting SSL handshake with "...
var dup469 = match({
  id: "MESSAGE#1185:725001:01/0",
  dissect: { tokenizer: "Starting SSL handshake with %{p0->}", field: "nwparser.payload" },
});

// ...followed by "client" or "server".
var dup470 = linear_select([
  match({
    id: "MESSAGE#1185:725001:01/2",
    dissect: { tokenizer: "client%{p1->}", field: "nwparser.p0" },
  }),
  match({
    id: "MESSAGE#1185:725001:01/2",
    dissect: { tokenizer: "server%{p1->}", field: "nwparser.p0" },
  }),
]);

var dup471 = set_field({ dest: "nwparser.event_description", value: constant("Starting SSL handshake") });

// 713259, part 2: source address and the tear-down reason (stored as `result`).
var dup472 = match({
  id: "MESSAGE#951:713259/2",
  dissect: {
    tokenizer: "%{saddr->}, Session is being torn down. Reason: %{result->}",
    field: "nwparser.p1",
  },
});

var dup473 = set_field({
  dest: "nwparser.event_description",
  value: constant("Session is being torn down"),
});

var dup474 = set_field({ dest: "nwparser.context", value: constant("Content type not found") });

// 713120, part 2: group plus user name in single quotes before " , IP = ".
var dup475 = match({
  id: "MESSAGE#886:713120/2",
  dissect: {
    tokenizer: "%{group->}, Username = '%{username->}' , IP = %{p1->}",
    field: "nwparser.p0",
  },
});
// Direction labels used by map_srcDirName and map_dstDirName near the top of
// the file. Those maps read dup476/dup477 inside object literals that are
// evaluated before these two assignments run; `var` hoists the declaration
// only, so both names are still undefined at that point.
// NOTE(review): unless the maps are rebuilt later, their "0"/"1" entries hold
// undefined instead of INSIDE/OUTSIDE. Confirm, and define these constants
// ahead of the maps.
var dup476 = constant("INSIDE");

var dup477 = constant("OUTSIDE");
// Header matchers. Each reads the raw `message` field and extracts level,
// messageid and payload; the variants differ in what precedes the "%ASA-" tag.

// Bare tag: "%ASA-<level>-<messageid>: <payload>".
var hdr1 = match({
  id: "HEADER#0:0001",
  dissect: { tokenizer: "%ASA-%{level->}-%{messageid->}: %{payload->}", field: "message" },
});

// Date with year, time, then a host IP followed by " : ".
var hdr2 = match({
  id: "HEADER#1:0033",
  dissect: {
    tokenizer: "%{month->} %{day->} %{year->} %{hhour->}:%{hmin->}:%{hsec->} %{hostip->} : %ASA-%{level->}-%{messageid->}: %{payload->}",
    field: "message",
  },
});

// Date with year, time, then a host name followed by ": ".
var hdr3 = match({
  id: "HEADER#2:0002",
  dissect: {
    tokenizer: "%{month->} %{day->} %{year->} %{hhour->}:%{hmin->}:%{hsec->} %{hhost->}: %ASA-%{level->}-%{messageid->}: %{payload->}",
    field: "message",
  },
});

// Staged variant: date first, then the time with or without a trailing colon,
// then level/messageid/payload.
var hdr4 = match({
  id: "HEADER#3:0003/0",
  dissect: { tokenizer: "%{month->} %{day->} %{year->} %{p0->}", field: "message" },
});

var msg1 = match({
  id: "HEADER#3:0003/2",
  dissect: { tokenizer: "%{hhour->}:%{hmin->}:%{hsec->}: %ASA-%{p1->}", field: "nwparser.p0" },
});

var msg2 = match({
  id: "HEADER#3:0003/2",
  dissect: { tokenizer: "%{hhour->}:%{hmin->}:%{hsec->} %ASA-%{p1->}", field: "nwparser.p0" },
});

var select1 = linear_select([msg1, msg2]);

var msg3 = match({
  id: "HEADER#3:0003/2",
  dissect: { tokenizer: "%{level->}-%{messageid->}: %{payload->}", field: "nwparser.p1" },
});

var all1 = all_match({
  processors: [hdr4, select1, msg3],
});
// Further header layouts for ASA and FWSM devices. All read `message`.

// Date without year, time, host IP, then the ASA tag.
var hdr5 = match({
  id: "HEADER#4:0012",
  dissect: {
    tokenizer: "%{month->} %{day->} %{hhour->}:%{hmin->}:%{hsec->} %{hostip->} %ASA-%{level->}-%{messageid->}: %{payload->}",
    field: "message",
  },
});

// One leading token (stored as paddr), then the ASA tag.
var hdr6 = match({
  id: "HEADER#5:0004",
  dissect: {
    tokenizer: "%{paddr->} %ASA-%{level->}-%{messageid->}: %{payload->}",
    field: "message",
  },
});

// Leading colon, date, time, timezone; the tag carries an extra segment (hfld1) before the level.
var hdr7 = match({
  id: "HEADER#6:0010",
  dissect: {
    tokenizer: ":%{month->} %{day->} %{hhour->}:%{hmin->}:%{hsec->} %{timezone->}: %ASA-%{hfld1->}-%{level->}-%{messageid->}: %{payload->}",
    field: "message",
  },
});

// Same as above without the leading colon.
var hdr8 = match({
  id: "HEADER#7:0014",
  dissect: {
    tokenizer: "%{month->} %{day->} %{hhour->}:%{hmin->}:%{hsec->} %{timezone->}: %ASA-%{hfld1->}-%{level->}-%{messageid->}: %{payload->}",
    field: "message",
  },
});

// Bare tag with the extra segment (hfld1).
var hdr9 = match({
  id: "HEADER#8:0011",
  dissect: {
    tokenizer: "%ASA-%{hfld1->}-%{level->}-%{messageid->}: %{payload->}",
    field: "message",
  },
});

// Bare tag where the message id is followed by a space instead of ": ".
var hdr10 = match({
  id: "HEADER#9:0005",
  dissect: { tokenizer: "%ASA-%{level->}-%{messageid->} %{payload->}", field: "message" },
});

// FWSM equivalents of the layouts above.
var hdr11 = match({
  id: "HEADER#10:0006",
  dissect: { tokenizer: "%FWSM-%{level->}-%{messageid->}: %{payload->}", field: "message" },
});

var hdr12 = match({
  id: "HEADER#11:0007",
  dissect: {
    tokenizer: "%{month->} %{day->} %{year->} %{hhour->}:%{hmin->}:%{hsec->} %{paddr->} : %FWSM-%{level->}-%{messageid->}: %{payload->}",
    field: "message",
  },
});

var hdr13 = match({
  id: "HEADER#12:0008",
  dissect: {
    tokenizer: "%{month->} %{day->} %{year->} %{hhour->}:%{hmin->}:%{hsec->} %FWSM-%{level->}-%{messageid->}: %{payload->}",
    field: "message",
  },
});

var hdr14 = match({
  id: "HEADER#13:0009",
  dissect: {
    tokenizer: "%{paddr->} %FWSM-%{level->}-%{messageid->}: %{payload->}",
    field: "message",
  },
});

// Leading colon; the segment before the level is stored as `group`.
var hdr15 = match({
  id: "HEADER#14:0013",
  dissect: {
    tokenizer: ":%ASA-%{group->}-%{level->}-%{messageid->}: %{payload->}",
    field: "message",
  },
});
// Catch-all headers. Both keep only `payload` (no level, no message id) and
// run dup0, which sets nwparser.messageid to "CISCOASA_GENERIC".
// hdr16 needs the line to start with "%ASA-"; hdr17 accepts any prefix before it.
// NOTE(review): events that land here bypass the per-message parsers, so a
// rising share of CISCOASA_GENERIC events is worth alerting on as a sign of
// an unrecognised or malformed header format.
var hdr16 = match({
  id: "HEADER#15:9999",
  dissect: { tokenizer: "%ASA-%{payload->}", field: "message" },
  on_success: processor_chain([dup0]),
});

var hdr17 = match({
  id: "HEADER#16:9998",
  dissect: { tokenizer: "%{fld->}%ASA-%{payload->}", field: "message" },
  on_success: processor_chain([dup0]),
});

// Header dispatch list; the two catch-alls are last.
// NOTE(review): presumably the alternatives are tried in this order and the
// first match wins. Several tokenizers overlap, so do not reorder without tests.
var select2 = linear_select([
  hdr1, hdr2, hdr3,
  all1,
  hdr5, hdr6, hdr7, hdr8, hdr9, hdr10,
  hdr11, hdr12, hdr13, hdr14,
  hdr15,
  hdr16, hdr17,
]);
// 103005: "(<context>)<event_description>"; on success the chain records
// msg_id1 = "103005" among the shared steps.
var msg4 = match({
  id: "MESSAGE#17:103005",
  dissect: { tokenizer: "(%{context->})%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup1,
    set_field({ dest: "nwparser.msg_id1", value: constant("103005") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// 713222: static crypto map check; captures group, source address, map name
// (fld1), sequence (fld2) and trailing info.
var msg5 = match({
  id: "MESSAGE#936:713222",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, Static Crypto Map check, map = %{fld1->}, seq = %{fld2->}, %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup6,
    set_field({ dest: "nwparser.msg_id1", value: constant("713222") }),
    dup7, dup2, dup3, dup4, dup5, dup8,
  ]),
});
// 715077 ("Pitcher"), first form: group, optional user name (quoted, then
// bare), source address, then action and SPI.
var msg6 = match({
  id: "MESSAGE#1042:715077/2",
  dissect: {
    tokenizer: "%{group->}, Username = '%{username->}', IP = %{saddr->}, Pitcher: %{p1->}",
    field: "nwparser.p0",
  },
});

var msg7 = match({
  id: "MESSAGE#1042:715077/2",
  dissect: {
    tokenizer: "%{group->}, Username = %{username->}, IP = %{saddr->}, Pitcher: %{p1->}",
    field: "nwparser.p0",
  },
});

var msg8 = match({
  id: "MESSAGE#1042:715077/2",
  dissect: { tokenizer: "%{group->}, IP = %{saddr->}, Pitcher: %{p1->}", field: "nwparser.p0" },
});

var select3 = linear_select([msg6, msg7, msg8]);

var msg9 = match({
  id: "MESSAGE#1042:715077/2",
  dissect: { tokenizer: "%{action->}, spi %{dst_spi->}", field: "nwparser.p1" },
});

var all2 = all_match({
  processors: [dup9, select3, msg9],
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("715077") }),
    dup7, dup11, dup12, dup13, dup4, dup5, dup2, dup3,
  ]),
});

// 715077:01, second form: the payload starts directly with "Pitcher: ".
var msg10 = match({
  id: "MESSAGE#1043:715077:01/0",
  dissect: { tokenizer: "Pitcher: %{result->} %{p0->}", field: "nwparser.payload" },
});

var msg11 = match({
  id: "MESSAGE#1043:715077:01/2",
  dissect: { tokenizer: ", %{p1->}", field: "nwparser.p0" },
});

// Single-alternative select, kept exactly as generated.
var select4 = linear_select([msg11]);

var msg12 = match({
  id: "MESSAGE#1043:715077:01/2",
  dissect: { tokenizer: "spi %{dst_spi->}", field: "nwparser.p1" },
});

var all3 = all_match({
  processors: [msg10, select4, msg12],
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("715077:01") }),
    dup7, dup11, dup12, dup13, dup14, dup4, dup5, dup2, dup3,
  ]),
});

// Dispatch for 715077: the first form is listed before the second.
var select5 = linear_select([all2, all3]);
// 113015: local-database authentication outcome. Action and reason are taken
// from the payload; the user part continues in p0.
var msg13 = match({
  id: "MESSAGE#192:113015/0",
  dissect: {
    tokenizer: "%{action->} : reason = %{result->} : local database : user = %{p0->}",
    field: "nwparser.payload",
  },
});

// User name followed by the client address; dup15 is the alternative when
// this form does not apply.
var msg14 = match({
  id: "MESSAGE#192:113015/1",
  dissect: { tokenizer: "%{username->} : user IP = %{saddr->}", field: "nwparser.p0" },
});

var select6 = linear_select([msg14, dup15]);

var all4 = all_match({
  processors: [msg13, select6],
  on_success: processor_chain([
    dup16,
    set_field({ dest: "nwparser.msg_id1", value: constant("113015") }),
    dup17, dup18, dup19, dup2, dup3, dup4, dup5,
  ]),
});

// 210001: "LU SMNAME error = <resultcode>".
var msg15 = match({
  id: "MESSAGE#241:210001",
  dissect: { tokenizer: "LU SMNAME error = %{resultcode->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("210001") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 304008: "LEAVING"/"Leaving" ALLOW mode, matched as "L" + ("EAVING" | "eaving").
var msg16 = match({
  id: "MESSAGE#360:304008/0",
  dissect: { tokenizer: "%{->}L%{p0->}", field: "nwparser.payload" },
});

var msg17 = match({
  id: "MESSAGE#360:304008/2",
  dissect: { tokenizer: "EAVING%{p1->}", field: "nwparser.p0" },
});

var msg18 = match({
  id: "MESSAGE#360:304008/2",
  dissect: { tokenizer: "eaving%{p1->}", field: "nwparser.p0" },
});

var select7 = linear_select([msg17, msg18]);

var msg19 = match({
  id: "MESSAGE#360:304008/2",
  dissect: { tokenizer: "%{->}ALLOW mode, URL Server", field: "nwparser.p1" },
});

var all5 = all_match({
  processors: [msg16, select7, msg19],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("304008") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// 305001: portmapped translation; global address/port go to hostip/network_port,
// local address/port to daddr/dport.
var msg20 = match({
  id: "MESSAGE#362:305001",
  dissect: {
    tokenizer: "Portmapped translation built for gaddr %{hostip->}/%{network_port->} laddr %{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("305001") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Portmapped translation built"),
    }),
  ]),
});

// 752004: Tunnel Manager dispatch to IKEv1; message type, map tag and map
// sequence number are kept as generic fields (fld3, fld1, fld2).
var msg21 = match({
  id: "MESSAGE#1278:752004",
  dissect: {
    tokenizer: "Tunnel Manager dispatching a %{fld3->} message to IKEv1. Map Tag = %{fld1->}. Map Sequence Number = %{fld2->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("752004") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 713066: IKE remote peer configured for a crypto map. Staged form: the peer
// address and map name are read from p1 after dup22 and dup23 have run.
var msg22 = match({
  id: "MESSAGE#872:713066/2",
  dissect: {
    tokenizer: "%{saddr->}, IKE Remote Peer configured for crypto map: %{fld1->}",
    field: "nwparser.p1",
  },
});

var all6 = all_match({
  processors: [dup22, dup23, msg22],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("713066") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});

// 713066:01: single-pass form with an explicit "Group = …, IP = …" prefix.
var msg23 = match({
  id: "MESSAGE#873:713066:01",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, IKE Remote Peer configured for crypto map: %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("713066:01") }),
    dup7, dup14, dup2, dup3, dup4, dup5,
  ]),
});

// Dispatch for 713066: the staged form is listed before the single-pass form.
var select8 = linear_select([all6, msg23]);
// ASA 769004: image checksum error while copying an ASA image during update.
// The source path goes to filename and the destination to fld22. A failed
// image checksum is an integrity signal worth surfacing downstream.
// Note this chain uses dup25 where most sibling chains use dup3.
var msg24 = match({
  id: "MESSAGE#1294:769004",
  dissect: {
    tokenizer: "UPDATE: ASA image checksum error copying '%{filename->}' to '%{fld22->}'",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup24,
    set_field({ dest: "nwparser.msg_id1", value: constant("769004") }),
    dup14,
    dup2, dup25, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("image checksum error") }),
  ]),
});
// ASA 400001: signature-style event. Captures product, signature id (sigid),
// context text, source and destination address and the destination interface.
var msg25 = match({
  id: "MESSAGE#498:400001",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({ dest: "nwparser.msg_id1", value: constant("400001") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// ASA 602304: built entirely from shared fragments (dup31..dup33), so the
// message text itself is not visible in this statement.
// Uses dup35 where most sibling chains use dup3.
var all7 = all_match({
  processors: [dup31, dup32, dup33],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("602304") }),
    dup7,
    dup2, dup35, dup4, dup5,
  ]),
});
// ASA 606004: ASDM logging session ended. Captures the session number and
// the address the session came from (hostip).
var msg26 = match({
  id: "MESSAGE#743:606004",
  dissect: {
    tokenizer: "ASDM logging session number %{sessionid->} from %{hostip->} ended",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup36,
    set_field({ dest: "nwparser.msg_id1", value: constant("606004") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 709006: catch-all. The whole payload is stored in event_description;
// no addresses or user names are split out by this pattern.
var msg27 = match({
  id: "MESSAGE#839:709006",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup37,
    set_field({ dest: "nwparser.msg_id1", value: constant("709006") }),
    dup38, dup39, dup40,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 617001: GTP version not accepted. Captures the version (fld1) and the
// full source and destination interface:address/port tuples.
var msg28 = match({
  id: "MESSAGE#792:617001",
  dissect: {
    tokenizer: "GTPv version %{fld1->} from %{sinterface->}:%{saddr->}/%{sport->} not accepted by %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("617001") }),
    dup42, dup43, dup40,
    dup2, dup3,
    set_field({ dest: "nwparser.result", value: constant("GTP version not accepted") }),
    dup4, dup5,
  ]),
});
// ASA 713194 family. Two header shapes share one pattern id: the user name
// wrapped in single quotes (msg29) and bare (msg30). Both leave the rest of
// the line in p1.
var msg29 = match({
  id: "MESSAGE#921:713194/2",
  dissect: {
    tokenizer: "Group = %{group->}, Username = '%{username->}', IP = %{saddr->}, %{p1->}",
    field: "nwparser.p0",
  },
});

var msg30 = match({
  id: "MESSAGE#921:713194/2",
  dissect: {
    tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{p1->}",
    field: "nwparser.p0",
  },
});

// The quoted form is listed before the bare form; presumably the first
// alternative that matches wins, which keeps the quotes out of username.
var select9 = linear_select([msg29, msg30, dup45, dup46]);

var all8 = all_match({
  processors: [dup44, select9, dup33],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("713194") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 715048: assembled only from shared fragments (dup44, dup47, dup48);
// the message text is defined with those fragments, not here.
var all9 = all_match({
  processors: [dup44, dup47, dup48],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("715048") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 101004: a parenthesised context token followed by free text, which is
// stored whole in event_description.
var msg31 = match({
  id: "MESSAGE#3:101004",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup49,
    set_field({ dest: "nwparser.msg_id1", value: constant("101004") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 201009: TCP connection limit exceeded for a host. The limit goes to
// dclass_counter1 and is labelled via dclass_counter1_string; the affected
// host is hostip. Useful as a connection-exhaustion indicator.
var msg32 = match({
  id: "MESSAGE#225:201009",
  dissect: {
    tokenizer: "TCP connection limit of %{dclass_counter1->} for host %{hostip->} on %{interface->} exceeded",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("201009") }),
    dup2, dup3,
    set_field({ dest: "nwparser.dclass_counter1_string", value: constant("Number of connections") }),
    dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("TCP connection limit exceeded") }),
  ]),
});
// ASA 409008: catch-all; the whole payload becomes event_description.
var msg33 = match({
  id: "MESSAGE#610:409008",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("409008") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 611323: catch-all; the whole payload becomes event_description.
var msg34 = match({
  id: "MESSAGE#779:611323",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup51,
    set_field({ dest: "nwparser.msg_id1", value: constant("611323") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 400045: signature-style event with the same layout as the other 4000xx
// patterns in this file (product, sigid, context, addresses, interface).
var msg35 = match({
  id: "MESSAGE#542:400045",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup52,
    set_field({ dest: "nwparser.msg_id1", value: constant("400045") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// ASA 737031: host removed from standby. Tail fragment read from p1.
// NOTE(review): there is no space between "Removed" and the hostip token —
// confirm against sample logs that hostip does not pick up leading whitespace.
var msg36 = match({
  id: "MESSAGE#1250:737031/2",
  dissect: {
    tokenizer: "Removed%{hostip->} from standby",
    field: "nwparser.p1",
  },
});

var all10 = all_match({
  processors: [dup53, dup54, msg36],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("737031") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Removed host from standby") }),
  ]),
});
// ASA 402118: ESP packet containing an illegal IP fragment. Captures peer
// addresses, user name, fragment length (dclass_counter1) and offset
// (dclass_counter2).
// NOTE(review): the SPI value is captured into `protocol` here, whereas the
// 715006:01 pattern in this file stores an SPI in dst_spi — confirm the
// mapping is intended before filtering on protocol for this message.
var msg37 = match({
  id: "MESSAGE#561:402118",
  dissect: {
    tokenizer: "IPSEC: Received an ESP packet (SPI= %{protocol->}, sequence number=%{fld1->}) from %{saddr->} (user=%{username->}) to %{daddr->} containing an illegal IP fragment of length %{dclass_counter1->} with offset %{dclass_counter2->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("402118") }),
    dup7,
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("illegal IP fragment on IPSEC packet") }),
    dup56,
  ]),
});
// ASA 505015: module application up. Two header shapes share one pattern id:
// "<product> Module in slot N" and the fixed "Module ips". Both stop at the
// opening double quote and leave the remainder in p0.
var msg38 = match({
  id: "MESSAGE#700:505015/1",
  dissect: {
    tokenizer: "%{product->} Module in slot %{fld1->}, application up \"%{p0->}",
    field: "nwparser.payload",
  },
});

var msg39 = match({
  id: "MESSAGE#700:505015/1",
  dissect: {
    tokenizer: "Module ips, application up \"%{p0->}",
    field: "nwparser.payload",
  },
});

var select10 = linear_select([msg38, msg39]);

// dup57 (defined elsewhere) follows the header and presumably consumes p0.
var all11 = all_match({
  processors: [select10, dup57],
  on_success: processor_chain([
    dup58,
    set_field({ dest: "nwparser.msg_id1", value: constant("505015") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 611318: catch-all; the whole payload becomes event_description.
var msg40 = match({
  id: "MESSAGE#774:611318",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup59,
    set_field({ dest: "nwparser.msg_id1", value: constant("611318") }),
    dup7,
    dup60, dup38,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 737001: received message. The single-quoted text is stored in info.
var msg41 = match({
  id: "MESSAGE#1227:737001/2",
  dissect: {
    tokenizer: "Received message '%{info->}'",
    field: "nwparser.p1",
  },
});

var all12 = all_match({
  processors: [dup53, dup54, msg41],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("737001") }),
    dup2, dup3,
    set_field({ dest: "nwparser.result", value: constant("Received message") }),
    dup4, dup5,
  ]),
});
// ASA 604101: DHCP client event. Interface name before the colon, everything
// after it in info.
var msg42 = match({
  id: "MESSAGE#729:604101",
  dissect: {
    tokenizer: "DHCP client interface %{interface->}:%{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58,
    set_field({ dest: "nwparser.msg_id1", value: constant("604101") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 109007: authorization permitted for a user. msg43 only strips the fixed
// prefix; the user and address details are parsed by dup61/dup62, which are
// defined elsewhere in the file.
var msg43 = match({
  id: "MESSAGE#128:109007/0",
  dissect: {
    tokenizer: "Authorization permitted for user %{p0->}",
    field: "nwparser.payload",
  },
});

var all13 = all_match({
  processors: [msg43, dup61, dup62],
  on_success: processor_chain([
    dup63,
    set_field({ dest: "nwparser.msg_id1", value: constant("109007") }),
    dup17, dup64, dup65,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("Successful Authorization") }),
  ]),
});
// ASA 110002, first form: no ARP entry for a host (hostip).
var msg44 = match({
  id: "MESSAGE#160:110002",
  dissect: {
    tokenizer: "No ARP for host %{hostip->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("110002") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("No ARP for host") }),
  ]),
});

// ASA 110002, second form: no egress interface found for a flow. Captures
// protocol, source interface:address/port and destination address/port.
var msg45 = match({
  id: "MESSAGE#161:110002:01",
  dissect: {
    tokenizer: "Failed to locate egress interface for %{protocol->} from %{sinterface->}:%{saddr->}/%{sport->} to %{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("110002:01") }),
    dup14,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Failed to locate egress interface") }),
  ]),
});

// Both 110002 forms, in the order listed.
var select11 = linear_select([msg44, msg45]);
// ASA 304001 family: a client (saddr) accessed a URL on a server (daddr).
// The url field holds text taken straight from the log line, so downstream
// consumers should treat it as untrusted input.
//
// Variant 304001: the line is split in stages p1 -> p2 -> p3.
var msg46 = match({
  id: "MESSAGE#351:304001/2",
  dissect: {
    tokenizer: "%{saddr->} Accessed %{p2->}",
    field: "nwparser.p1",
  },
});

var msg47 = match({
  id: "MESSAGE#351:304001/4",
  dissect: {
    tokenizer: "JAVA %{p3->}",
    field: "nwparser.p2",
  },
});

// NOTE(review): the only alternative requires the literal "JAVA " prefix, and
// msg48 reads p3, which only msg47 populates. Confirm that plain
// "Accessed URL ..." lines are covered elsewhere, or they may go unparsed.
var select12 = linear_select([msg47]);

var msg48 = match({
  id: "MESSAGE#351:304001/4",
  dissect: {
    tokenizer: "URL %{daddr->}: %{url->}",
    field: "nwparser.p3",
  },
});

var all14 = all_match({
  processors: [dup44, dup66, msg46, select12, msg48],
  on_success: processor_chain([
    dup67,
    set_field({ dest: "nwparser.msg_id1", value: constant("304001") }),
    dup2, dup3, dup4, dup5,
    dup68, dup69, dup70, dup71, dup72, dup73,
  ]),
});

// Variant 304001:01: same content, staged payload -> p0 -> p1.
var msg49 = match({
  id: "MESSAGE#352:304001:01/0",
  dissect: {
    tokenizer: "%{saddr->} Accessed %{p0->}",
    field: "nwparser.payload",
  },
});

var msg50 = match({
  id: "MESSAGE#352:304001:01/2",
  dissect: {
    tokenizer: "JAVA %{p1->}",
    field: "nwparser.p0",
  },
});

// NOTE(review): same single-alternative concern as select12 — msg51 reads p1,
// which only msg50 populates.
var select13 = linear_select([msg50]);

var msg51 = match({
  id: "MESSAGE#352:304001:01/2",
  dissect: {
    tokenizer: "URL %{daddr->}: %{url->}",
    field: "nwparser.p1",
  },
});

var all15 = all_match({
  processors: [msg49, select13, msg51],
  on_success: processor_chain([
    dup67,
    set_field({ dest: "nwparser.msg_id1", value: constant("304001:01") }),
    dup14,
    dup2, dup3, dup4, dup5,
    dup68, dup69, dup70, dup71, dup72, dup73,
  ]),
});

// Both 304001 variants, in the order listed.
var select14 = linear_select([all14, all15]);
// ASA 400048: signature-style event (product, sigid, context, source and
// destination address, destination interface).
var msg52 = match({
  id: "MESSAGE#545:400048",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup74,
    set_field({ dest: "nwparser.msg_id1", value: constant("400048") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// ASA 212003: unable to receive a request on an interface. Captures the
// protocol, the interface and the numeric error code (resultcode).
var msg53 = match({
  id: "MESSAGE#256:212003",
  dissect: {
    tokenizer: "Unable to receive an %{protocol->} request on interface %{interface->}, error code = %{resultcode->}, will try again.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup75,
    set_field({ dest: "nwparser.msg_id1", value: constant("212003") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 405002: catch-all; the whole payload becomes event_description.
var msg54 = match({
  id: "MESSAGE#589:405002",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup76,
    set_field({ dest: "nwparser.msg_id1", value: constant("405002") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 716002: session terminated. Tail fragment read from p1: peer address,
// service name and the termination reason (result).
var msg55 = match({
  id: "MESSAGE#1046:716002/2",
  dissect: {
    tokenizer: "%{saddr->}> %{network_service->} session terminated: %{result->}",
    field: "nwparser.p1",
  },
});

var all16 = all_match({
  processors: [dup77, dup78, msg55],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("716002") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("session terminated") }),
  ]),
});
// ASA 507002: connection moved to non-proxy mode. Captures both
// interface:address/port tuples and the trailing reason text (result).
var msg56 = match({
  id: "MESSAGE#703:507002",
  dissect: {
    tokenizer: "Moving connection from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} to non-proxy mode - %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("507002") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Moving connection") }),
  ]),
});
// ASA 715006 family. The first variant is assembled only from shared
// fragments (dup79..dup81) defined elsewhere in the file.
var all17 = all_match({
  processors: [dup79, dup80, dup81],
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("715006") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});

// Bare variant without a group/IP header; the SPI is stored in dst_spi.
var msg57 = match({
  id: "MESSAGE#993:715006:01",
  dissect: {
    tokenizer: "IKE got SPI from key engine: SPI = %{dst_spi->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("715006:01") }),
    dup7,
    dup14,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("IKE got SPI from key engine") }),
  ]),
});

// Both 715006 variants, in the order listed.
var select15 = linear_select([all17, msg57]);
// ASA 717003: catch-all; the whole payload becomes event_description.
var msg58 = match({
  id: "MESSAGE#1064:717003",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup83,
    set_field({ dest: "nwparser.msg_id1", value: constant("717003") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 717055: a certificate in a trustpoint has expired. Captures the
// trustpoint (cert_hostname), subject, issuer (dn) and serial number.
// NOTE(review): each value is delimited by "<<" (written as \u003c\u003c) on
// the left but a single ">" on the right — confirm against sample logs that
// this asymmetry matches what the device emits.
var msg59 = match({
  id: "MESSAGE#1086:717055",
  dissect: {
    tokenizer: "The \u003c\u003c%{fld1->}> certificate in the trustpoint \u003c\u003c%{cert_hostname->}> has expired. Expiration \u003c\u003c%{fld2->}> Subject Name \u003c\u003c%{cert_subject->}> Issuer Name \u003c\u003c%{dn->}> Serial Number \u003c\u003c%{serial_number->}>",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("717055") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("The certificate in the trustpoint has expired.") }),
  ]),
});
// ASA 109022: catch-all; the whole payload becomes event_description.
var msg60 = match({
  id: "MESSAGE#146:109022",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("109022") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 315001: SSH session denied. Captures the client address (saddr) and the
// interface it arrived on.
// NOTE(review): event_description is set to "Denied session" without "SSH";
// unless a shared processor records the service, msg_id1 is the only field
// that identifies these as SSH denials.
var msg61 = match({
  id: "MESSAGE#413:315001",
  dissect: {
    tokenizer: "Denied SSH session from %{saddr->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup84,
    set_field({ dest: "nwparser.msg_id1", value: constant("315001") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Denied session") }),
  ]),
});
// ASA 400033: signature-style event (product, sigid, context, source and
// destination address, destination interface).
var msg62 = match({
  id: "MESSAGE#530:400033",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup85,
    set_field({ dest: "nwparser.msg_id1", value: constant("400033") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// ASA 400035: signature-style event (product, sigid, context, source and
// destination address, destination interface).
var msg63 = match({
  id: "MESSAGE#532:400035",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup76,
    set_field({ dest: "nwparser.msg_id1", value: constant("400035") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// ASA 720021: "(VPN-<context>) <text>." — the unit tag goes to context and
// the text up to the final period goes to event_description.
var msg64 = match({
  id: "MESSAGE#1119:720021",
  dissect: {
    tokenizer: "(VPN-%{context->}) %{event_description->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("720021") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 113020: Kerberos clock-skew error against an authentication server
// (hostip).
// NOTE(review): "300 seconds" is a literal in the pattern; presumably a line
// reporting a different threshold would not match — confirm.
var msg65 = match({
  id: "MESSAGE#197:113020",
  dissect: {
    tokenizer: "Kerberos error : Clock skew with server %{hostip->} greater than 300 seconds",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup86,
    set_field({ dest: "nwparser.msg_id1", value: constant("113020") }),
    dup18, dup87,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("Kerberos error") }),
  ]),
});
// ASA 702201 family. The two tail fragments differ in role: when the local
// side is the initiator, local -> saddr and remote -> daddr; when it is the
// responder, the mapping is swapped (local -> daddr, remote -> saddr).
var msg66 = match({
  id: "MESSAGE#804:702201:01/2",
  dissect: {
    tokenizer: "%{->}received (local %{saddr->} (initiator), remote %{daddr->})",
    field: "nwparser.p1",
  },
});

// In both chains dup4/dup5 come before dup2/dup3, unlike most sibling chains;
// that order is preserved as written.
var all18 = all_match({
  processors: [dup88, dup89, msg66],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702201:01") }),
    dup7,
    dup14,
    dup4, dup5, dup2, dup3,
    dup90,
  ]),
});

var msg67 = match({
  id: "MESSAGE#805:702201/2",
  dissect: {
    tokenizer: "%{->}received (local %{daddr->} (responder), remote %{saddr->})",
    field: "nwparser.p1",
  },
});

var all19 = all_match({
  processors: [dup88, dup89, msg67],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702201") }),
    dup7,
    dup4, dup5, dup2, dup3,
    dup90,
  ]),
});

// Initiator form first, then responder form.
var select16 = linear_select([all18, all19]);
// ASA 713167 family: remote peer failed user authentication. The peer address
// goes to saddr and the trailing reason text to info. These events are a
// natural input for failed-VPN-login detections.
var msg68 = match({
  id: "MESSAGE#913:713167/2",
  dissect: {
    tokenizer: "%{saddr->}, Remote peer has failed user authentication - %{info->}",
    field: "nwparser.p1",
  },
});

var all20 = all_match({
  processors: [dup22, dup23, msg68],
  on_success: processor_chain([
    dup16,
    set_field({ dest: "nwparser.msg_id1", value: constant("713167") }),
    dup7,
    dup17, dup18, dup19,
    dup2, dup3, dup4, dup5,
    dup91,
  ]),
});

// Single-pattern variant that also carries the tunnel group.
var msg69 = match({
  id: "MESSAGE#914:713167:01",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, Remote peer has failed user authentication - %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16,
    set_field({ dest: "nwparser.msg_id1", value: constant("713167:01") }),
    dup7,
    dup17, dup18, dup19,
    dup14,
    dup2, dup3, dup4, dup5,
    dup91,
  ]),
});

// Both 713167 variants, in the order listed.
var select17 = linear_select([all20, msg69]);
// ASA 725009 family: the device proposes ciphers to a peer.
// Long form: cipher count in dclass_counter1, then (via dup92, defined
// elsewhere) the interface:address/port tuple of the connection.
var msg70 = match({
  id: "MESSAGE#1196:725009:01/0",
  dissect: {
    tokenizer: "Device proposes the following %{dclass_counter1->} cipher(s) to %{p0->}",
    field: "nwparser.payload",
  },
});

var msg71 = match({
  id: "MESSAGE#1196:725009:01/2",
  dissect: {
    tokenizer: "%{->} %{interface->}:%{saddr->}/%{sport->} to %{daddr->}/%{dport->}",
    field: "nwparser.p1",
  },
});

var all21 = all_match({
  processors: [msg70, dup92, msg71],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("725009:01") }),
    dup2, dup3, dup4, dup5,
    dup93,
    set_field({ dest: "nwparser.dclass_counter1_string", value: constant("The number of supported ciphers") }),
  ]),
});

// Short form: here the cipher count goes to the generic fld1 rather than
// dclass_counter1, so the two variants expose the count under different names.
var msg72 = match({
  id: "MESSAGE#1197:725009",
  dissect: {
    tokenizer: "Device proposes %{fld1->} cipher(s) to server %{interface->}:%{hostip->}/%{network_port->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("725009") }),
    dup2, dup3, dup4, dup5,
    dup93,
  ]),
});

// Long form first, then short form.
var select18 = linear_select([all21, msg72]);
// ASA 408002: OSPF route update overriding a conflicting route.
// Stage 1 strips the "ospf " prefix.
var msg73 = match({
  id: "MESSAGE#602:408002/0",
  dissect: {
    tokenizer: "ospf %{p0->}",
    field: "nwparser.payload",
  },
});

// Stage 2 accepts one of three route-type prefixes: E1, E2 or IA. The matched
// prefix itself is not stored in any field.
var msg74 = match({
  id: "MESSAGE#602:408002/2",
  dissect: {
    tokenizer: "E1%{p1->}",
    field: "nwparser.p0",
  },
});

var msg75 = match({
  id: "MESSAGE#602:408002/2",
  dissect: {
    tokenizer: "E2%{p1->}",
    field: "nwparser.p0",
  },
});

var msg76 = match({
  id: "MESSAGE#602:408002/2",
  dissect: {
    tokenizer: "IA%{p1->}",
    field: "nwparser.p0",
  },
});

var select19 = linear_select([msg74, msg75, msg76]);

// Stage 3 parses the update details and the route it overrides.
var msg77 = match({
  id: "MESSAGE#602:408002/2",
  dissect: {
    tokenizer: "%{->}update %{stransaddr->} %{fld1->} [%{fld2->}] via %{daddr->}:%{host->} overriding conflict with %{dtransaddr->} %{fld3->} [%{fld4->}] %{interface->}",
    field: "nwparser.p1",
  },
});

// NOTE(review): result is the constant "Ospf IA update conflict" even when
// select19 matched the E1 or E2 prefix — confirm this label is intended.
var all22 = all_match({
  processors: [msg73, select19, msg77],
  on_success: processor_chain([
    dup94,
    set_field({ dest: "nwparser.msg_id1", value: constant("408002") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("Ospf IA update conflict") }),
  ]),
});
// ASA 503001: neighbor state change. Process id in fld1, neighbor address in
// hostip, old/new state in fld2/fld3, trailing text in result.
var msg78 = match({
  id: "MESSAGE#685:503001",
  dissect: {
    tokenizer: "Process %{fld1->}, Nbr %{hostip->} on %{interface->} from %{fld2->} to %{fld3->}, %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup95,
    set_field({ dest: "nwparser.msg_id1", value: constant("503001") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 611104: catch-all; the whole payload becomes event_description.
var msg79 = match({
  id: "MESSAGE#756:611104",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup36,
    set_field({ dest: "nwparser.msg_id1", value: constant("611104") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 109019: a downloaded ACL has a parsing error. Two shapes share one
// pattern id: the ACL name in single quotes (msg80) and bare (msg81).
var msg80 = match({
  id: "MESSAGE#143:109019/2",
  dissect: {
    tokenizer: "'%{listnum->}' has parsing error; ACE %{p1->}",
    field: "nwparser.p0",
  },
});

var msg81 = match({
  id: "MESSAGE#143:109019/2",
  dissect: {
    tokenizer: "%{listnum->} has parsing error; ACE %{p1->}",
    field: "nwparser.p0",
  },
});

// Quoted form is listed first; presumably the first matching alternative
// wins, which keeps the quotes out of listnum.
var select20 = linear_select([msg80, msg81]);

var all23 = all_match({
  processors: [dup96, select20, dup97],
  on_success: processor_chain([
    dup6,
    set_field({ dest: "nwparser.msg_id1", value: constant("109019") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("ACL has parsing error") }),
  ]),
});
// ASA 109024: authorization denied for a flow. Captures source and
// destination address/port, the parenthesised reason (result), the interface
// and the protocol used.
var msg82 = match({
  id: "MESSAGE#149:109024",
  dissect: {
    tokenizer: "Authorization denied from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} (%{result->}) on interface %{interface->} using %{protocol->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup98,
    set_field({ dest: "nwparser.msg_id1", value: constant("109024") }),
    dup65, dup99,
    dup2, dup3, dup4, dup5,
    dup100,
  ]),
});
// ASA 317005: catch-all; the whole payload becomes event_description.
var msg83 = match({
  id: "MESSAGE#427:317005",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("317005") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 450001: traffic denied because the licensed host limit was exceeded.
// Captures protocol, both interface:address/port tuples and the limit (fld1).
var msg84 = match({
  id: "MESSAGE#597:450001",
  dissect: {
    tokenizer: "Deny traffic for protocol %{protocol->} src %{sinterface->}:%{saddr->}/%{sport->} dst %{dinterface->}:%{daddr->}/%{dport->}, licensed host limit of %{fld1->} exceeded.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup101,
    set_field({ dest: "nwparser.msg_id1", value: constant("450001") }),
    dup43, dup99, dup102,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 402127: the latest Crypto Archive File was not written because the
// maximum number of files (fld2) has been reached.
var msg85 = match({
  id: "MESSAGE#568:402127/0",
  dissect: {
    tokenizer: "CRYPTO: The ASA is skipping the writing of latest Crypto Archive File as the maximum # of files (%{fld2->}) allowed have been written to %{p0->}",
    field: "nwparser.payload",
  },
});

// The archive location appears in three shapes: "<<name>", 'name' and bare.
// (\u003c is "<" and \u0026 is "&".)
var msg86 = match({
  id: "MESSAGE#568:402127/2",
  dissect: {
    tokenizer: "\u003c\u003c%{filename->}> . Please archive \u0026 remove files from %{p1->}",
    field: "nwparser.p0",
  },
});

var msg87 = match({
  id: "MESSAGE#568:402127/2",
  dissect: {
    tokenizer: "'%{filename->}' . Please archive \u0026 remove files from %{p1->}",
    field: "nwparser.p0",
  },
});

var msg88 = match({
  id: "MESSAGE#568:402127/2",
  dissect: {
    tokenizer: "%{filename->} . Please archive \u0026 remove files from %{p1->}",
    field: "nwparser.p0",
  },
});

// Delimited forms are listed before the bare form.
var select21 = linear_select([msg86, msg87, msg88]);

var msg89 = match({
  id: "MESSAGE#568:402127/2",
  dissect: {
    tokenizer: "%{fld3->} if you want more Crypto Archive Files saved",
    field: "nwparser.p1",
  },
});

var all24 = all_match({
  processors: [msg85, select21, msg89],
  on_success: processor_chain([
    dup49,
    set_field({ dest: "nwparser.msg_id1", value: constant("402127") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("Latest Crypto File not written") }),
  ]),
});
// ASA 202004: could not build a portmap translation for an address (saddr).
var msg90 = match({
  id: "MESSAGE#232:202004",
  dissect: {
    tokenizer: "Could not build portmap translation for %{saddr->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("202004") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 212004: unable to send a response. Captures protocol, destination
// address and port, the interface and the numeric error code (resultcode).
var msg91 = match({
  id: "MESSAGE#257:212004",
  dissect: {
    tokenizer: "Unable to send an %{protocol->} response to IP Address %{daddr->} Port %{dport->} interface %{interface->}, error code = %{resultcode->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup75,
    set_field({ dest: "nwparser.msg_id1", value: constant("212004") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 309004: manager session limit exceeded. Captures the requesting address
// (saddr) and the interface it arrived on.
var msg92 = match({
  id: "MESSAGE#400:309004",
  dissect: {
    tokenizer: "Manager session limit exceeded. Connection request from %{saddr->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup84,
    set_field({ dest: "nwparser.msg_id1", value: constant("309004") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Manager session limit exceeded") }),
  ]),
});
// ASA 315005: SSH session limit exceeded. The %{space->} token sits between
// the two sentences; the requesting address goes to saddr.
var msg93 = match({
  id: "MESSAGE#418:315005",
  dissect: {
    tokenizer: "SSH session limit exceeded.%{space->}Connection request from %{saddr->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup84,
    set_field({ dest: "nwparser.msg_id1", value: constant("315005") }),
    dup2, dup3, dup4, dup5,
    dup103,
  ]),
});
// ASA 111006: console login. msg94 strips the fixed prefix, dup104 (defined
// elsewhere) handles the middle part, and msg95 stores what remains in p1 as
// the source address.
var msg94 = match({
  id: "MESSAGE#170:111006/0",
  dissect: {
    tokenizer: "Console Login from %{p0->}",
    field: "nwparser.payload",
  },
});

var msg95 = match({
  id: "MESSAGE#170:111006/2",
  dissect: {
    tokenizer: "%{saddr->}",
    field: "nwparser.p1",
  },
});

var all25 = all_match({
  processors: [msg94, dup104, msg95],
  on_success: processor_chain([
    dup105,
    set_field({ dest: "nwparser.msg_id1", value: constant("111006") }),
    dup17, dup106, dup18, dup40,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 112001: catch-all; the whole payload becomes event_description.
var msg96 = match({
  id: "MESSAGE#176:112001",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup107,
    set_field({ dest: "nwparser.msg_id1", value: constant("112001") }),
    dup38, dup108, dup39, dup40,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 709002: catch-all; the whole payload becomes event_description.
var msg97 = match({
  id: "MESSAGE#835:709002",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("709002") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 715071: tunnel group and peer IP, with the rest of the line kept as
// free text in result.
var msg98 = match({
  id: "MESSAGE#1283:715071",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("715071") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 733101: a host is reported as attacking or as targeted. Both forms put
// the address in hostip.
// NOTE(review): neither pattern records which role matched; unless a shared
// processor derives it, "attacking" and "targeted" hosts are indistinguishable
// in the structured fields and only the raw message tells them apart.
var msg99 = match({
  id: "MESSAGE#1211:733101/2",
  dissect: {
    tokenizer: "%{hostip->} is attacking%{p1->}",
    field: "nwparser.p0",
  },
});

var msg100 = match({
  id: "MESSAGE#1211:733101/2",
  dissect: {
    tokenizer: "%{hostip->} is targeted%{p1->}",
    field: "nwparser.p0",
  },
});

var select22 = linear_select([msg99, msg100]);

// Everything after the ". " separator is kept as free text in info.
var msg101 = match({
  id: "MESSAGE#1211:733101/2",
  dissect: {
    tokenizer: ". %{info->}",
    field: "nwparser.p1",
  },
});

var all26 = all_match({
  processors: [dup44, select22, msg101],
  on_success: processor_chain([
    dup109,
    set_field({ dest: "nwparser.msg_id1", value: constant("733101") }),
    dup2, dup3, dup4, dup5,
  ]),
});
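// Message id 211003: the whole payload is kept as event_description.
var msg102 = match({
  id: "MESSAGE#253:211003",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("211003"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});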
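// Message id 305005 ("No translation group found for ..."), four layouts.
// select23 lists them from most to least specific:
//   msg103  protocol with interface:address/port on both sides
//   msg104  icmp with interface:address plus ICMP type and code
//   msg105  "protocol <n>" with interface:address on both sides
//   msg106  "protocol <n>" with bare addresses
// Each variant records its own msg_id1 suffix (none, :01, :02, :03).
var msg103 = match({
  id: "MESSAGE#367:305005",
  dissect: {
    tokenizer: "No translation group found for %{protocol->} src %{sinterface->}:%{saddr->}/%{sport->} dst %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup51,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("305005"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup110,
  ]),
});
var msg104 = match({
  id: "MESSAGE#368:305005:01",
  dissect: {
    tokenizer: "No translation group found for icmp src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} (type %{icmptype->}, code %{icmpcode->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup51,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("305005:01"),
    }),
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup110,
    dup111,
  ]),
});
var msg105 = match({
  id: "MESSAGE#369:305005:02",
  dissect: {
    tokenizer: "No translation group found for protocol %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup51,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("305005:02"),
    }),
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup110,
  ]),
});
var msg106 = match({
  id: "MESSAGE#370:305005:03",
  dissect: {
    tokenizer: "No translation group found for protocol %{protocol->} src %{saddr->} dst %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup51,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("305005:03"),
    }),
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup110,
  ]),
});
var select23 = linear_select([
  msg103,
  msg104,
  msg105,
  msg106,
]);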
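// Message id 332003: "Web Cache <saddr>/<shost> acquired".
var msg107 = match({
  id: "MESSAGE#465:332003",
  dissect: {
    tokenizer: "Web Cache %{saddr->}/%{shost->} acquired",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("332003"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup112,
  ]),
});
// Message id 400009:
// "<product>:<sigid> <context> from <saddr> to <daddr> on interface <if>".
// The same tokenizer is used for the other 4000xx ids in this file.
// dup27..dup30 are shared post-processing steps defined earlier in the file.
var msg108 = match({
  id: "MESSAGE#506:400009",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup113,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("400009"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});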
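// Message id 302012: "allocate <network_service> Call Signalling Connection
// for faddr <saddr>/<sport> to laddr <daddr>".
// msg109 reads p1; the leading stages dup114 and dup115 are defined outside
// this chunk and presumably consume the start of the payload.
var msg109 = match({
  id: "MESSAGE#291:302012/2",
  dissect: {
    tokenizer: "allocate %{network_service->} Call Signalling Connection for faddr %{saddr->}/%{sport->} to laddr %{daddr->}",
    field: "nwparser.p1",
  },
});
var all27 = all_match({
  processors: [
    dup114,
    dup115,
    msg109,
  ],
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302012"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup116,
  ]),
});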
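// Message id 610101 ("Authorization fail... : Cmd: <action> Cmdtype: <fld1>").
// msg110 matches the literal prefix and leaves the rest in p0.
// dup117 is defined outside this chunk; it presumably bridges p0 to p1.
// msg111 discards the text before ": Cmd: " (the unnamed %{->} key), keeps the
// command as action, and keeps the command type as fld1.
var msg110 = match({
  id: "MESSAGE#751:610101/0",
  dissect: {
    tokenizer: "Authorization fail%{p0->}",
    field: "nwparser.payload",
  },
});
var msg111 = match({
  id: "MESSAGE#751:610101/2",
  dissect: {
    tokenizer: "%{->}: Cmd: %{action->} Cmdtype: %{fld1->}",
    field: "nwparser.p1",
  },
});
var all28 = all_match({
  processors: [
    msg110,
    dup117,
    msg111,
  ],
  on_success: processor_chain([
    dup84,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("610101"),
    }),
    dup65,
    dup19,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});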
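// Message id 405102: "allocate <service> Connection for f...".
// msg112 reads p1 and leaves the text after the literal "f" in p2.
// The remaining stages (dup119..dup124) are defined outside this chunk and
// presumably parse the address part of the message.
var msg112 = match({
  id: "MESSAGE#591:405102/2",
  dissect: {
    tokenizer: "allocate %{service->} Connection for f%{p2->}",
    field: "nwparser.p1",
  },
});
var all29 = all_match({
  processors: [
    dup118,
    dup115,
    msg112,
    dup119,
    dup120,
    dup121,
    dup122,
    dup123,
    dup124,
  ],
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("405102"),
    }),
    dup2,
    dup3,
    dup125,
    dup4,
    dup5,
  ]),
});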
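// Message id 611303: VPN client NAT with split tunneling. Only the NAT address
// is captured (stransaddr). The tokenizer ends at "Split Tunnel Networks:",
// so any network list after that literal is not captured here.
var msg113 = match({
  id: "MESSAGE#759:611303",
  dissect: {
    tokenizer: "VPNClient: NAT configured for Client Mode with split tunneling: NAT addr: %{stransaddr->} Split Tunnel Networks:",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup126,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("611303"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    dup127,
  ]),
});
// Message id 713119: "Group = <group>, IP = <saddr>, <event_description>".
var msg114 = match({
  id: "MESSAGE#885:713119",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713119"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message id 101001: "(<context>)<event_description>".
var msg115 = match({
  id: "MESSAGE#0:101001",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup37,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("101001"),
    }),
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});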
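// Message id 113011 ("AAA retrieved user specific group policy ..."),
// parsed in three stages:
//   msg116    literal prefix, remainder left in p0
//   select24  policy name, with or without parentheses, remainder in p1
//   select25  user name, with or without single quotes
// In both selects the delimited form is listed before the bare form.
var msg116 = match({
  id: "MESSAGE#188:113011/0",
  dissect: {
    tokenizer: "AAA retrieved user specific group policy %{p0->}",
    field: "nwparser.payload",
  },
});
var msg117 = match({
  id: "MESSAGE#188:113011/2",
  dissect: {
    tokenizer: "(%{policyname->}) for user = %{p1->}",
    field: "nwparser.p0",
  },
});
var msg118 = match({
  id: "MESSAGE#188:113011/2",
  dissect: {
    tokenizer: "%{policyname->} for user = %{p1->}",
    field: "nwparser.p0",
  },
});
var select24 = linear_select([
  msg117,
  msg118,
]);
// Both user name patterns end in a literal space.
// NOTE(review): the user name is split on quote and space characters, so a
// name containing them would presumably be truncated; confirm against sample
// logs before using username from this message in detections.
var msg119 = match({
  id: "MESSAGE#188:113011/2",
  dissect: {
    tokenizer: "'%{username->}' ",
    field: "nwparser.p1",
  },
});
var msg120 = match({
  id: "MESSAGE#188:113011/2",
  dissect: {
    tokenizer: "%{username->} ",
    field: "nwparser.p1",
  },
});
var select25 = linear_select([
  msg119,
  msg120,
]);
var all30 = all_match({
  processors: [
    msg116,
    select24,
    select25,
  ],
  on_success: processor_chain([
    dup83,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("113011"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    // The matched literal prefix is stored as the result text.
    set_field({
      dest: "nwparser.result",
      value: constant("AAA retrieved user specific group policy"),
    }),
  ]),
});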
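// Message id 209002: "IPFRAG: First Frag have not been seen <saddr> to <daddr>".
// The description is set from a constant because the tokenizer captures only
// the two addresses.
var msg121 = match({
  id: "MESSAGE#237:209002",
  dissect: {
    tokenizer: "IPFRAG: First Frag have not been seen %{saddr->} to %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup85,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("209002"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("First Frag have not been seen"),
    }),
  ]),
});
// Message id 311003: "LU recv thread up". No field is captured; the trailing
// %{->} is an unnamed key and the description is a constant.
var msg122 = match({
  id: "MESSAGE#403:311003",
  dissect: {
    tokenizer: "LU recv thread up%{->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup37,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("311003"),
    }),
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("LU recv thread"),
    }),
    dup4,
    dup5,
  ]),
});
// Message id 721002: "(WebVPN-<context>) <event_description>".
var msg123 = match({
  id: "MESSAGE#1146:721002",
  dissect: {
    tokenizer: "(WebVPN-%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup37,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("721002"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message id 400042:
// "<product>:<sigid> <context> from <saddr> to <daddr> on interface <if>".
var msg124 = match({
  id: "MESSAGE#539:400042",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup52,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("400042"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});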
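// Message id 602202, two layouts. They share the first two stages (dup128 and
// dup129) and differ only in the last one (dup130 or dup132); all of these are
// defined outside this chunk. The dup130 layout is tagged "602202:01" and also
// runs dup14.
var all31 = all_match({
  processors: [
    dup128,
    dup129,
    dup130,
  ],
  on_success: processor_chain([
    dup82,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("602202:01"),
    }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup131,
  ]),
});
var all32 = all_match({
  processors: [
    dup128,
    dup129,
    dup132,
  ],
  on_success: processor_chain([
    dup82,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("602202"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    dup131,
  ]),
});
// The ":01" layout is listed before the plain one.
var select26 = linear_select([
  all31,
  all32,
]);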
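// Message id 615002: the whole payload is kept as event_description.
var msg125 = match({
  id: "MESSAGE#789:615002",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("615002"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});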
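// Message id 713068 ("... Received non-routine Notify message: <result>").
// Stages after dup79 (defined outside this chunk):
//   select27  optional "Username = <u>, " then "IP = <saddr>, Received non-routine "
//   select28  "N" or "n", so both "Notify" and "notify" are accepted
//   msg130    the rest of the word plus " message: "
//   select29  result, optionally followed by "(<info>)"
var msg126 = match({
  id: "MESSAGE#874:713068/2",
  dissect: {
    tokenizer: "Username = %{username->}, IP = %{saddr->}, Received non-routine %{p1->}",
    field: "nwparser.p0",
  },
});
var msg127 = match({
  id: "MESSAGE#874:713068/2",
  dissect: {
    tokenizer: "IP = %{saddr->}, Received non-routine %{p1->}",
    field: "nwparser.p0",
  },
});
var select27 = linear_select([
  msg126,
  msg127,
]);
var msg128 = match({
  id: "MESSAGE#874:713068/3",
  dissect: {
    tokenizer: "N%{p2->}",
    field: "nwparser.p1",
  },
});
var msg129 = match({
  id: "MESSAGE#874:713068/3",
  dissect: {
    tokenizer: "n%{p2->}",
    field: "nwparser.p1",
  },
});
var select28 = linear_select([
  msg128,
  msg129,
]);
var msg130 = match({
  id: "MESSAGE#874:713068/3",
  dissect: {
    tokenizer: "otify message: %{p3->}",
    field: "nwparser.p2",
  },
});
var msg131 = match({
  id: "MESSAGE#874:713068/4",
  dissect: {
    tokenizer: "%{result->} (%{info->}) ",
    field: "nwparser.p3",
  },
});
var msg132 = match({
  id: "MESSAGE#874:713068/4",
  dissect: {
    tokenizer: "%{result->} ",
    field: "nwparser.p3",
  },
});
var select29 = linear_select([
  msg131,
  msg132,
]);
var all33 = all_match({
  processors: [
    dup79,
    select27,
    select28,
    msg130,
    select29,
  ],
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713068"),
    }),
    dup7,
    dup133,
    dup134,
    dup2,
    dup3,
    dup4,
    dup5,
    // The description is a constant; the notify type itself is in result.
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received non-routine Notify message"),
    }),
  ]),
});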
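// Message id 111004. All three stages (dup44, dup135, dup136) are defined
// outside this chunk, so the matched text is not visible here.
var all34 = all_match({
  processors: [
    dup44,
    dup135,
    dup136,
  ],
  on_success: processor_chain([
    dup51,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("111004"),
    }),
    dup38,
    dup137,
    dup39,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message id 400007:
// "<product>:<sigid> <context> from <saddr> to <daddr> on interface <if>".
var msg133 = match({
  id: "MESSAGE#504:400007",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup113,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("400007"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});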
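// Message id 713903, four layouts collected by select32 at the end:
//   all35  shared stages dup22, dup23, dup138        -> "713903"
//   all36  group/IP prefix variants, then dup138     -> "713903:01"
//   msg135 "IP = <saddr> , <action>"                 -> "713903:02"
//   all37  "<desc> on Port <port> from <saddr>:<sport> " -> "713903:03"
// The dupN stages are defined outside this chunk.
var all35 = all_match({
  processors: [
    dup22,
    dup23,
    dup138,
  ],
  on_success: processor_chain([
    dup55,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713903"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// This variant has a space before the comma: "Group = <group> , IP = ".
var msg134 = match({
  id: "MESSAGE#961:713903:01/2",
  dissect: {
    tokenizer: "Group = %{group->} , IP = %{p1->}",
    field: "nwparser.p0",
  },
});
var select30 = linear_select([
  msg134,
  dup139,
  dup140,
]);
var all36 = all_match({
  processors: [
    dup44,
    select30,
    dup138,
  ],
  on_success: processor_chain([
    dup55,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713903:01"),
    }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var msg135 = match({
  id: "MESSAGE#962:713903:02",
  dissect: {
    tokenizer: "IP = %{saddr->} , %{action->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713903:02"),
    }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var msg136 = match({
  id: "MESSAGE#963:713903:03/0",
  dissect: {
    tokenizer: "%{event_description->} on Port %{network_port->} from %{saddr->}:%{sport->} ",
    field: "nwparser.payload",
  },
});
var select31 = linear_select([
  msg136,
  dup141,
]);
// NOTE(review): msg136 captures event_description from the log line, and the
// chain below then sets the same field to a constant. Presumably the constant
// wins, so any other text matched by msg136 or dup141 is also labelled
// "Runt ISAKMP packet discarded on Port"; confirm this is intended.
var all37 = all_match({
  processors: [
    select31,
  ],
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713903:03"),
    }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Runt ISAKMP packet discarded on Port"),
    }),
  ]),
});
var select32 = linear_select([
  all35,
  all36,
  msg135,
  all37,
]);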
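// Message id 746013: deletion of an IP-to-user mapping, two outcomes.
//   msg137  "... <saddr> - <domain>\<username> Succeeded - <event_description>"
//   msg138  "... <saddr> - <domain>\<username> Failed - VPN user logout"
// The "\\" in the tokenizer is a single literal backslash between the domain
// and the user name.
var msg137 = match({
  id: "MESSAGE#1259:746013",
  dissect: {
    tokenizer: "%{application->}: Delete IP-User mapping %{saddr->} - %{domain->}\\%{username->} Succeeded - %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup142,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("746013"),
    }),
    dup17,
    dup143,
    dup40,
    dup4,
    dup5,
    dup2,
    dup3,
    dup144,
  ]),
});
// The failed variant captures no reason text, so the description is a
// constant and the result comes from dup145 (defined outside this chunk).
var msg138 = match({
  id: "MESSAGE#1260:746013:01",
  dissect: {
    tokenizer: "%{application->}: Delete IP-User mapping %{saddr->} - %{domain->}\\%{username->} Failed - VPN user logout",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup142,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("746013:01"),
    }),
    dup17,
    dup143,
    dup19,
    dup14,
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("VPN user logout"),
    }),
    set_field({
      dest: "nwparser.result",
      value: dup145,
    }),
  ]),
});
var select33 = linear_select([
  msg137,
  msg138,
]);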
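// Message id 302016, layout ":05". The destination side carries an identity
// in parentheses: "<if>:<daddr>/<dport>(<ddomain>\<c_username>) duration <d>
// bytes <n>", optionally followed by "(<username>)".
// The leading stages dup146 and dup147 are defined outside this chunk.
var msg139 = match({
  id: "MESSAGE#313:302016:05/2",
  dissect: {
    tokenizer: "%{dinterface->}:%{daddr->}/%{dport->}(%{ddomain->}\\%{c_username->}) duration %{duration->} bytes %{p2->}",
    field: "nwparser.p1",
  },
});
// The form with a trailing "(<username>)" is listed before the bare count.
var msg140 = match({
  id: "MESSAGE#313:302016:05/3",
  dissect: {
    tokenizer: "%{bytes->} (%{username->})",
    field: "nwparser.p2",
  },
});
var msg141 = match({
  id: "MESSAGE#313:302016:05/3",
  dissect: {
    tokenizer: "%{bytes->}",
    field: "nwparser.p2",
  },
});
var select34 = linear_select([
  msg140,
  msg141,
]);
var all38 = all_match({
  processors: [
    dup146,
    dup147,
    msg139,
    select34,
  ],
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302016:05"),
    }),
    dup42,
    dup43,
    dup40,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup148,
    dup149,
  ]),
});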
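// Message id 302016, layout ":07". This is a full "Teardown ..." line in which
// the source side has a parenthesised value (fld1) and the destination side
// has "(<ddomain>\<c_username>)". The byte count is left in p0 for dup150,
// which is defined outside this chunk.
var msg142 = match({
  id: "MESSAGE#314:302016:07/0",
  dissect: {
    tokenizer: "Teardown %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->}(%{fld1->}) to %{dinterface->}:%{daddr->}/%{dport->}(%{ddomain->}\\%{c_username->}) duration %{duration->} bytes %{p0->}",
    field: "nwparser.payload",
  },
});
// NOTE(review): this chain has no dup2 step, while the other 302016 layouts in
// this file run dup2 before dup3. Confirm whether the omission is intentional,
// since events matched here may lack whatever field dup2 sets.
var all39 = all_match({
  processors: [
    msg142,
    dup150,
  ],
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302016:07"),
    }),
    dup42,
    dup43,
    dup40,
    dup14,
    dup3,
    dup4,
    dup5,
    dup27,
    dup148,
    dup149,
  ]),
});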
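// Message id 302016, layout ":04". This is a full "Teardown ..." line with a
// plain source side and "(<ddomain>\<c_username>)" on the destination side.
// The byte count is left in p0 for dup150, which is defined outside this chunk.
var msg143 = match({
  id: "MESSAGE#315:302016:04/0",
  dissect: {
    tokenizer: "Teardown %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}(%{ddomain->}\\%{c_username->}) duration %{duration->} bytes %{p0->}",
    field: "nwparser.payload",
  },
});
var all40 = all_match({
  processors: [
    msg143,
    dup150,
  ],
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302016:04"),
    }),
    dup42,
    dup43,
    dup40,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup148,
    dup149,
  ]),
});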
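// Message id 302016, layout ":06". Stages after the shared prefix
// (dup146, dup151 and dup152, defined outside this chunk):
//   select35  destination address/port, with "(<fld20>)" as the second option
//   msg145    "<duration> bytes "
//   select36  byte count, optionally followed by a user name in single quotes
//             or in parentheses
var msg144 = match({
  id: "MESSAGE#316:302016:06/4",
  dissect: {
    tokenizer: "%{daddr->}/%{dport->}(%{fld20->}) duration %{p3->}",
    field: "nwparser.p2",
  },
});
var select35 = linear_select([
  dup153,
  msg144,
]);
var msg145 = match({
  id: "MESSAGE#316:302016:06/4",
  dissect: {
    tokenizer: "%{duration->} bytes %{p4->}",
    field: "nwparser.p3",
  },
});
var msg146 = match({
  id: "MESSAGE#316:302016:06/5",
  dissect: {
    tokenizer: "%{bytes->} '%{username->}' ",
    field: "nwparser.p4",
  },
});
var msg147 = match({
  id: "MESSAGE#316:302016:06/5",
  dissect: {
    tokenizer: "%{bytes->} (%{username->}) ",
    field: "nwparser.p4",
  },
});
var msg148 = match({
  id: "MESSAGE#316:302016:06/5",
  dissect: {
    tokenizer: "%{bytes->}",
    field: "nwparser.p4",
  },
});
// The forms that carry a user name are listed before the bare byte count.
var select36 = linear_select([
  msg146,
  msg147,
  msg148,
]);
var all41 = all_match({
  processors: [
    dup146,
    dup151,
    dup152,
    select35,
    msg145,
    select36,
  ],
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302016:06"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup148,
    dup149,
  ]),
});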
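// Message id 302016, base layout. Stages after the shared prefix
// (dup146, dup151 and dup152, defined outside this chunk):
//   select37  destination part (dup153 or dup154, defined outside this chunk)
//   msg149    "<duration> bytes <bytes> "
//   select38  user name in single quotes or in parentheses
//   msg152    the remainder, discarded through an unnamed key
// Unlike layout ":06", select38 has no bare alternative, so a line without a
// user name presumably does not match this layout.
var select37 = linear_select([
  dup153,
  dup154,
]);
var msg149 = match({
  id: "MESSAGE#317:302016/4",
  dissect: {
    tokenizer: "%{duration->} bytes %{bytes->} %{p4->}",
    field: "nwparser.p3",
  },
});
var msg150 = match({
  id: "MESSAGE#317:302016/6",
  dissect: {
    tokenizer: "'%{username->}'%{p5->}",
    field: "nwparser.p4",
  },
});
var msg151 = match({
  id: "MESSAGE#317:302016/6",
  dissect: {
    tokenizer: "(%{username->})%{p5->}",
    field: "nwparser.p4",
  },
});
var select38 = linear_select([
  msg150,
  msg151,
]);
var msg152 = match({
  id: "MESSAGE#317:302016/6",
  dissect: {
    tokenizer: "%{->} ",
    field: "nwparser.p5",
  },
});
var all42 = all_match({
  processors: [
    dup146,
    dup151,
    dup152,
    select37,
    msg149,
    select38,
    msg152,
  ],
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302016"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup148,
    dup149,
  ]),
});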
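// Message id 302016, layout ":01". Both address parts accept several forms.
//   select39  source part: dup155, then "<saddr>/<sport>(<fld20>) to", then dup156
//   select40  destination part: dup153, then
//             "<daddr>/<dport>(<c_username>) duration", then dup154
//   msg155    "<duration> bytes <bytes>"
// dup146, dup152 and the other dupN alternatives are defined outside this chunk.
var msg153 = match({
  id: "MESSAGE#318:302016:01/2",
  dissect: {
    tokenizer: "%{saddr->}/%{sport->}(%{fld20->}) to %{p1->}",
    field: "nwparser.p0",
  },
});
var select39 = linear_select([
  dup155,
  msg153,
  dup156,
]);
var msg154 = match({
  id: "MESSAGE#318:302016:01/4",
  dissect: {
    tokenizer: "%{daddr->}/%{dport->}(%{c_username->}) duration %{p3->}",
    field: "nwparser.p2",
  },
});
var select40 = linear_select([
  dup153,
  msg154,
  dup154,
]);
var msg155 = match({
  id: "MESSAGE#318:302016:01/4",
  dissect: {
    tokenizer: "%{duration->} bytes %{bytes->}",
    field: "nwparser.p3",
  },
});
var all43 = all_match({
  processors: [
    dup146,
    select39,
    dup152,
    select40,
    msg155,
  ],
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302016:01"),
    }),
    dup42,
    dup43,
    dup40,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup148,
    dup149,
  ]),
});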
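// Message id 302016, layout ":02". Interface and address are separated by a
// space, and a "gaddr <hostip>/<network_port>" element sits between the source
// and the destination.
var msg156 = match({
  id: "MESSAGE#319:302016:02",
  dissect: {
    tokenizer: "Teardown %{protocol->} connection %{connectionid->} for %{sinterface->} %{saddr->}/%{sport->} gaddr %{hostip->}/%{network_port->} %{dinterface->} %{daddr->}/%{dport->} duration %{duration->} bytes %{bytes->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302016:02"),
    }),
    dup42,
    dup43,
    dup40,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup148,
    dup149,
  ]),
});
// Layout ":03" has the same shape as ":02" without connection id, duration or
// byte count. Its chain has no dup148 step, which the layouts that capture a
// duration and byte count do run.
var msg157 = match({
  id: "MESSAGE#320:302016:03",
  dissect: {
    tokenizer: "Teardown %{protocol->} connection for %{sinterface->} %{saddr->}/%{sport->} gaddr %{hostip->}/%{network_port->} %{dinterface->} %{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302016:03"),
    }),
    dup42,
    dup43,
    dup40,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup149,
  ]),
});
// All 302016 layouts in listed order. The more specific layouts, those that
// carry user or domain identity, are listed before the plain ones.
var select41 = linear_select([
  all38,
  all39,
  all40,
  all41,
  all42,
  all43,
  msg156,
  msg157,
]);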
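// Message id 306001: the whole payload is kept as event_description.
var msg158 = match({
  id: "MESSAGE#389:306001",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("306001"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message id 713042: the IKE initiator found no policy. The tokenizer captures
// interface, saddr and daddr.
var msg159 = match({
  id: "MESSAGE#864:713042",
  dissect: {
    tokenizer: "IKE Initiator unable to find policy: Intf %{interface->}, Src: %{saddr->}, Dst: %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713042"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});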
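// Message id 722029. All three stages (dup77, dup78, dup158) are defined
// outside this chunk, so the matched text is not visible here.
var all44 = all_match({
  processors: [
    dup77,
    dup78,
    dup158,
  ],
  on_success: processor_chain([
    dup34,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("722029"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup159,
  ]),
});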
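// Message id 717037: the tunnel-group search by certificate map failed for a
// peer certificate. The tokenizer captures serial_number, cert_subject and the
// issuer (as dn).
// NOTE(review): the subject is split from the issuer on the literal
// " issuer_name: ", with no comma before it. Certificate names come from the
// peer, so a subject containing that literal would presumably shift the
// cert_subject and dn captures; confirm against sample logs.
var msg160 = match({
  id: "MESSAGE#1083:717037",
  dissect: {
    tokenizer: "Tunnel group search using certificate maps failed for peer certificate: serial number: %{serial_number->}, subject name: %{cert_subject->} issuer_name: %{dn->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup160,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("717037"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message id 103007: "(<context>)<event_description>".
var msg161 = match({
  id: "MESSAGE#19:103007",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup161,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("103007"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message id 400011:
// "<product>:<sigid> <context> from <saddr> to <daddr> on interface <if>".
var msg162 = match({
  id: "MESSAGE#508:400011",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("400011"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});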
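// Message id 401002 (a shun was added). dup162 is defined outside this chunk
// and presumably matches the start of the line and leaves the rest in p0.
// Two tails are accepted:
//   msg163  "<skipped>added: <result> "  (the result text is kept)
//   msg164  "s added <skipped>"          (nothing is kept)
// In both cases the description is set from a constant.
var msg163 = match({
  id: "MESSAGE#550:401002/1",
  dissect: {
    tokenizer: "%{->}added: %{result->} ",
    field: "nwparser.p0",
  },
});
var msg164 = match({
  id: "MESSAGE#550:401002/1",
  dissect: {
    tokenizer: "s added %{->}",
    field: "nwparser.p0",
  },
});
var select42 = linear_select([
  msg163,
  msg164,
]);
var all45 = all_match({
  processors: [
    dup162,
    select42,
  ],
  on_success: processor_chain([
    dup163,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("401002"),
    }),
    dup164,
    dup38,
    dup14,
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shun(s) added"),
    }),
  ]),
});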
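// Message id 715041:
// "Group = <group>, IP = <saddr>, <action> of type <event_description>, <info>".
var msg165 = match({
  id: "MESSAGE#1014:715041",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{action->} of type %{event_description->}, %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("715041"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message id 717008: the whole payload is kept as event_description.
var msg166 = match({
  id: "MESSAGE#1069:717008",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup165,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("717008"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message id 717041: "Local CA Server event: <info>".
// NOTE(review): this chain runs dup2, dup5, dup3 and has no dup4 step, unlike
// the other chains in this file; confirm the omission is intentional.
var msg167 = match({
  id: "MESSAGE#1303:717041",
  dissect: {
    tokenizer: "Local CA Server event: %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup166,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("717041"),
    }),
    dup14,
    dup2,
    dup5,
    dup3,
  ]),
});
// Message id 103004: "(<context>)<event_description>".
var msg168 = match({
  id: "MESSAGE#16:103004",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup1,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("103004"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup167,
  ]),
});
// Message id 403504: the whole payload is kept as event_description.
var msg169 = match({
  id: "MESSAGE#583:403504",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup51,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("403504"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});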
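// Message id 715039, two layouts collected by select43:
//   all46   shared prefix stages (dup22 and dup23, defined outside this chunk),
//           then "<saddr>, <event_description>." with a trailing full stop
//   msg171  "Group = <group>, IP = <saddr>, <event_description>" in one pass
var msg170 = match({
  id: "MESSAGE#1011:715039/2",
  dissect: {
    tokenizer: "%{saddr->}, %{event_description->}.",
    field: "nwparser.p1",
  },
});
var all46 = all_match({
  processors: [
    dup22,
    dup23,
    msg170,
  ],
  on_success: processor_chain([
    dup50,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("715039"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var msg171 = match({
  id: "MESSAGE#1012:715039:01",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup50,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("715039:01"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var select43 = linear_select([
  all46,
  msg171,
]);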
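// Message id 721012: "(WebVPN-<context>) Enable APCF XML file path <filename>
// on the standby unit". The file path is captured as filename and the
// description is set from a constant.
var msg172 = match({
  id: "MESSAGE#1150:721012",
  dissect: {
    tokenizer: "(WebVPN-%{context->}) Enable APCF XML file path %{filename->} on the standby unit",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("721012"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Enable APCF XML file path on standby unit"),
    }),
  ]),
});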
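// Message id 724004. All three stages (dup77, dup78, dup168) are defined
// outside this chunk, so the matched text is not visible here.
var all47 = all_match({
  processors: [
    dup77,
    dup78,
    dup168,
  ],
  on_success: processor_chain([
    dup169,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("724004"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});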
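// Message id 105011: "(<context>)<event_description>".
var msg173 = match({
  id: "MESSAGE#36:105011",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup49,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("105011"),
    }),
    dup2,
    dup3,
    dup167,
    dup4,
    dup5,
  ]),
});
// Message id 210010:
// "LU make UDP connection for <saddr>:<sport> <daddr>:<dport> failed".
// The tokenizer captures only the endpoints; the description is a constant
// that does not repeat the log wording.
var msg174 = match({
  id: "MESSAGE#248:210010",
  dissect: {
    tokenizer: "LU make UDP connection for %{saddr->}:%{sport->} %{daddr->}:%{dport->} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup165,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("210010"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Unable to allocate a new record for a UDP connection"),
    }),
    dup170,
  ]),
});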
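// Message id 713136, parsed in two stages.
// select44 accepts three prefixes, most specific first:
//   msg175  Group plus a user name in single quotes
//   msg176  Group plus a bare user name (leading text skipped)
//   msg177  Group only (leading text skipped)
// Each leaves the text after "IP = " in p0.
// msg178 then reads "<saddr>, <action> [<fld1>]".
// NOTE(review): group and user name are split on ", Username = " and
// " , IP = ". A value containing those literals would presumably shift the
// later captures, including saddr; confirm before keying detections on them.
var msg175 = match({
  id: "MESSAGE#902:713136/1",
  dissect: {
    tokenizer: "Group = %{group->}, Username = '%{username->}' , IP = %{p0->}",
    field: "nwparser.payload",
  },
});
var msg176 = match({
  id: "MESSAGE#902:713136/1",
  dissect: {
    tokenizer: "%{->}Group = %{group->}, Username = %{username->} , IP = %{p0->}",
    field: "nwparser.payload",
  },
});
var msg177 = match({
  id: "MESSAGE#902:713136/1",
  dissect: {
    tokenizer: "%{->}Group = %{group->}, IP = %{p0->}",
    field: "nwparser.payload",
  },
});
var select44 = linear_select([
  msg175,
  msg176,
  msg177,
]);
var msg178 = match({
  id: "MESSAGE#902:713136/1",
  dissect: {
    tokenizer: "%{saddr->}, %{action->} [%{fld1->}]",
    field: "nwparser.p0",
  },
});
var all48 = all_match({
  processors: [
    select44,
    msg178,
  ],
  on_success: processor_chain([
    dup55,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713136"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});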
// Cisco ASA message 715080: group, peer address, a free-text description and a
// duration, all from nwparser.payload. The literal " seconds." must close the
// payload for the pattern to apply.
var msg179 = match({
  id: "MESSAGE#1044:715080",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{event_description->}: %{duration->} seconds.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58,
    set_field({ dest: "nwparser.msg_id1", value: constant("715080") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA message 120012: a user disabled or postponed call-home anonymous
// reporting. Parsed in three stages chained through p0 and p1.

// Stage 1 (nwparser.payload): the quoted username; remainder goes to p0.
var msg180 = match({
  id: "MESSAGE#14:120012/0",
  dissect: {
    tokenizer: "User \"%{username->}\" chose to %{p0->}",
    field: "nwparser.payload",
  },
});

// Stage 2 (nwparser.p0): the verb stem, either "disabl" or "postpon"; the
// remainder goes to p1. Which verb matched is not stored in a field here.
var msg181 = match({
  id: "MESSAGE#14:120012/2",
  dissect: {
    tokenizer: "disabl%{p1->}",
    field: "nwparser.p0",
  },
});
var msg182 = match({
  id: "MESSAGE#14:120012/2",
  dissect: {
    tokenizer: "postpon%{p1->}",
    field: "nwparser.p0",
  },
});
var select45 = linear_select([msg181, msg182]);

// Stage 3 (nwparser.p1): the fixed tail of the sentence, starting at the "e"
// that completes the verb.
var msg183 = match({
  id: "MESSAGE#14:120012/2",
  dissect: {
    tokenizer: "e call-home anonymous reporting at the prompt.%{->}",
    field: "nwparser.p1",
  },
});

// Combines the stages and writes one fixed description for both verbs.
var all49 = all_match({
  processors: [msg180, select45, msg183],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("120012") }),
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("User chose to disable or postpone call-home anonymous reporting"),
    }),
  ]),
});
// Cisco ASA message 307003: failed telnet login to the device.
// Two layouts are handled: with and without the trailing "on interface ..."
// clause. Both capture the source address and the parenthesised reason
// (result). The interface-less variant is tagged "307003:01" and additionally
// runs dup14.
// These are authentication-failure events on a management service, so they
// are natural inputs for failed-login monitoring.
var msg184 = match({
  id: "MESSAGE#393:307003",
  dissect: {
    tokenizer: "telnet login session failed from %{saddr->} (%{result->}) on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup171,
    set_field({ dest: "nwparser.msg_id1", value: constant("307003") }),
    dup43,
    dup106,
    dup18,
    dup19,
    dup2,
    dup3,
    dup4,
    dup5,
    dup172,
  ]),
});
var msg185 = match({
  id: "MESSAGE#394:307003:01",
  dissect: {
    tokenizer: "telnet login session failed from %{saddr->} (%{result->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup171,
    set_field({ dest: "nwparser.msg_id1", value: constant("307003:01") }),
    dup43,
    dup106,
    dup18,
    dup19,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup172,
  ]),
});

// The longer (with-interface) pattern is listed first.
var select46 = linear_select([msg184, msg185]);
// Cisco ASA message 603104: PPTP tunnel created. Parsed in three stages
// chained through p0 and p1.

// Stage 1 (nwparser.payload): tunnel id (fld1), remote peer address (saddr),
// virtual interface id (fld2), client dynamic address (daddr); the text after
// "username is " goes to p0.
var msg186 = match({
  id: "MESSAGE#723:603104/0",
  dissect: {
    tokenizer: "PPTP Tunnel created, tunnel_id is %{fld1->}, remote_peer_ip is %{saddr->}, ppp_virtual_interface_id is %{fld2->}, client_dynamic_ip is %{daddr->}, username is %{p0->}",
    field: "nwparser.payload",
  },
});

// Stage 2 (nwparser.p0): username, quoted or unquoted; remainder goes to p1.
var msg187 = match({
  id: "MESSAGE#723:603104/2",
  dissect: {
    tokenizer: "'%{username->}' , MPPE_key_strength is %{p1->}",
    field: "nwparser.p0",
  },
});
var msg188 = match({
  id: "MESSAGE#723:603104/2",
  dissect: {
    tokenizer: "%{username->} , MPPE_key_strength is %{p1->}",
    field: "nwparser.p0",
  },
});
var select47 = linear_select([msg187, msg188]);

// Stage 3 (nwparser.p1): the MPPE key strength, kept as fld3.
var msg189 = match({
  id: "MESSAGE#723:603104/2",
  dissect: {
    tokenizer: "%{fld3->}",
    field: "nwparser.p1",
  },
});

// Combines the stages and writes a fixed description.
var all50 = all_match({
  processors: [msg186, select47, msg189],
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("603104") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("PPTP Tunnel created"),
    }),
  ]),
});
// Cisco ASA message 720027: "(VPN-<context>) <text>" read from
// nwparser.payload. The text after the parenthesis is kept unparsed as
// event_description.
var msg190 = match({
  id: "MESSAGE#1123:720027",
  dissect: {
    tokenizer: "(VPN-%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({ dest: "nwparser.msg_id1", value: constant("720027") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA message 715052: "Old P1 SA is being deleted but new SA is DEAD".
// The middle stage (select48) reads nwparser.p0 and has two alternatives,
// with and without a "Username = ..." clause; both capture group and saddr
// and leave the remainder in p1. The first stage (dup9) and last stage
// (dup173) are defined elsewhere in this file.
var msg191 = match({
  id: "MESSAGE#1024:715052/2",
  dissect: {
    tokenizer: "%{group->}, Username = %{username->}, IP = %{saddr->}, Old P1 SA is being deleted but new SA is DEAD, %{p1->}",
    field: "nwparser.p0",
  },
});
var msg192 = match({
  id: "MESSAGE#1024:715052/2",
  dissect: {
    tokenizer: "%{group->}, IP = %{saddr->}, Old P1 SA is being deleted but new SA is DEAD, %{p1->}",
    field: "nwparser.p0",
  },
});
var select48 = linear_select([msg191, msg192]);

// Combines the stages and writes a fixed description.
var all51 = all_match({
  processors: [dup9, select48, dup173],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("715052") }),
    dup7,
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Old P1 SA is being deleted but new SA is DEAD"),
    }),
  ]),
});
// Cisco ASA message 717039: local CA server internal error. The text after
// the colon is captured as result; the description is a fixed string.
var msg193 = match({
  id: "MESSAGE#1084:717039",
  dissect: {
    tokenizer: "Local CA Server internal error detected: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("717039") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Local CA Server internal error detected"),
    }),
  ]),
});
// Cisco ASA message 718069: VPN load balancing stopped. Captures the context
// name (the text before the closing ".") and writes a fixed description.
var msg194 = match({
  id: "MESSAGE#1108:718069",
  dissect: {
    tokenizer: "Stop VPN Load Balancing in context %{context->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718069") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Stop VPN Load Balancing"),
    }),
  ]),
});
// Two payload layouts registered under message id 107001.

// "<saddr> attempted to ping <daddr>." -- tagged "107001:01".
var msg195 = match({
  id: "MESSAGE#109:107001:01",
  dissect: {
    tokenizer: "%{saddr->} attempted to ping %{daddr->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("107001:01") }),
    dup42,
    dup43,
    dup40,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
  ]),
});

// RIP authentication failure: source address, the RIP header values
// (version/type/mode/sequence kept as fld1..fld4) and the receiving
// interface. A routing-protocol authentication failure is worth surfacing to
// analysts, so the description is normalised to a fixed string.
var msg196 = match({
  id: "MESSAGE#110:107001",
  dissect: {
    tokenizer: "RIP auth failed from %{saddr->}: version=%{fld1->}, type=%{fld2->}, mode=%{fld3->}, sequence=%{fld4->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16,
    set_field({ dest: "nwparser.msg_id1", value: constant("107001") }),
    dup18,
    dup19,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    set_field({
      dest: "nwparser.event_description",
      value: constant("RIP auth failure"),
    }),
  ]),
});

// The ping layout is listed before the RIP layout.
var select49 = linear_select([msg195, msg196]);
// Cisco ASA message 409005: the tokenizer is a single capture, so the entire
// payload is stored as event_description without further parsing.
var msg197 = match({
  id: "MESSAGE#607:409005",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("409005") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA message 713184: VPN client type and application version.

// Final stage of the multi-stage form; reads nwparser.p1. The earlier stages
// (dup22, dup23) are defined elsewhere in this file.
// NOTE(review): product and version are presumably reported by the client
// itself, so treat them as self-declared values rather than verified facts.
var msg198 = match({
  id: "MESSAGE#918:713184/2",
  dissect: {
    tokenizer: "%{saddr->}, Client Type: %{product->} Client Application Version: %{version->}",
    field: "nwparser.p1",
  },
});
var all52 = all_match({
  processors: [dup22, dup23, msg198],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713184") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});

// Single-stage form reading the whole payload ("Group = ..., IP = ...");
// tagged "713184:01" and additionally runs dup14.
var msg199 = match({
  id: "MESSAGE#919:713184:01",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, Client Type: %{product->} Client Application Version: %{version->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713184:01") }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});

// The multi-stage form is listed before the single-stage form.
var select50 = linear_select([all52, msg199]);
// Message 713905, variant ":04": the IKE port for IPSec-over-UDP is already
// reserved on an interface. Captures the port and interface and writes a
// fixed description.
var msg200 = match({
  id: "MESSAGE#970:713905:04",
  dissect: {
    tokenizer: "IKE port %{network_port->} for IPSec UDP already reserved on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("713905:04") }),
    dup7,
    dup14,
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKE port for IPSec UDP already reserved on interface"),
    }),
  ]),
});
// Message 713905, base variant. All three match stages (dup22, dup23, dup174)
// are defined elsewhere in this file; this block only sequences them and tags
// the event with msg_id1 "713905".
var all53 = all_match({
  processors: [dup22, dup23, dup174],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713905") }),
    dup7,
    dup4,
    dup5,
    dup2,
    dup3,
  ]),
});
// Message 713905, variant ":01". The last stage (select51) reads nwparser.p1
// and has two alternatives.

// Alternative 1: description followed by "from ... port ... to ... port ...".
// Note that the source address is captured as fld1, not saddr, and that the
// tokenizer ends with a literal trailing space.
// NOTE(review): confirm whether saddr is populated by an earlier stage
// (dup44 / dup175); if not, the source address of this layout is only
// available in fld1.
var msg201 = match({
  id: "MESSAGE#972:713905:01/2",
  dissect: {
    tokenizer: "%{event_description->} from %{fld1->} port %{sport->} to %{daddr->} port %{dport->} ",
    field: "nwparser.p1",
  },
});

// Alternative 2: everything after the first space is the description.
var msg202 = match({
  id: "MESSAGE#972:713905:01/2",
  dissect: {
    tokenizer: "%{->} %{event_description->}",
    field: "nwparser.p1",
  },
});
var select51 = linear_select([msg201, msg202]);

// dup44 and dup175 are defined elsewhere in this file.
var all54 = all_match({
  processors: [dup44, dup175, select51],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713905:01") }),
    dup7,
    dup14,
    dup4,
    dup5,
    dup2,
    dup3,
  ]),
});
// Message 713905, variant ":02": payloads that start with "INFO: ". The rest
// of the payload is stored unparsed as info.
var msg203 = match({
  id: "MESSAGE#973:713905:02",
  dissect: {
    tokenizer: "INFO: %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713905:02") }),
    dup7,
    dup14,
    dup4,
    dup5,
    dup2,
    dup3,
  ]),
});
// Message 713905, variant ":03". All three match stages (dup176, dup23,
// dup174) are defined elsewhere in this file.
var all55 = all_match({
  processors: [dup176, dup23, dup174],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713905:03") }),
    dup7,
    dup14,
    dup4,
    dup5,
    dup2,
    dup3,
  ]),
});

// All 713905 layouts, listed in this order: ":04", base, ":01", ":02", ":03".
// The order is significant if linear_select stops at the first alternative
// that matches (presumably it does -- confirm against its definition), so
// keep the more specific patterns ahead of the looser ones.
var select52 = linear_select([msg200, all53, all54, msg203, all55]);
// Cisco ASA message 201013: per-client connection limit exceeded.
// fld1/fld2 hold the two numbers around the "/" after "exceeded"; direction,
// both endpoints and the interface are captured as named fields. Useful as a
// resource-exhaustion signal keyed on saddr.
var msg204 = match({
  id: "MESSAGE#227:201013",
  dissect: {
    tokenizer: "Per-client connection limit exceeded %{fld1->}/%{fld2->} for %{direction->} packet from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("201013") }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup177,
  ]),
});
// Cisco ASA message 209003: fragment database limit exceeded.
// Captures the limit (fld1), source/destination addresses, protocol and the
// fragment id (fld2). The capture named "space" appears twice in the
// tokenizer, apparently to absorb padding before "src" and "dest".
var msg205 = match({
  id: "MESSAGE#238:209003",
  dissect: {
    tokenizer: "Fragment database limit of %{fld1->} exceeded: %{space->} src = %{saddr->}, %{space->} dest = %{daddr->}, proto = %{protocol->}, id = %{fld2->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("209003") }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Fragment database limit exceeded"),
    }),
  ]),
});
// Cisco ASA message 722025: fixed text "SVC Global Compression Disabled".
// The trailing unnamed capture stores nothing under a field name.
var msg206 = match({
  id: "MESSAGE#1162:722025",
  dissect: {
    tokenizer: "SVC Global Compression Disabled%{->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("722025") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA message 400028 (IDS/IPS signature event layout):
// "<product>:<sigid> <context> from <saddr> to <daddr> on interface <dinterface>".
// The same tokenizer is reused by the other 4000xx signature messages in this
// file; only the leading category step (dup109 here) and msg_id1 differ.
var msg207 = match({
  id: "MESSAGE#525:400028",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup109,
    set_field({ dest: "nwparser.msg_id1", value: constant("400028") }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});
// Cisco ASA message 400044 (IDS/IPS signature event layout):
// "<product>:<sigid> <context> from <saddr> to <daddr> on interface <dinterface>".
// Leading category step for this signature is dup52.
var msg208 = match({
  id: "MESSAGE#541:400044",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup52,
    set_field({ dest: "nwparser.msg_id1", value: constant("400044") }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});
// Cisco ASA message 716009: ACL parse error for a WebVPN user.
// Captures group, username, host address and the text before ". ACL parse
// error" (result).
// NOTE(review): each capture is preceded by two literal "<" characters
// (\u003c\u003c) but followed by a single ">". Confirm that the tokenizer
// treats the doubled "<" as an escape for one "<"; if it is matched
// literally, a payload using single angle brackets would never match and
// these events would go unparsed.
var msg209 = match({
  id: "MESSAGE#1050:716009",
  dissect: {
    tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{hostip->}> %{result->}. ACL parse error",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("716009") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("ACL parse error"),
    }),
  ]),
});
// Cisco ASA message 720039: "(VPN-<context>) <text>" read from
// nwparser.payload; the text is kept unparsed as event_description.
var msg210 = match({
  id: "MESSAGE#1132:720039",
  dissect: {
    tokenizer: "(VPN-%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({ dest: "nwparser.msg_id1", value: constant("720039") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA message 107002: RIP packet failure. Captures the source address,
// the RIP version (fld1) and the receiving interface, and writes a fixed
// description.
var msg211 = match({
  id: "MESSAGE#111:107002",
  dissect: {
    tokenizer: "RIP pkt failed from %{saddr->}: version=%{fld1->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("107002") }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    set_field({
      dest: "nwparser.event_description",
      value: constant("RIP packet failure"),
    }),
  ]),
});
// Cisco ASA message 109023: traffic rejected because the user has not
// authenticated yet. Two layouts: with and without the "using <protocol>"
// clause. Both capture the full 4-tuple and the interface. The layout without
// a protocol is tagged "109023:01" and additionally runs dup14.
var msg212 = match({
  id: "MESSAGE#147:109023",
  dissect: {
    tokenizer: "User from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} on interface %{interface->} using %{protocol->} must authenticate before using this service",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup83,
    set_field({ dest: "nwparser.msg_id1", value: constant("109023") }),
    dup17,
    dup18,
    dup178,
    dup2,
    dup3,
    dup4,
    dup5,
    dup100,
  ]),
});
var msg213 = match({
  id: "MESSAGE#148:109023:01",
  dissect: {
    tokenizer: "User from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} on interface %{interface->} must authenticate before using this service",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup83,
    set_field({ dest: "nwparser.msg_id1", value: constant("109023:01") }),
    dup17,
    dup18,
    dup178,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup100,
  ]),
});

// The layout with the protocol clause is listed first.
var select53 = linear_select([msg212, msg213]);
// Cisco ASA message 109025. The final stage reads nwparser.p1 and captures
// the 4-tuple, interface and protocol. The first two stages (dup179, dup61)
// are defined elsewhere in this file.
var msg214 = match({
  id: "MESSAGE#150:109025/2",
  dissect: {
    tokenizer: "%{saddr->}/%{sport->} to %{daddr->}/%{dport->} on interface %{interface->} using %{protocol->}",
    field: "nwparser.p1",
  },
});
var all56 = all_match({
  processors: [dup179, dup61, msg214],
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("109025") }),
    dup65,
    dup17,
    dup99,
    dup2,
    dup3,
    dup4,
    dup5,
    dup100,
  ]),
});
// Cisco ASA message 713177: remote proxy host FQDN received in an ID payload.
// Captures group, peer address (saddr), and the advertised host name, host
// address, protocol and port. The advertised port is stored as sport.
// NOTE(review): hostname and hostip are values the remote peer sent in its
// payload; they are presumably not verified by the device, so do not treat
// them as resolved or trusted identities.
var msg215 = match({
  id: "MESSAGE#1282:713177",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, Received remote Proxy Host FQDN in ID Payload: Host Name: %{hostname->} Address %{hostip->}, Protocol %{protocol->}, Port %{sport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("713177") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received remote Proxy Host"),
    }),
  ]),
});
// Cisco ASA message 608001: pre-allocated Skinny secondary channel.
// Two layouts that differ in which side carries a port:
//   - "608001:01": port on the source side (sport), none on the destination.
//   - "608001":    port on the destination side (dport), none on the source.
// Consumers should therefore expect only one of sport/dport per event.
var msg216 = match({
  id: "MESSAGE#745:608001:01",
  dissect: {
    tokenizer: "Pre-allocate Skinny %{fld1->} secondary channel for %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->} from %{info->} message",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("608001:01") }),
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var msg217 = match({
  id: "MESSAGE#746:608001",
  dissect: {
    tokenizer: "Pre-allocate Skinny %{fld1->} secondary channel for %{sinterface->}:%{saddr->} to %{dinterface->}:%{daddr->}/%{dport->} from %{info->} message",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("608001") }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var select54 = linear_select([msg216, msg217]);
// Cisco ASA message 722037: SVC closing connection. The first two stages
// (dup181, dup182) are defined elsewhere in this file.

// Third stage (nwparser.p1): peer address, optionally followed by a
// parenthesised value (fld1); the reason text goes to p2.
var msg218 = match({
  id: "MESSAGE#1172:722037/3",
  dissect: {
    tokenizer: "%{saddr->} (%{fld1->}) > SVC closing connection: %{p2->}",
    field: "nwparser.p1",
  },
});
var msg219 = match({
  id: "MESSAGE#1172:722037/3",
  dissect: {
    tokenizer: "%{saddr->} > SVC closing connection: %{p2->}",
    field: "nwparser.p1",
  },
});
var select55 = linear_select([msg218, msg219]);

// Fourth stage (nwparser.p2): the reason, up to a closing ".", stored as info.
var msg220 = match({
  id: "MESSAGE#1172:722037/3",
  dissect: {
    tokenizer: "%{info->}.",
    field: "nwparser.p2",
  },
});

// Combines the stages and writes a fixed description.
var all57 = all_match({
  processors: [dup181, dup182, select55, msg220],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("722037") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("closing connection"),
    }),
  ]),
});
// Cisco ASA message 722055: VPN client type / version report.

// Stage 1 (nwparser.payload): group, username, peer address and the client
// application; remainder goes to p0.
// NOTE(review): each capture is preceded by two literal "<" characters
// (\u003c\u003c) but followed by a single ">". Confirm that the tokenizer
// treats the doubled "<" as an escape for one "<"; if it is matched
// literally, a payload using single angle brackets would never match.
var msg221 = match({
  id: "MESSAGE#1181:722055/0",
  dissect: {
    tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> Client Type: %{application->} %{p0->}",
    field: "nwparser.payload",
  },
});

// Stage 2 (nwparser.p0): either "for <product> <version>" or "v<version>".
var msg222 = match({
  id: "MESSAGE#1181:722055/1",
  dissect: {
    tokenizer: "for %{product->} %{version->}",
    field: "nwparser.p0",
  },
});
var msg223 = match({
  id: "MESSAGE#1181:722055/1",
  dissect: {
    tokenizer: "v%{version->}",
    field: "nwparser.p0",
  },
});
var select56 = linear_select([msg222, msg223]);

var all58 = all_match({
  processors: [msg221, select56],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("722055") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA message 338005: traffic dropped because the source resolved to a
// blacklisted entry. This is the final stage; it reads nwparser.p1 and its
// tokenizer starts mid-word ("ilter ..."), so the beginning of the sentence
// is consumed by the earlier stages (dup183, dup184), defined elsewhere.
// Captures protocol, both endpoints with their translated address/port, the
// source (fld1), the list type (fld2), the listed domain (web_domain),
// threat level (severity) and category (result) -- the fields an analyst
// needs to triage the hit.
var msg224 = match({
  id: "MESSAGE#475:338005/2",
  dissect: {
    tokenizer: "ilter dropped blacklisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), source %{fld1->} resolved from %{fld2->} list:%{web_domain->} threat-level: %{severity->}, category: %{result->}",
    field: "nwparser.p1",
  },
});
var all59 = all_match({
  processors: [dup183, dup184, msg224],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("338005") }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA message 400040 (IDS/IPS signature event layout):
// "<product>:<sigid> <context> from <saddr> to <daddr> on interface <dinterface>".
// Leading category step for this signature is dup109.
var msg225 = match({
  id: "MESSAGE#537:400040",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup109,
    set_field({ dest: "nwparser.msg_id1", value: constant("400040") }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});
// Cisco ASA message 713255: an Aggressive Mode message arrived with a tunnel
// group name the device does not know. Captures the peer address, protocol,
// fld1 and the quoted group name.
// NOTE(review): the group name is presumably whatever the peer sent, so it is
// unvalidated text; repeated events with varying names from one saddr may
// indicate group-name guessing and are worth a detection.
var msg226 = match({
  id: "MESSAGE#949:713255",
  dissect: {
    tokenizer: "IP = %{saddr->}, Received %{protocol->} Aggressive Mode message %{fld1->} with unknown tunnel group name '%{group->}'.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713255") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA message 710001: access requested to the device itself.
// Captures protocol, source address/port and the destination interface and
// address. The value after the destination "/" is stored as service, not
// dport. ec_activity and result are set to fixed strings.
var msg227 = match({
  id: "MESSAGE#842:710001",
  dissect: {
    tokenizer: "%{protocol->} access requested from %{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{service->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("710001") }),
    dup42,
    dup43,
    set_field({ dest: "nwparser.ec_activity", value: constant("Request") }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    set_field({ dest: "nwparser.result", value: constant("access requested") }),
  ]),
});
// Cisco ASA message 305006: address translation creation failed.
// Three layouts, tried in the order listed in select57:
//   - "305006:02": "for protocol <n>", addresses without ports.
//   - "305006":    "for <protocol>", addresses with ports.
//   - "305006:01": ICMP, addresses plus ICMP type and code.

var msg228 = match({
  id: "MESSAGE#371:305006:02",
  dissect: {
    tokenizer: "%{service->} translation creation failed for protocol %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("305006:02") }),
    dup42,
    dup43,
    dup19,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("translation creation failed for protocol"),
    }),
  ]),
});
var msg229 = match({
  id: "MESSAGE#372:305006",
  dissect: {
    tokenizer: "%{service->} translation creation failed for %{protocol->} src %{sinterface->}:%{saddr->}/%{sport->} dst %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("305006") }),
    dup42,
    dup43,
    dup19,
    dup2,
    dup3,
    dup4,
    dup5,
    dup185,
  ]),
});
var msg230 = match({
  id: "MESSAGE#373:305006:01",
  dissect: {
    tokenizer: "%{service->} translation creation failed for icmp src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} (type %{icmptype->}, code %{icmpcode->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("305006:01") }),
    dup42,
    dup43,
    dup19,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup111,
    dup185,
  ]),
});
var select57 = linear_select([msg228, msg229, msg230]);
// Cisco ASA message 722032: a new SVC connection replaces an old one.
// The first two stages (dup77, dup78) are defined elsewhere in this file; the
// remaining stages are chained through p1 -> p2 -> p3.

// Reads nwparser.p1: peer address up to ">"; text after "New " goes to p2.
var msg231 = match({
  id: "MESSAGE#1168:722032/2",
  dissect: {
    tokenizer: "%{saddr->}> New %{p2->}",
    field: "nwparser.p1",
  },
});

// Reads nwparser.p2: the protocol word; remainder goes to p3.
var msg232 = match({
  id: "MESSAGE#1168:722032/4",
  dissect: {
    tokenizer: "%{protocol->} %{p3->}",
    field: "nwparser.p2",
  },
});

// A selector with a single alternative.
var select58 = linear_select([msg232]);

// Reads nwparser.p3: the fixed tail of the sentence.
var msg233 = match({
  id: "MESSAGE#1168:722032/4",
  dissect: {
    tokenizer: "SVC connection replacing old connection.%{->}",
    field: "nwparser.p3",
  },
});

// Combines the stages and writes a fixed description.
var all60 = all_match({
  processors: [dup77, dup78, msg231, select58, msg233],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("722032") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("replacing old connection"),
    }),
  ]),
});
// Cisco ASA message 737014: an AAA-assigned address is being freed.
// Captures the reporting process name and the address (hostip) and writes a
// fixed description.
var msg234 = match({
  id: "MESSAGE#1239:737014",
  dissect: {
    tokenizer: "%{process->}: Freeing AAA address %{hostip->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("737014") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Freeing AAA address"),
    }),
  ]),
});
// Cisco ASA message 400015 (IDS/IPS signature event layout):
// "<product>:<sigid> <context> from <saddr> to <daddr> on interface <dinterface>".
// Leading category step for this signature is dup26.
var msg235 = match({
  id: "MESSAGE#512:400015",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({ dest: "nwparser.msg_id1", value: constant("400015") }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});
// Cisco ASA message 421006: usage summary. Captures the user count (fld1),
// the product name and the reporting window in hours (fld2).
var msg236 = match({
  id: "MESSAGE#664:421006",
  dissect: {
    tokenizer: "There are %{fld1->} users of %{product->} during the past %{fld2->} hours",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup186,
    set_field({ dest: "nwparser.msg_id1", value: constant("421006") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA message 605004: login denied on a management service.
// Two layouts, both finishing with the shared stage dup187 (defined elsewhere
// in this file), which reads the text after "for user ".
// These are authentication failures against the device itself and are a
// primary input for failed-login / brute-force monitoring.

// Layout 1: full form with source address/port and destination. The value
// after the destination "/" is stored as service, not dport.
var msg237 = match({
  id: "MESSAGE#736:605004/0",
  dissect: {
    tokenizer: "Login denied from %{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{service->} for user %{p0->}",
    field: "nwparser.payload",
  },
});

// event_description and result are both set from the same value, dup188.
var all61 = all_match({
  processors: [msg237, dup187],
  on_success: processor_chain([
    dup171,
    set_field({ dest: "nwparser.msg_id1", value: constant("605004") }),
    dup17,
    dup106,
    dup18,
    dup19,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({ dest: "nwparser.event_description", value: dup188 }),
    set_field({ dest: "nwparser.result", value: dup188 }),
  ]),
});

// Layout 2: fallback. Everything before " for user " is stored as action, so
// no source or destination address is extracted from this layout. Tagged
// "605004:01"; unlike layout 1 it does not set event_description or result.
var msg238 = match({
  id: "MESSAGE#737:605004:01/0",
  dissect: {
    tokenizer: "%{action->} for user %{p0->}",
    field: "nwparser.payload",
  },
});
var all62 = all_match({
  processors: [msg238, dup187],
  on_success: processor_chain([
    dup171,
    set_field({ dest: "nwparser.msg_id1", value: constant("605004:01") }),
    dup17,
    dup106,
    dup18,
    dup19,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});

// The specific layout is listed before the fallback.
var select59 = linear_select([all61, all62]);
// Cisco ASA message 721016: a session has been created. The final stage reads
// nwparser.p1 and captures the address that precedes " has been created.".
// The first two stages (dup189, dup190) are defined elsewhere in this file.
var msg239 = match({
  id: "MESSAGE#1151:721016/2",
  dissect: {
    tokenizer: "%{saddr->} has been created.",
    field: "nwparser.p1",
  },
});
var all63 = all_match({
  processors: [dup189, dup190, msg239],
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("721016") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("session created"),
    }),
  ]),
});
// Cisco ASA message 109009: authorization denied because the user is not
// authenticated. Captures the full 4-tuple; the "(not authenticated)" suffix
// is matched literally.
var msg240 = match({
  id: "MESSAGE#130:109009",
  dissect: {
    tokenizer: "Authorization denied from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} (not authenticated)",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup98,
    set_field({ dest: "nwparser.msg_id1", value: constant("109009") }),
    dup17,
    dup99,
    dup65,
    dup2,
    dup3,
    dup4,
    dup5,
    dup191,
  ]),
});
// Cisco ASA message 302017: GRE connection built, inbound and outbound.
//
// Field naming differs between the two layouts:
//   - inbound:  the "from" side is captured as s* and the "to" side as d*.
//   - outbound: the "from" side is captured as d* (dinterface/daddr/
//     dtransaddr) and the "to" side as s* (sinterface/saddr/sport/...).
// So for outbound events saddr is NOT the address written after "from" in the
// raw message. Keep this in mind when writing rules that compare parsed
// fields with the original text.
var msg241 = match({
  id: "MESSAGE#321:302017",
  dissect: {
    tokenizer: "Built inbound GRE connection %{connectionid->} from %{sinterface->}:%{saddr->} (%{stransaddr->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("302017") }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup192,
    dup193,
  ]),
});
var msg242 = match({
  id: "MESSAGE#322:302017:01",
  dissect: {
    tokenizer: "Built outbound GRE connection %{connectionid->} from %{dinterface->}:%{daddr->} (%{dtransaddr->}) to %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("302017:01") }),
    dup42,
    dup43,
    dup40,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup194,
    dup193,
  ]),
});
var select60 = linear_select([msg241, msg242]);
// Cisco ASA message 309001: a manager connection was denied. Captures only
// the source address and writes a fixed description. A denied management
// connection is a useful signal for unauthorised-access monitoring.
var msg243 = match({
  id: "MESSAGE#398:309001",
  dissect: {
    tokenizer: "Denied manager connection from %{saddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup84,
    set_field({ dest: "nwparser.msg_id1", value: constant("309001") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("denied manager connection"),
    }),
  ]),
});
// Cisco ASA message 318002: the tokenizer is a single capture, so the entire
// payload is stored as event_description without further parsing.
var msg244 = match({
  id: "MESSAGE#429:318002",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup75,
    set_field({ dest: "nwparser.msg_id1", value: constant("318002") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA message 725003: SSL client event, parsed in two stages.

// Stage 1 (nwparser.payload): client interface, address (hostip) and port
// (network_port); remainder goes to p0.
var msg245 = match({
  id: "MESSAGE#1188:725003/0",
  dissect: {
    tokenizer: "SSL client %{interface->}:%{hostip->}/%{network_port->} %{p0->}",
    field: "nwparser.payload",
  },
});

// Stage 2 (nwparser.p0): either "to <daddr>/<dport> <action>" or just
// "<action>.".
// NOTE(review): only the second alternative consumes a closing "."; in the
// first one any trailing punctuation presumably stays inside action. Verify
// with sample logs before writing exact-match rules on action.
var msg246 = match({
  id: "MESSAGE#1188:725003/1",
  dissect: {
    tokenizer: "to %{daddr->}/%{dport->} %{action->}",
    field: "nwparser.p0",
  },
});
var msg247 = match({
  id: "MESSAGE#1188:725003/1",
  dissect: {
    tokenizer: "%{action->}.",
    field: "nwparser.p0",
  },
});
var select61 = linear_select([msg246, msg247]);

var all64 = all_match({
  processors: [msg245, select61],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("725003") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA message 752006: tunnel manager failed to dispatch a message.
// Captures the message type (fld1) and the text after the fixed
// "Probable mis-configuration ..." sentence (result); the description is a
// fixed string that omits the message type.
var msg248 = match({
  id: "MESSAGE#1288:752006",
  dissect: {
    tokenizer: "Tunnel Manager failed to dispatch a %{fld1->} message. Probable mis-configuration of the crypto map or tunnel-group. %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("752006") }),
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Tunnel Manager failed to dispatch a message. Probable mis-configuration of the crypto map or tunnel-group"),
    }),
  ]),
});
// Cisco ASA message 421001 (MESSAGE#661): a TCP flow was skipped because an
// application (captured into "application") has failed.
// Extracts source and destination interface/address/port, then sets constant
// event_description ("TCP flow skipped") and result ("process failure").
var msg249 = match({ | |
id: "MESSAGE#661:421001", | |
dissect: { | |
tokenizer: "TCP flow from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} is skipped because %{application->} has failed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup50, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("421001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("TCP flow skipped"), | |
}), | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("process failure"), | |
}), | |
]), | |
}); | |
// Cisco ASA message 713134 (MESSAGE#901): "Mismatch" report for a VPN group.
// Captures group, peer address (saddr) and the mismatch detail (result); the
// event_description is fixed to "algorithm mismatch".
var msg250 = match({ | |
id: "MESSAGE#901:713134", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, Mismatch: %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713134"), | |
}), | |
dup7, | |
dup38, | |
dup39, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("algorithm mismatch"), | |
}), | |
]), | |
}); | |
// Cisco ASA message 105036 (MESSAGE#44), structured form:
// "(<context>) <description> <fld1>, seq = <fld2>".
var msg251 = match({ | |
id: "MESSAGE#44:105036", | |
dissect: { | |
tokenizer: "(%{context->}) %{event_description->} %{fld1->}, seq = %{fld2->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup195, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105036"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Fallback for 105036 (MESSAGE#45): whole payload goes to event_description and
// msg_id1 is recorded as "105036:01" so the fallback path stays distinguishable.
var msg252 = match({ | |
id: "MESSAGE#45:105036:01", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup195, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105036:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Structured form listed before the catch-all; presumably evaluated in this
// order, which the catch-all depends on (confirm in linear_select).
var select62 = linear_select([ | |
msg251, | |
msg252, | |
]); | |
// Cisco ASA message 106015 (MESSAGE#80): "Deny <protocol> (no connection)".
// This is the variant that ends with "on interface <interface>"; it extracts
// source/destination address and port plus the flags text (fld1).
var msg253 = match({ | |
id: "MESSAGE#80:106015", | |
dissect: { | |
tokenizer: "Deny %{protocol->} (no connection) from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} flags %{fld1->} on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106015"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
]), | |
}); | |
// Same 106015 denial without the trailing interface clause (MESSAGE#81);
// recorded as msg_id1 "106015:01".
var msg254 = match({ | |
id: "MESSAGE#81:106015:01", | |
dissect: { | |
tokenizer: "Deny %{protocol->} (no connection) from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} flags %{fld1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106015:01"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
]), | |
}); | |
// Longer (interface-bearing) pattern is listed ahead of the shorter one.
var select63 = linear_select([ | |
msg253, | |
msg254, | |
]); | |
// Cisco ASA message 106102: per-user access-list hit records.
// Three shapes are handled: "denied", "permitted", and a "url ... hit-cnt" form.

// Denied form, stage 1: captures the access-list name (listnum) and passes the
// rest on in p0 for the shared stages dup197..dup202 (defined elsewhere).
var msg255 = match({ | |
id: "MESSAGE#104:106102:02/0", | |
dissect: { | |
tokenizer: "access-list %{listnum->} denied %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Denied form, full pipeline: msg_id1 = "106102:02", event_description = "deny".
var all65 = all_match({ | |
processors: [ | |
msg255, | |
dup197, | |
dup198, | |
dup199, | |
dup200, | |
dup201, | |
dup202, | |
], | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106102:02"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup203, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("deny"), | |
}), | |
]), | |
}); | |
// Permitted form, stage 1: same layout as msg255 with the literal "permitted".
var msg256 = match({ | |
id: "MESSAGE#105:106102:01/0", | |
dissect: { | |
tokenizer: "access-list %{listnum->} permitted %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Permitted form, full pipeline: msg_id1 = "106102:01", event_description =
// "permit". It differs from all65 in its first processor (dup204 vs dup180) and in
// dup40 vs dup19; what those shared processors set is not visible here.
var all66 = all_match({ | |
processors: [ | |
msg256, | |
dup197, | |
dup198, | |
dup199, | |
dup200, | |
dup201, | |
dup202, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106102:01"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup203, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("permit"), | |
}), | |
]), | |
}); | |
// URL form: access-list name, URL and hit counter in a single pattern.
var msg257 = match({ | |
id: "MESSAGE#106:106102", | |
dissect: { | |
tokenizer: "access-list %{listnum->} url %{url->} hit-cnt %{dclass_counter1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106102"), | |
}), | |
dup2, | |
dup3, | |
dup203, | |
dup4, | |
dup5, | |
]), | |
}); | |
// All 106102 shapes: denied, permitted, then URL.
var select64 = linear_select([ | |
all65, | |
all66, | |
msg257, | |
]); | |
// Catch-all for Cisco ASA message 404102 (MESSAGE#587): the whole payload is
// stored as event_description and msg_id1 is set to "404102".
var msg258 = match({ | |
id: "MESSAGE#587:404102", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup85, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("404102"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 737016 (MESSAGE#1241): a local pool address is being freed.
// Captures the reporting process and the freed address (hostip).
var msg259 = match({ | |
id: "MESSAGE#1241:737016", | |
dissect: { | |
tokenizer: "%{process->}: Freeing local pool address %{hostip->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737016"), | |
}), | |
dup2, | |
dup3, | |
dup205, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Variant of 737016 that also carries "Session=<sessionid>" (MESSAGE#1242);
// recorded as msg_id1 "737016:01".
var msg260 = match({ | |
id: "MESSAGE#1242:737016:01", | |
dissect: { | |
tokenizer: "%{process->}: Session=%{sessionid->}, Freeing local pool address %{hostip->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737016:01"), | |
}), | |
dup2, | |
dup3, | |
dup205, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Both 737016 layouts: without and with a session id.
var select65 = linear_select([ | |
msg259, | |
msg260, | |
]); | |
// Cisco ASA message 415010 (MESSAGE#643): HTTP inspection reports that HTTP was
// not detected on the flow. Captures the leading token (sigid), the token before
// "HTTP Protocol not detected" (listnum) and both addresses; context is set to the
// constant "HTTP protocol violation detected".
var msg261 = match({ | |
id: "MESSAGE#643:415010", | |
dissect: { | |
tokenizer: "%{sigid->} HTTP protocol violation detected - %{listnum->} HTTP Protocol not detected from %{saddr->} to %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup206, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("415010"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.context", | |
value: constant("HTTP protocol violation detected"), | |
}), | |
]), | |
}); | |
// Cisco ASA message 419001 (MESSAGE#653): "<action> from <src> to <dst>, reason:
// <result>". The leading words of the message become "action"; source and
// destination interface/address/port and the stated reason are extracted.
var msg262 = match({ | |
id: "MESSAGE#653:419001", | |
dissect: { | |
tokenizer: "%{action->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}, reason: %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("419001"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Catch-all for Cisco ASA message 505002 (MESSAGE#691): the whole payload is
// stored as event_description and msg_id1 is set to "505002".
var msg263 = match({ | |
id: "MESSAGE#691:505002", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup207, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("505002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 720005 (MESSAGE#1114): "(VPN-<context>) <description>.".
// The text after "VPN-" inside the parentheses becomes context; the pattern
// requires the payload to end with a period.
var msg264 = match({ | |
id: "MESSAGE#1114:720005", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720005"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 318004 (MESSAGE#431): "area ... lsid ... mask ... adv ...
// type ...". All five values go to generic fld1..fld5 slots; no named fields are
// produced by this pattern.
var msg265 = match({ | |
id: "MESSAGE#431:318004", | |
dissect: { | |
tokenizer: "area %{fld1->} lsid %{fld2->} mask %{fld3->} adv %{fld4->} type %{fld5->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("318004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 715065 (MESSAGE#1037), multi-stage parse.
// Middle stage: one of three shared alternatives (dup208..dup210, defined
// elsewhere in the file).
var select66 = linear_select([ | |
dup208, | |
dup209, | |
dup210, | |
]); | |
// Final stage: reads p1 as "<action> history (<fld1>)".
var msg266 = match({ | |
id: "MESSAGE#1037:715065/2", | |
dissect: { | |
tokenizer: "%{action->} history (%{fld1->})", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full 715065 pipeline: shared first stage dup44, then select66, then msg266.
var all67 = all_match({ | |
processors: [ | |
dup44, | |
select66, | |
msg266, | |
], | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715065"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 734003: "Session Attribute" records.
// Each variant shares the first two stages (dup211, dup212, defined elsewhere)
// and differs only in how the final p1 segment is read.

// Variant :01, final stage: endpoint.device.hostname="<hostname>".
var msg267 = match({ | |
id: "MESSAGE#1216:734003:01/2", | |
dissect: { | |
tokenizer: "%{hostip->}: Session Attribute endpoint.device.hostname=\"%{hostname->}\"", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all68 = all_match({ | |
processors: [ | |
dup211, | |
dup212, | |
msg267, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("734003:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Variant :02, final stage: endpoint.device.MAC["<macaddr>"]="<fld2>".
var msg268 = match({ | |
id: "MESSAGE#1217:734003:02/2", | |
dissect: { | |
tokenizer: "%{hostip->}: Session Attribute endpoint.device.MAC[\"%{macaddr->}\"]=\"%{fld2->}\"", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all69 = all_match({ | |
processors: [ | |
dup211, | |
dup212, | |
msg268, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("734003:02"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Variant :03, final stage: endpoint.os.version="<version>".
var msg269 = match({ | |
id: "MESSAGE#1218:734003:03/2", | |
dissect: { | |
tokenizer: "%{hostip->}: Session Attribute endpoint.os.version=\"%{version->}\"", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all70 = all_match({ | |
processors: [ | |
dup211, | |
dup212, | |
msg269, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("734003:03"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Generic variant, final stage: everything after "<hostip>: " goes to result.
var msg270 = match({ | |
id: "MESSAGE#1219:734003/2", | |
dissect: { | |
tokenizer: "%{hostip->}: %{result->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// NOTE(review): msg270 captures text into result, and this chain then sets
// nwparser.result to a constant; presumably the captured attribute text is
// overwritten and not kept. Confirm that this is intended.
var all71 = all_match({ | |
processors: [ | |
dup211, | |
dup212, | |
msg270, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("734003"), | |
}), | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("Session Attribute assignment"), | |
}), | |
dup4, | |
dup5, | |
]), | |
}); | |
// Specific attribute variants are listed before the generic all71 fallback.
var select67 = linear_select([ | |
all68, | |
all69, | |
all70, | |
all71, | |
]); | |
// Catch-all for Cisco ASA message 611315 (MESSAGE#771): the whole payload is
// stored as event_description and msg_id1 is set to "611315".
var msg271 = match({ | |
id: "MESSAGE#771:611315", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611315"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Catch-all for Cisco ASA message 709005 (MESSAGE#838): the whole payload is
// stored as event_description and msg_id1 is set to "709005".
var msg272 = match({ | |
id: "MESSAGE#838:709005", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("709005"), | |
}), | |
dup38, | |
dup39, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 105020 (MESSAGE#37): "(<context>)<description>".
// The parenthesised prefix becomes context; the pattern has no space between
// ")" and the description, so any separator is presumably handled by the "->"
// modifier or ends up in event_description (confirm against sample logs).
var msg273 = match({ | |
id: "MESSAGE#37:105020", | |
dissect: { | |
tokenizer: "(%{context->})%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup75, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105020"), | |
}), | |
dup38, | |
dup39, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 338004 (MESSAGE#474): "blacklisted" traffic record with NAT
// details and a list entry given as address/mask.
// The tokenizer starts mid-word ("ed blacklisted"), so the start of the message
// is presumably consumed by the earlier shared stages (dup183, dup184, dup213,
// dup214); their definitions are elsewhere in the file.
var msg274 = match({ | |
id: "MESSAGE#474:338004/4", | |
dissect: { | |
tokenizer: "ed blacklisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), destination %{fld1->} resolved from %{fld2->} list:%{fld3->} /%{p4->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Mask followed by "threat-level:", with a comma after the mask.
var msg275 = match({ | |
id: "MESSAGE#474:338004/6", | |
dissect: { | |
tokenizer: "%{mask->}, threat-level: %{p5->}", | |
field: "nwparser.p4", | |
}, | |
}); | |
// Same as msg275 but without the comma.
var msg276 = match({ | |
id: "MESSAGE#474:338004/6", | |
dissect: { | |
tokenizer: "%{mask->} threat-level: %{p5->}", | |
field: "nwparser.p4", | |
}, | |
}); | |
var select68 = linear_select([ | |
msg275, | |
msg276, | |
]); | |
// Last stage: threat level (severity) and category (result).
// NOTE(review): msg275, msg276 and msg277 all use the id "MESSAGE#474:338004/6",
// so the id does not identify the stage that matched or failed.
var msg277 = match({ | |
id: "MESSAGE#474:338004/6", | |
dissect: { | |
tokenizer: "%{severity->}, category: %{result->}", | |
field: "nwparser.p5", | |
}, | |
}); | |
// Full 338004 pipeline; on success stamps msg_id1 = "338004".
var all72 = all_match({ | |
processors: [ | |
dup183, | |
dup184, | |
dup213, | |
dup214, | |
msg274, | |
select68, | |
msg277, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338004"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 502102 (MESSAGE#681): a user was deleted from the local
// database. Stage 1 matches the fixed prefix and passes the user name and the
// rest on in p0 for the shared stages dup215 and dup216 (defined elsewhere).
var msg278 = match({ | |
id: "MESSAGE#681:502102/0", | |
dissect: { | |
tokenizer: "User deleted from local dbase: Uname: %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Full 502102 pipeline. Unlike most chains in this file, the event category is
// set inline ("1402020100") and not through a shared dup* processor; result is
// fixed to "User deleted from local DB". As an account-removal record, this event
// is a natural candidate for audit and alerting rules.
var all73 = all_match({ | |
processors: [ | |
msg278, | |
dup215, | |
dup216, | |
], | |
on_success: processor_chain([ | |
set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1402020100"), | |
}), | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("502102"), | |
}), | |
dup17, | |
dup108, | |
dup217, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("User deleted from local DB"), | |
}), | |
]), | |
}); | |
// Cisco ASA message 602101 (MESSAGE#706): PMTU-D packet larger than the
// effective MTU. Stage 1 captures the byte count (fld1) and stops right after
// the literal "byte", leaving the rest in p0.
var msg279 = match({ | |
id: "MESSAGE#706:602101/0", | |
dissect: { | |
tokenizer: "PMTU-D packet %{fld1->} byte%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Middle stage with a single shared alternative (dup218, defined elsewhere).
var select69 = linear_select([ | |
dup218, | |
]); | |
// Final stage: effective MTU (fld2), destination and source address, protocol.
// The leading "%{->}" is an unnamed key, presumably used to skip leading
// padding (confirm against the dissect implementation).
var msg280 = match({ | |
id: "MESSAGE#706:602101/2", | |
dissect: { | |
tokenizer: "%{->}greater than effective mtu %{fld2->} dest_addr=%{daddr->}, src_addr=%{saddr->}, prot=%{protocol->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full 602101 pipeline; sets a fixed event_description.
var all74 = all_match({ | |
processors: [ | |
msg279, | |
select69, | |
msg280, | |
], | |
on_success: processor_chain([ | |
dup41, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("602101"), | |
}), | |
dup7, | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("PMTU-D packet bytes greater than effective mtu"), | |
}), | |
]), | |
}); | |
// Cisco ASA message 746001 (MESSAGE#1254): "<application>: <description>".
// NOTE(review): this chain runs only dup3 after setting msg_id1, whereas the
// surrounding definitions run dup2, dup3, dup4 and dup5. dup2 writes
// nwparser.level (see its definition at the top of the file), so events matched
// here may lack fields the other chains populate. Confirm whether that is
// intended.
var msg281 = match({ | |
id: "MESSAGE#1254:746001", | |
dissect: { | |
tokenizer: "%{application->}: %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("746001"), | |
}), | |
dup3, | |
]), | |
}); | |
// Cisco ASA message 302013 ("Built inbound <protocol> connection"), variant :07
// (MESSAGE#292): both endpoints carry NAT-translated address/port and a
// "(domain\user)" identity, followed by a trailing "(<username>)".
// The "\\" in the tokenizer is a JavaScript escape for one literal backslash.
// The source-side user text goes to fld3; the destination-side one to c_username.
var msg282 = match({ | |
id: "MESSAGE#292:302013:07", | |
dissect: { | |
tokenizer: "Built inbound %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->})(%{domain->}\\%{fld3->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->})(%{ddomain->}\\%{c_username->}) (%{username->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:07"), | |
}), | |
dup64, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup192, | |
dup193, | |
]), | |
}); | |
// Cisco ASA message 302013, base variant (MESSAGE#293), multi-stage parse.
// The first two stages (dup219, dup220) are shared and defined elsewhere.

// Destination stage: interface, address/port and translated address/port.
var msg283 = match({ | |
id: "MESSAGE#293:302013/2", | |
dissect: { | |
tokenizer: "to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}) %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// User name in single quotes.
var msg284 = match({ | |
id: "MESSAGE#293:302013/4", | |
dissect: { | |
tokenizer: "'%{username->}'%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
// User name in parentheses.
var msg285 = match({ | |
id: "MESSAGE#293:302013/4", | |
dissect: { | |
tokenizer: "(%{username->})%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select70 = linear_select([ | |
msg284, | |
msg285, | |
]); | |
// Trailing stage: an unnamed key followed by a literal space, so nothing is stored.
// NOTE(review): msg284, msg285 and msg286 share the id "MESSAGE#293:302013/4".
var msg286 = match({ | |
id: "MESSAGE#293:302013/4", | |
dissect: { | |
tokenizer: "%{->} ", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Full pipeline for the base variant; on success stamps msg_id1 = "302013".
var all75 = all_match({ | |
processors: [ | |
dup219, | |
dup220, | |
msg283, | |
select70, | |
msg286, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013"), | |
}), | |
dup64, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup192, | |
dup193, | |
]), | |
}); | |
// Cisco ASA message 302013, variant :01: every parsing stage (dup221..dup223) is
// a shared processor defined elsewhere, so the message layout is not visible
// here. On success stamps msg_id1 = "302013:01".
var all76 = all_match({ | |
processors: [ | |
dup221, | |
dup222, | |
dup223, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:01"), | |
}), | |
dup64, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup194, | |
dup193, | |
]), | |
}); | |
// Cisco ASA message 302013, variant :02 (MESSAGE#295).
// Source-side tail with an identity: "<stransport>)(<domain>\<username>)".
var msg287 = match({ | |
id: "MESSAGE#295:302013:02/2", | |
dissect: { | |
tokenizer: "%{stransport->})(%{domain->}\\%{username->})%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Identity-bearing form first, then the shared alternative dup224 (defined
// elsewhere).
var select71 = linear_select([ | |
msg287, | |
dup224, | |
]); | |
// Destination stage.
// NOTE(review): msg287 and msg288 share the id "MESSAGE#295:302013:02/2".
var msg288 = match({ | |
id: "MESSAGE#295:302013:02/2", | |
dissect: { | |
tokenizer: "%{->}to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->})", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full pipeline for variant :02; first stage dup219 is shared.
var all77 = all_match({ | |
processors: [ | |
dup219, | |
select71, | |
msg288, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:02"), | |
}), | |
dup64, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup192, | |
dup193, | |
]), | |
}); | |
// Cisco ASA message 302013, variant :03 (MESSAGE#296): "Built outbound ...".
// In this outbound form the endpoint printed after "for" is mapped to the
// destination fields (dinterface/daddr/dport) and the endpoint after "to" is
// mapped to the source fields (sinterface/saddr/sport).
var msg289 = match({ | |
id: "MESSAGE#296:302013:03/0", | |
dissect: { | |
tokenizer: "Built outbound %{protocol->} connection %{connectionid->} for %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// First endpoint's interface, with an extra token (fld1) before the address.
var msg290 = match({ | |
id: "MESSAGE#296:302013:03/2", | |
dissect: { | |
tokenizer: "%{dinterface->}:%{fld1->} :%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// First endpoint's interface without the extra token.
var msg291 = match({ | |
id: "MESSAGE#296:302013:03/2", | |
dissect: { | |
tokenizer: "%{dinterface->} :%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select72 = linear_select([ | |
msg290, | |
msg291, | |
]); | |
// First endpoint's address/port and translated address/port, up to " to ".
// NOTE(review): msg290, msg291 and msg292 share the id ending in "/2".
var msg292 = match({ | |
id: "MESSAGE#296:302013:03/2", | |
dissect: { | |
tokenizer: "%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}) to %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Second endpoint with an extra token (fld2) between interface and address.
var msg293 = match({ | |
id: "MESSAGE#296:302013:03/4", | |
dissect: { | |
tokenizer: "%{sinterface->}:%{fld2->}:%{saddr->}/%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
// Second endpoint without the extra token.
var msg294 = match({ | |
id: "MESSAGE#296:302013:03/4", | |
dissect: { | |
tokenizer: "%{sinterface->}:%{saddr->}/%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select73 = linear_select([ | |
msg293, | |
msg294, | |
]); | |
// Second endpoint's port and translated address/port.
// NOTE(review): msg293, msg294 and msg295 share the id ending in "/4".
var msg295 = match({ | |
id: "MESSAGE#296:302013:03/4", | |
dissect: { | |
tokenizer: "%{sport->} (%{stransaddr->}/%{stransport->})", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Full pipeline for variant :03. It uses dup194 where the inbound variants use
// dup192; what either sets is not visible in this part of the file.
var all78 = all_match({ | |
processors: [ | |
msg289, | |
select72, | |
msg292, | |
select73, | |
msg295, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:03"), | |
}), | |
dup64, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup194, | |
dup193, | |
]), | |
}); | |
// Cisco ASA message 302013, variant :04 (MESSAGE#297): inbound connection in the
// space-separated "gaddr" layout. The address/port after "gaddr" is stored as
// hostip/network_port.
var msg296 = match({ | |
id: "MESSAGE#297:302013:04", | |
dissect: { | |
tokenizer: "Built inbound %{protocol->} connection %{connectionid->} for %{sinterface->} %{saddr->}/%{sport->} gaddr %{hostip->}/%{network_port->} %{dinterface->} %{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:04"), | |
}), | |
dup64, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup192, | |
dup193, | |
]), | |
}); | |
// Cisco ASA message 302013, variant :05 (MESSAGE#298): outbound connection in the
// "gaddr" layout. As in the other outbound pattern, the first endpoint is mapped
// to the destination fields and the last endpoint to the source fields.
var msg297 = match({ | |
id: "MESSAGE#298:302013:05", | |
dissect: { | |
tokenizer: "Built outbound %{protocol->} connection %{connectionid->} for %{dinterface->} %{daddr->}/%{dport->} gaddr %{hostip->}/%{network_port->} %{sinterface->} %{saddr->}/%{sport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:05"), | |
}), | |
dup64, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup194, | |
dup193, | |
]), | |
}); | |
// Cisco ASA message 302013, variant :06 (MESSAGE#299): outbound connection where
// the interface is followed by " :" before the address. Stage 1 stops at the
// opening "(" of the translated address and passes the rest on in p0.
var msg298 = match({ | |
id: "MESSAGE#299:302013:06/0", | |
dissect: { | |
tokenizer: "Built outbound %{protocol->} connection %{connectionid->} for %{dinterface->} :%{daddr->}/%{dport->} (%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Two shared alternatives (dup225, dup226) defined elsewhere in the file.
var select74 = linear_select([ | |
dup225, | |
dup226, | |
]); | |
// Full pipeline for variant :06; the later stages dup227 and dup228 are shared.
var all79 = all_match({ | |
processors: [ | |
msg298, | |
select74, | |
dup227, | |
dup228, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:06"), | |
}), | |
dup64, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup194, | |
dup193, | |
]), | |
}); | |
// Cisco ASA message 302013, variant :09 (MESSAGE#300): inbound connection with a
// "(domain\user)" identity on the destination side only.
// NOTE(review): this chain does not include dup2, which the other 302013 variants
// run and which writes nwparser.level (see its definition at the top of the
// file). Events matched here may therefore lack that field. Confirm whether the
// omission is intended.
var msg299 = match({ | |
id: "MESSAGE#300:302013:09", | |
dissect: { | |
tokenizer: "Built inbound %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->})(%{domain->}\\%{username->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:09"), | |
}), | |
dup64, | |
dup102, | |
dup43, | |
dup14, | |
dup3, | |
dup4, | |
dup5, | |
dup192, | |
dup193, | |
]), | |
}); | |
// Cisco ASA message 302013, variant :08 (MESSAGE#301): inbound connection with an
// extra parenthesised value after the source NAT pair, stored in the generic
// field "fld".
// NOTE(review): this chain does not include dup2, which the other 302013 variants
// run and which writes nwparser.level (see its definition at the top of the
// file). Events matched here may therefore lack that field. Confirm whether the
// omission is intended.
var msg300 = match({ | |
id: "MESSAGE#301:302013:08", | |
dissect: { | |
tokenizer: "Built inbound %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->})(%{fld->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302013:08"), | |
}), | |
dup64, | |
dup102, | |
dup43, | |
dup14, | |
dup3, | |
dup4, | |
dup5, | |
dup192, | |
dup193, | |
]), | |
}); | |
// All 302013 ("Built inbound/outbound connection") layouts handled by this file.
// The list order is the only place that records their relative priority;
// presumably they are attempted top to bottom (confirm in linear_select).
var select75 = linear_select([ | |
msg282, | |
all75, | |
all76, | |
all77, | |
all78, | |
msg296, | |
msg297, | |
all79, | |
msg299, | |
msg300, | |
]); | |
// Catch-all for Cisco ASA message 304009 (MESSAGE#361): the whole payload is
// stored as event_description and msg_id1 is set to "304009".
var msg301 = match({ | |
id: "MESSAGE#361:304009", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("304009"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Catch-all for Cisco ASA message 409012 (MESSAGE#614): the whole payload is
// stored as event_description and msg_id1 is set to "409012".
var msg302 = match({ | |
id: "MESSAGE#614:409012", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("409012"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 415006 (MESSAGE#638): HTTP inspection "Content size ... out
// of range". The size value is stored in the field named "priority" and the token
// after the dash in "listnum"; context is set to the constant
// "Content size out of range".
var msg303 = match({ | |
id: "MESSAGE#638:415006", | |
dissect: { | |
tokenizer: "%{sigid->} Content size %{priority->} out of range - %{listnum->} %{protocol->} from %{saddr->} to %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup206, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("415006"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.context", | |
value: constant("Content size out of range"), | |
}), | |
]), | |
}); | |
// Cisco ASA message 110001 (MESSAGE#159): "No route to <daddr> from <saddr>".
// The destination appears first in the message text.
var msg304 = match({ | |
id: "MESSAGE#159:110001", | |
dissect: { | |
tokenizer: "No route to %{daddr->} from %{saddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup229, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("110001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 338002 (MESSAGE#472): "blacklisted" traffic record where the
// list entry is a domain name (web_domain). Also extracts NAT details, the
// threat level (severity) and the category (result).
// The tokenizer starts mid-word ("ed blacklisted"), so the start of the message
// is presumably consumed by the shared stages listed before it in all80.
var msg305 = match({ | |
id: "MESSAGE#472:338002/4", | |
dissect: { | |
tokenizer: "ed blacklisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), destination %{fld1->} resolved from %{fld2->} list:%{web_domain->} threat-level: %{severity->}, category: %{result->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Full 338002 pipeline; on success stamps msg_id1 = "338002".
var all80 = all_match({ | |
processors: [ | |
dup183, | |
dup184, | |
dup213, | |
dup214, | |
msg305, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338002"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 113034 (MESSAGE#1287): a user ACL received from AAA was
// ignored in favour of an AV-PAIR ACL.
// "\u003c" is the JavaScript escape for "<", so the literal matched before the
// ACL name is "<<"; the ACL name itself is captured into info.
var msg306 = match({ | |
id: "MESSAGE#1287:113034/2", | |
dissect: { | |
tokenizer: "%{hostip->}> User ACL \u003c\u003c%{info->}> from AAA ignored, AV-PAIR ACL used instead", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full 113034 pipeline: shared stages dup77 and dup78 (defined elsewhere), then
// msg306; sets a fixed event_description.
var all81 = all_match({ | |
processors: [ | |
dup77, | |
dup78, | |
msg306, | |
], | |
on_success: processor_chain([ | |
dup24, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("113034"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("specified ACL was not used because a Cisco AV-PAIR ACL was used"), | |
}), | |
]), | |
}); | |
// Cisco ASA message 338202 (MESSAGE#484): "greylisted" traffic record with the
// same field layout as the "blacklisted" domain form (web_domain, severity,
// result).
var msg307 = match({ | |
id: "MESSAGE#484:338202/4", | |
dissect: { | |
tokenizer: "ed greylisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), destination %{fld1->} resolved from %{fld2->} list:%{web_domain->} threat-level: %{severity->}, category: %{result->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Full 338202 pipeline. Its third stage is dup230, where the blacklisted
// pipelines use dup213; both are defined elsewhere in the file.
var all82 = all_match({ | |
processors: [ | |
dup183, | |
dup184, | |
dup230, | |
dup214, | |
msg307, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338202"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 713123: IKE lost contact with the remote peer and the
// connection is being deleted.
// Variant :01 (MESSAGE#889) includes "Username = <username>".
var msg308 = match({ | |
id: "MESSAGE#889:713123:01", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, IKE lost contact with remote peer, deleting connection (keepalive type: %{fld1->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup34, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713123:01"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup231, | |
]), | |
}); | |
// Base variant (MESSAGE#890) without a user name.
var msg309 = match({ | |
id: "MESSAGE#890:713123", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, IKE lost contact with remote peer, deleting connection (keepalive type: %{fld1->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup34, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713123"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup231, | |
]), | |
}); | |
// The user-name form is listed first. If the shorter pattern ran first on a
// message containing "Username =", the group capture would presumably absorb the
// user name text; confirm against dissect's matching rules.
var select76 = linear_select([ | |
msg308, | |
msg309, | |
]); | |
// Catch-all for Cisco ASA message 717007 (MESSAGE#1068): the whole payload is
// stored as event_description and msg_id1 is set to "717007".
var msg310 = match({ | |
id: "MESSAGE#1068:717007", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("717007"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 720003 (MESSAGE#1112): "(VPN-<context>) <description>".
// The text after "VPN-" inside the parentheses becomes context; the rest of the
// payload becomes event_description.
var msg311 = match({ | |
id: "MESSAGE#1112:720003", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720003"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 105042 (MESSAGE#51): "(<context>) <description>".
// The parenthesised prefix becomes context; the rest becomes event_description.
var msg312 = match({ | |
id: "MESSAGE#51:105042", | |
dissect: { | |
tokenizer: "(%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105042"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Cisco ASA message 713041 (MESSAGE#862): "IKE Initiator" record, parsed as a
// chain of small stages (p0 -> p1 -> p2 -> p3 -> p4).
// NOTE(review): several stages below reuse the same id string (".../2", ".../3",
// ".../5"), so the id does not uniquely identify a stage.

// Identity stage, alternative 1: group and peer address.
var msg313 = match({ | |
id: "MESSAGE#862:713041/2", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->} , IKE Initiator: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Identity stage, alternative 2: user name in single quotes.
var msg314 = match({ | |
id: "MESSAGE#862:713041/2", | |
dissect: { | |
tokenizer: "Username = '%{username->}', IP = %{saddr->} , IKE Initiator: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Identity stage, alternative 3: unquoted user name.
var msg315 = match({ | |
id: "MESSAGE#862:713041/2", | |
dissect: { | |
tokenizer: "Username = %{username->}, IP = %{saddr->} , IKE Initiator: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Identity stage, alternative 4: peer address only.
var msg316 = match({ | |
id: "MESSAGE#862:713041/2", | |
dissect: { | |
tokenizer: "IP = %{saddr->} , IKE Initiator: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// The quoted-user form precedes the unquoted one, presumably so the quotes do
// not end up inside the captured user name.
var select77 = linear_select([ | |
msg313, | |
msg314, | |
msg315, | |
msg316, | |
]); | |
// Initiator kind: literal "Rekeying" or "New". The literal is matched but not
// stored in a named field by these two patterns.
var msg317 = match({ | |
id: "MESSAGE#862:713041/3", | |
dissect: { | |
tokenizer: "Rekeying%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var msg318 = match({ | |
id: "MESSAGE#862:713041/3", | |
dissect: { | |
tokenizer: "New%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var select78 = linear_select([ | |
msg317, | |
msg318, | |
]); | |
// Literal "Phase " separator.
var msg319 = match({ | |
id: "MESSAGE#862:713041/3", | |
dissect: { | |
tokenizer: "%{->}Phase %{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
// Phase number: literal "1" or "2", likewise matched without being stored.
var msg320 = match({ | |
id: "MESSAGE#862:713041/5", | |
dissect: { | |
tokenizer: "1%{p4->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var msg321 = match({ | |
id: "MESSAGE#862:713041/5", | |
dissect: { | |
tokenizer: "2%{p4->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var select79 = linear_select([ | |
msg320, | |
msg321, | |
]); | |
// Tail: interface (fld1), IKE peer (fld2) and remaining text (info).
var msg322 = match({ | |
id: "MESSAGE#862:713041/5", | |
dissect: { | |
tokenizer: "%{->}, Intf %{fld1->}, IKE Peer %{fld2->} %{info->}", | |
field: "nwparser.p4", | |
}, | |
}); | |
// Full 713041 pipeline; the first stage dup44 and the post-processor dup232 are
// defined elsewhere in the file.
var all83 = all_match({ | |
processors: [ | |
dup44, | |
select77, | |
select78, | |
msg319, | |
select79, | |
msg322, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713041"), | |
}), | |
dup7, | |
dup11, | |
dup12, | |
dup13, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup232, | |
]), | |
}); | |
// Cisco ASA message 713041, variant :01 (MESSAGE#863): the payload begins with
// "IKE Initiator:" and carries no group, user or peer-address prefix.
var msg323 = match({ | |
id: "MESSAGE#863:713041:01/0", | |
dissect: { | |
tokenizer: "IKE Initiator: %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Initiator kind: literal "Rekeying" or "New" (matched, not stored).
var msg324 = match({ | |
id: "MESSAGE#863:713041:01/2", | |
dissect: { | |
tokenizer: "Rekeying%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg325 = match({ | |
id: "MESSAGE#863:713041:01/2", | |
dissect: { | |
tokenizer: "New%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select80 = linear_select([ | |
msg324, | |
msg325, | |
]); | |
// Tail: this variant only accepts the literal "Phase 2".
// NOTE(review): msg324, msg325 and msg326 share the id ending in "/2".
var msg326 = match({ | |
id: "MESSAGE#863:713041:01/2", | |
dissect: { | |
tokenizer: "%{->}Phase 2, Intf %{fld1->}, IKE Peer %{fld2->} %{info->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full pipeline for variant :01; on success stamps msg_id1 = "713041:01".
var all84 = all_match({ | |
processors: [ | |
msg323, | |
select80, | |
msg326, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713041:01"), | |
}), | |
dup7, | |
dup11, | |
dup12, | |
dup13, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup232, | |
]), | |
}); | |
// Both 713041 layouts: prefixed form first, bare "IKE Initiator:" form second.
var select81 = linear_select([ | |
all83, | |
all84, | |
]); | |
// Message 718068: "Start VPN Load Balancing in context <context>." On success
// sets msg_id1 to "718068" and a constant event_description.
var msg327 = match({ | |
id: "MESSAGE#1107:718068", | |
dissect: { | |
tokenizer: "Start VPN Load Balancing in context %{context->}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("718068"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Start VPN Load Balancing"), | |
}), | |
]), | |
}); | |
// Message 434002: packet drop requested by SFR. Captures protocol plus the
// source and destination interface/address/port triples from the payload.
// On success sets msg_id1 to "434002" and a constant event_description.
var msg328 = match({ | |
id: "MESSAGE#1311:434002", | |
dissect: { | |
tokenizer: "SFR requested to drop %{protocol->} packet from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("434002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("SFR requested to drop packet"), | |
}), | |
]), | |
}); | |
// Message 737006, layout without a session id: captures the process name and
// the quoted tunnel-group (as info).
var msg329 = match({ | |
id: "MESSAGE#1231:737006", | |
dissect: { | |
tokenizer: "%{process->}: Local pool request succeeded for tunnel-group '%{info->}'", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737006"), | |
}), | |
dup2, | |
dup3, | |
dup233, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 737006, layout with "Session=<sessionid>, " before the same text;
// tagged "737006:01".
var msg330 = match({ | |
id: "MESSAGE#1232:737006:01", | |
dissect: { | |
tokenizer: "%{process->}: Session=%{sessionid->}, Local pool request succeeded for tunnel-group '%{info->}'", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737006:01"), | |
}), | |
dup2, | |
dup3, | |
dup233, | |
dup4, | |
dup5, | |
]), | |
}); | |
// NOTE(review): msg329 is listed first and its leading %{process->} capture is
// followed by ": Local pool request ..."; whether it can also swallow the
// "Session=" form depends on how the tokenizer backtracks — confirm with a
// sample of each layout.
var select82 = linear_select([ | |
msg329, | |
msg330, | |
]); | |
// Message 305009: "Built <context> translation" (address translation record).
// Captures the source and destination interface:address pairs; no ports are
// captured by this pattern. On success sets msg_id1 to "305009".
var msg331 = match({ | |
id: "MESSAGE#376:305009", | |
dissect: { | |
tokenizer: "Built %{context->} translation from %{sinterface->}:%{saddr->} to %{dinterface->}:%{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("305009"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup234, | |
]), | |
}); | |
// Message 415003: HTTP peer-to-peer detection. Captures sigid, listnum,
// protocol, saddr and daddr. On success sets msg_id1 to "415003" and
// nwparser.context to a constant label.
var msg332 = match({ | |
id: "MESSAGE#634:415003", | |
dissect: { | |
tokenizer: "%{sigid->} HTTP Peer-to-Peer detected - %{listnum->} %{protocol->} from %{saddr->} to %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup206, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("415003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.context", | |
value: constant("HTTP Peer-to-Peer detected"), | |
}), | |
]), | |
}); | |
// Message 603107 (L2TP tunnel deleted), first fragment: literal prefix, rest
// captured as p0.
var msg333 = match({ | |
id: "MESSAGE#726:603107/0", | |
dissect: { | |
tokenizer: "L2TP Tunnel deleted%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Last fragment, read from nwparser.p1: tunnel id (fld1) and the remote peer
// IP, which is stored as saddr.
var msg334 = match({ | |
id: "MESSAGE#726:603107/2", | |
dissect: { | |
tokenizer: "%{->}tunnel_id = %{fld1->} remote_peer_ip =%{saddr->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full 603107 parser. dup235 sits between the two fragments and is defined
// outside this excerpt (presumably it turns p0 into p1 — confirm).
var all85 = all_match({ | |
processors: [ | |
msg333, | |
dup235, | |
msg334, | |
], | |
on_success: processor_chain([ | |
dup34, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("603107"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("L2TP tunnel deleted"), | |
}), | |
]), | |
}); | |
// Message 722012 (SVC message at NOTICE level), fragment read from
// nwparser.p1: captures saddr and info, then hands the text after
// "/NOTICE: " on as p2. The leading fragments are dup77 and dup78.
var msg335 = match({ | |
id: "MESSAGE#1158:722012/2", | |
dissect: { | |
tokenizer: "%{saddr->}> SVC Message: %{info->}/NOTICE: %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// msg336 / msg337: alternatives over nwparser.p2. The first expects a
// parenthesised suffix (fld1) after the description; the second takes the
// whole remainder as event_description.
var msg336 = match({ | |
id: "MESSAGE#1158:722012/3", | |
dissect: { | |
tokenizer: "%{event_description->}(%{fld1->}) ", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg337 = match({ | |
id: "MESSAGE#1158:722012/3", | |
dissect: { | |
tokenizer: "%{->} %{event_description->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select83 = linear_select([ | |
msg336, | |
msg337, | |
]); | |
// Full 722012 parser; on success sets msg_id1 to "722012".
var all86 = all_match({ | |
processors: [ | |
dup77, | |
dup78, | |
msg335, | |
select83, | |
], | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722012"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 109027 (failure to decode an authentication-server response),
// first fragment: bracketed protocol, then the literal "Unable to dec"; the
// rest is captured as p0.
var msg338 = match({ | |
id: "MESSAGE#152:109027/0", | |
dissect: { | |
tokenizer: "[%{protocol->}] Unable to dec%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Spelling alternative with a "y" (so the word reads "decypher"); the other
// alternative, dup236, is defined outside this excerpt.
var msg339 = match({ | |
id: "MESSAGE#152:109027/2", | |
dissect: { | |
tokenizer: "y%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select84 = linear_select([ | |
dup236, | |
msg339, | |
]); | |
// Remainder, read from nwparser.p1: server address (hostip); the text after
// "User = " is handed on as p2.
var msg340 = match({ | |
id: "MESSAGE#152:109027/2", | |
dissect: { | |
tokenizer: "pher response message Server = %{hostip->}, User = %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full 109027 parser. dup237 follows msg340 (presumably it extracts the user
// name from p2 — confirm at its definition). On success sets msg_id1 to
// "109027".
var all87 = all_match({ | |
processors: [ | |
msg338, | |
select84, | |
msg340, | |
dup237, | |
], | |
on_success: processor_chain([ | |
dup86, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109027"), | |
}), | |
dup17, | |
dup18, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 113012: successful AAA authentication against the local database.
// The text after "user = " is captured as p0.
var msg341 = match({ | |
id: "MESSAGE#189:113012/0", | |
dissect: { | |
tokenizer: "AAA user authentication Successful : local database : user = %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Full 113012 parser. dup238 is defined outside this excerpt (presumably it
// extracts the user name from p0 — confirm). On success sets msg_id1 to
// "113012" and nwparser.result to a constant success string, so the outcome
// field is fixed by the parser rather than read from the log line.
var all88 = all_match({ | |
processors: [ | |
msg341, | |
dup238, | |
], | |
on_success: processor_chain([ | |
dup63, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("113012"), | |
}), | |
dup17, | |
dup18, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("AAA user authentication successful"), | |
}), | |
]), | |
}); | |
// Message 406001: FTP PORT command naming a low port. Captures saddr, sport,
// daddr and the interface. On success sets msg_id1 to "406001"; the
// classification comes from dup239 and dup240, defined outside this excerpt.
var msg342 = match({ | |
id: "MESSAGE#595:406001", | |
dissect: { | |
tokenizer: "FTP port command low port: %{saddr->}/%{sport->} to %{daddr->} on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup239, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("406001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup240, | |
]), | |
}); | |
// Message 715059, layout built entirely from shared fragments (dup22, dup23,
// dup241) that are defined outside this excerpt. On success sets msg_id1 to
// "715059".
var all89 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
dup241, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715059"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 715059, single-pattern layout: group, peer IP (saddr) and the rest
// of the line as action. Tagged "715059:01".
var msg343 = match({ | |
id: "MESSAGE#1032:715059:01", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{action->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715059:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Both 715059 layouts; all89 is listed before msg343.
var select85 = linear_select([ | |
all89, | |
msg343, | |
]); | |
// Message 713024: built entirely from shared fragments (dup9, dup242, dup243)
// defined outside this excerpt, so the matched text is not visible here.
// On success sets msg_id1 to "713024".
var all90 = all_match({ | |
processors: [ | |
dup9, | |
dup242, | |
dup243, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713024"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 713073: responder forcing a change of rekeying duration. Captures
// group, peer IP (saddr), the IKE phase text (ike) and the old and new
// durations in seconds (fld1, fld2). On success sets msg_id1 to "713073".
var msg344 = match({ | |
id: "MESSAGE#876:713073", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, Responder forcing change of %{ike->} rekeying duration from %{fld1->} to %{fld2->} seconds", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup244, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713073"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup245, | |
]), | |
}); | |
// Message 716039 (authentication outcome for a session), first fragment:
// captures the outcome as action and the group, then hands the text after
// "user = " on as p0.
// NOTE(review): "\u003c\u003c" evaluates to two "<" characters. If the
// tokenizer treats them literally, a log line that carries a single "<" will
// not match and these authentication events go unparsed — confirm how the
// dissect tokenizer handles the doubled character (applies to msg345-msg348).
var msg345 = match({ | |
id: "MESSAGE#1053:716039/0", | |
dissect: { | |
tokenizer: "Authentication: %{action->}, group = \u003c\u003c%{group->}> user = %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// msg346-msg348: alternatives over nwparser.p0 for how the user name is
// delimited (angle brackets, single quotes, or bare). Each hands the text
// after "IP = " on as p1.
var msg346 = match({ | |
id: "MESSAGE#1053:716039/2", | |
dissect: { | |
tokenizer: "\u003c\u003c%{username->}> IP = \u003c\u003c %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg347 = match({ | |
id: "MESSAGE#1053:716039/2", | |
dissect: { | |
tokenizer: "'%{username->}' IP = \u003c\u003c %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg348 = match({ | |
id: "MESSAGE#1053:716039/2", | |
dissect: { | |
tokenizer: "%{username->} IP = \u003c\u003c %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select86 = linear_select([ | |
msg346, | |
msg347, | |
msg348, | |
]); | |
// msg349 / msg350: alternatives over nwparser.p1 for the client address, with
// or without a parenthesised note (info) after it. The text after
// "Session Type: " is handed on as p2.
var msg349 = match({ | |
id: "MESSAGE#1053:716039/3", | |
dissect: { | |
tokenizer: "%{saddr->} (%{info->}) >, Session Type: %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var msg350 = match({ | |
id: "MESSAGE#1053:716039/3", | |
dissect: { | |
tokenizer: "%{saddr->} >, Session Type: %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var select87 = linear_select([ | |
msg349, | |
msg350, | |
]); | |
// The whole of nwparser.p2 becomes network_service (the session type).
var msg351 = match({ | |
id: "MESSAGE#1053:716039/3", | |
dissect: { | |
tokenizer: "%{network_service->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
// Full 716039 parser; on success sets msg_id1 to "716039". The outcome stays
// in the captured action field; no constant result is set in this chain.
var all91 = all_match({ | |
processors: [ | |
msg345, | |
select86, | |
select87, | |
msg351, | |
], | |
on_success: processor_chain([ | |
dup171, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("716039"), | |
}), | |
dup18, | |
dup17, | |
dup99, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 716039, second layout ("716039:01"), first fragment: group in
// angle brackets, then the text after "User " is handed on as p0.
// NOTE(review): "\u003c\u003c" evaluates to two "<" characters — confirm the
// tokenizer matches a log line that carries a single "<".
var msg352 = match({ | |
id: "MESSAGE#1054:716039:01/0", | |
dissect: { | |
tokenizer: "Group \u003c\u003c %{group->}> User %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// msg353 / msg354: alternatives over nwparser.p1 for the client address, with
// or without a parenthesised note (info). The text after "Authentication:"
// is handed on as p2.
var msg353 = match({ | |
id: "MESSAGE#1054:716039:01/3", | |
dissect: { | |
tokenizer: "%{saddr->} (%{info->}) > Authentication:%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var msg354 = match({ | |
id: "MESSAGE#1054:716039:01/3", | |
dissect: { | |
tokenizer: "%{saddr->} > Authentication:%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var select88 = linear_select([ | |
msg353, | |
msg354, | |
]); | |
// Outcome (result) and session type (network_service), read from nwparser.p2.
var msg355 = match({ | |
id: "MESSAGE#1054:716039:01/3", | |
dissect: { | |
tokenizer: "%{result->} Session Type: %{network_service->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
// Full "716039:01" parser. dup182 sits between msg352 and select88 and is
// defined outside this excerpt (presumably it extracts the user name).
// NOTE(review): event_description is set to the constant "Session connection
// rejected" for every line this layout matches, while the outcome printed in
// the log is captured separately as result. Detections should key on result,
// not on event_description, unless this message is only ever emitted for
// rejections — confirm.
var all92 = all_match({ | |
processors: [ | |
msg352, | |
dup182, | |
select88, | |
msg355, | |
], | |
on_success: processor_chain([ | |
dup171, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("716039:01"), | |
}), | |
dup18, | |
dup17, | |
dup106, | |
dup19, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Session connection rejected"), | |
}), | |
]), | |
}); | |
// Both 716039 layouts; all91 is listed before all92.
var select89 = linear_select([ | |
all91, | |
all92, | |
]); | |
// Message 305002: address translation built. The "gaddr" value is stored as
// hostip and the "laddr" value as daddr. On success sets msg_id1 to "305002"
// and a constant event_description.
var msg356 = match({ | |
id: "MESSAGE#363:305002", | |
dissect: { | |
tokenizer: "Translation built for gaddr %{hostip->} to laddr %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("305002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Translation built"), | |
}), | |
]), | |
}); | |
// Message 603103: AAA authentication outcome on a PPP virtual interface.
// Captures interface, username and the outcome text as disposition; the
// outcome is taken from the log line, not set as a constant. On success sets
// msg_id1 to "603103".
var msg357 = match({ | |
id: "MESSAGE#722:603103", | |
dissect: { | |
tokenizer: "PPP virtual interface %{interface->} - user: %{username->} aaa authentication %{disposition->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup83, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("603103"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 611312: the whole payload is stored as event_description; no
// structured fields are extracted. On success sets msg_id1 to "611312".
var msg358 = match({ | |
id: "MESSAGE#768:611312", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611312"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 702204, two layouts built from shared fragments defined outside
// this excerpt. They differ only in the last fragment (dup132 vs dup130) and
// in that the "702204:01" chain also carries dup14.
var all93 = all_match({ | |
processors: [ | |
dup246, | |
dup247, | |
dup132, | |
], | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702204:01"), | |
}), | |
dup7, | |
dup14, | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
dup248, | |
]), | |
}); | |
var all94 = all_match({ | |
processors: [ | |
dup246, | |
dup247, | |
dup130, | |
], | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702204"), | |
}), | |
dup7, | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
dup248, | |
]), | |
}); | |
// Both 702204 layouts; the ":01" variant is listed first.
var select90 = linear_select([ | |
all93, | |
all94, | |
]); | |
// Message 106101: the whole payload is stored as event_description; no
// structured fields are extracted. On success sets msg_id1 to "106101".
var msg359 = match({ | |
id: "MESSAGE#103:106101", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106101"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 320001: the whole payload is stored as event_description. The
// on_success chain carries dup18, dup17, dup106 and dup19 (shared processors
// defined outside this excerpt) in addition to the usual set, and sets
// msg_id1 to "320001".
var msg360 = match({ | |
id: "MESSAGE#439:320001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup160, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("320001"), | |
}), | |
dup7, | |
dup18, | |
dup17, | |
dup106, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 400051: IDS/IPS signature record. Captures product, signature id
// (sigid), the signature text (context), saddr, daddr and the interface.
// Unlike the sibling 400017 and 400049 parsers, which take their category
// from a shared dupN, this one sets nwparser.eventcategory inline to
// "1001020205". Also sets msg_id1 to "400051".
var msg361 = match({ | |
id: "MESSAGE#548:400051", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1001020205"), | |
}), | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400051"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
// Message 724002: captures group, username and client IP (hostip) from
// angle-bracketed fields, then splits the rest at ". " into event_description
// and result. On success sets msg_id1 to "724002".
// NOTE(review): "\u003c\u003c" evaluates to two "<" characters — confirm the
// tokenizer matches a log line that carries a single "<", otherwise this
// message never parses.
var msg362 = match({ | |
id: "MESSAGE#1182:724002", | |
dissect: { | |
tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{hostip->}> %{event_description->}. %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("724002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 400017: IDS/IPS signature record with the same pattern as 400051
// and 400049 (product, sigid, context, saddr, daddr, dinterface). The
// category comes from dup26, defined outside this excerpt. On success sets
// msg_id1 to "400017".
var msg363 = match({ | |
id: "MESSAGE#514:400017", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400017"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
// Message 415011: HTTP URL length exceeded. Captures sigid, listnum, saddr
// and daddr. On success sets msg_id1 to "415011" and nwparser.context to a
// constant label.
// NOTE(review): the received URL length in bytes is captured into a field
// named "priority" — check downstream mappings before treating that field as
// a severity.
var msg364 = match({ | |
id: "MESSAGE#644:415011", | |
dissect: { | |
tokenizer: "%{sigid->} HTTP URL Length exceeded. Received %{priority->} byte URL - %{listnum->} URI length exceeded from %{saddr->} to %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup206, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("415011"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.context", | |
value: constant("HTTP URL Length exceeded"), | |
}), | |
]), | |
}); | |
// Message 614001: the whole payload is stored as event_description; no
// structured fields are extracted. On success sets msg_id1 to "614001".
var msg365 = match({ | |
id: "MESSAGE#786:614001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("614001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 725002 (SSL handshake completed), first fragment: literal prefix,
// rest captured as p0.
var msg366 = match({ | |
id: "MESSAGE#1187:725002/0", | |
dissect: { | |
tokenizer: "Device completed SSL handshake with %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// msg367-msg369: alternatives over nwparser.p2 for the peer description.
// msg367: two underscore-separated tokens (fld1, fld2) before the source
//         address, then source/destination address and port and the
//         protocol version.
// msg368: the same without the fld1_fld2_ prefix.
// msg369: only an address and port, stored as hostip and network_port.
var msg367 = match({ | |
id: "MESSAGE#1187:725002/3", | |
dissect: { | |
tokenizer: "%{fld1->}_%{fld2->}_%{saddr->}/%{sport->} to %{daddr->}/%{dport->} for %{version->} session ", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg368 = match({ | |
id: "MESSAGE#1187:725002/3", | |
dissect: { | |
tokenizer: "%{saddr->}/%{sport->} to %{daddr->}/%{dport->} for %{version->} session ", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg369 = match({ | |
id: "MESSAGE#1187:725002/3", | |
dissect: { | |
tokenizer: "%{hostip->}/%{network_port->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select91 = linear_select([ | |
msg367, | |
msg368, | |
msg369, | |
]); | |
// Full 725002 parser. dup92 and dup249 are defined outside this excerpt.
// Note that the peer lands in different fields depending on which alternative
// matched (saddr/sport vs hostip/network_port), so queries on the handshake
// peer need to cover both. The chain uses dup35 where most sibling chains use
// dup3. On success sets msg_id1 to "725002" and a constant event_description.
var all95 = all_match({ | |
processors: [ | |
msg366, | |
dup92, | |
dup249, | |
select91, | |
], | |
on_success: processor_chain([ | |
dup250, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725002"), | |
}), | |
dup11, | |
dup43, | |
dup40, | |
dup2, | |
dup35, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Device completed SSL handshake"), | |
}), | |
]), | |
}); | |
// Message 201004 (connection limit reached), layout tagged "201004:01".
// First fragment: captures the protocol; the text after "connections on " is
// handed on as p0.
var msg370 = match({ | |
id: "MESSAGE#219:201004:01/0", | |
dissect: { | |
tokenizer: "Too many %{protocol->} connections on %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Last fragment, read from nwparser.p1: the affected address (hostip)
// followed by "!" and trailing text (fld1).
var msg371 = match({ | |
id: "MESSAGE#219:201004:01/2", | |
dissect: { | |
tokenizer: "%{->} %{hostip->}! %{fld1->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full "201004:01" parser; dup251 (between the fragments) is defined outside
// this excerpt.
var all96 = all_match({ | |
processors: [ | |
msg370, | |
dup251, | |
msg371, | |
], | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("201004:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 201004, single-pattern layout.
// NOTE(review): the pattern contains the literal word "STRING", which looks
// like a placeholder copied from a message template; if real log lines carry
// a value there instead, this alternative will not match — confirm against
// sample logs.
var msg372 = match({ | |
id: "MESSAGE#220:201004", | |
dissect: { | |
tokenizer: "Too many embryonic connections on STRING %{hostip->} %{fld1->}/%{fld2->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("201004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Both 201004 layouts; all96 is listed before msg372.
var select92 = linear_select([ | |
all96, | |
msg372, | |
]); | |
// Message 315003 (failed SSH login), first layout: " on (" between the
// source address and the attempt count. Captures saddr, the attempt count
// (fld1) and the interface; the text after "by user " is handed on as p0.
var msg373 = match({ | |
id: "MESSAGE#415:315003/0", | |
dissect: { | |
tokenizer: "SSH login session failed from %{saddr->} on (%{fld1->} attempts) on interface %{interface->} by user %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Full parser for the first layout. dup238 and dup252 are defined outside
// this excerpt (dup238 presumably extracts the user name from p0 — confirm).
// The attempt count stays in the generic field fld1 unless one of the shared
// processors copies it elsewhere.
var all97 = all_match({ | |
processors: [ | |
msg373, | |
dup238, | |
], | |
on_success: processor_chain([ | |
dup84, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("315003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup252, | |
]), | |
}); | |
// Second layout ("315003:01"): the attempt count follows the source address
// directly, with no " on " in between.
var msg374 = match({ | |
id: "MESSAGE#416:315003:01/0", | |
dissect: { | |
tokenizer: "SSH login session failed from %{saddr->}(%{fld1->} attempts) on interface %{interface->} by user %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Full parser for the second layout. It post-processes p0 with dup187 where
// the first layout uses dup238; both are defined outside this excerpt.
var all98 = all_match({ | |
processors: [ | |
msg374, | |
dup187, | |
], | |
on_success: processor_chain([ | |
dup84, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("315003:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup252, | |
]), | |
}); | |
// Both failed-SSH-login layouts. Detections for repeated login failures
// should match msg_id1 "315003" and "315003:01".
var select93 = linear_select([ | |
all97, | |
all98, | |
]); | |
// Message 323001: control-channel communication failure for a module. The
// slot is captured as fld1. On success sets msg_id1 to "323001".
var msg375 = match({ | |
id: "MESSAGE#449:323001", | |
dissect: { | |
tokenizer: "Module in slot %{fld1->} experienced a control channel communication failure", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup49, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("323001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 324000 (GTP message dropped), first fragment: literal "Drop GTP",
// rest captured as p0.
var msg376 = match({ | |
id: "MESSAGE#453:324000/0", | |
dissect: { | |
tokenizer: "Drop GTP%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Expects a literal "v" next; the rest is captured as p1.
var msg377 = match({ | |
id: "MESSAGE#453:324000/2", | |
dissect: { | |
tokenizer: "v%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// A select with a single alternative, as generated.
var select94 = linear_select([ | |
msg377, | |
]); | |
// Remainder, read from nwparser.p1: message kind (misc), fld1, the source
// and destination interface/address/port triples and the drop reason
// (result).
var msg378 = match({ | |
id: "MESSAGE#453:324000/2", | |
dissect: { | |
tokenizer: "%{->} %{misc->} message %{fld1->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} Reason: %{result->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full 324000 parser; on success sets msg_id1 to "324000" and a constant
// event_description ("Drop GTPv", without a version number).
var all99 = all_match({ | |
processors: [ | |
msg376, | |
select94, | |
msg378, | |
], | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("324000"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Drop GTPv"), | |
}), | |
]), | |
}); | |
// Message 752010: fixed text, no named captures. On success sets msg_id1 to
// "752010". The shared processors appear as dup4, dup5, dup2, dup3 here,
// a different order from most sibling chains.
var msg379 = match({ | |
id: "MESSAGE#1273:752010", | |
dissect: { | |
tokenizer: "IKEv2 Doesn't have a proposal specified%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("752010"), | |
}), | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
]), | |
}); | |
// Message 747016: split cluster detected. The unit names are captured into
// the generic fields fld1-fld4. On success sets msg_id1 to "747016" and a
// constant event_description.
// NOTE(review): this chain has dup2, dup3 and dup5 but no dup4, unlike most
// sibling chains — confirm the omission is intended by the generator.
var msg380 = match({ | |
id: "MESSAGE#1310:747016", | |
dissect: { | |
tokenizer: "Clustering: Found a split cluster with both %{fld1->} and %{fld2->} as master units. Master role retained by %{fld3->}, %{fld4->} will leave then join as a slave", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("747016"), | |
}), | |
dup2, | |
dup3, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Found a split cluster"), | |
}), | |
]), | |
}); | |
// Message 611102 (user authentication failed), layout that starts with the
// user name: the text after "Uname: " is handed on as p0.
var msg381 = match({ | |
id: "MESSAGE#754:611102/0", | |
dissect: { | |
tokenizer: "User authentication failed: Uname: %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Full parser for the "Uname:" layout. dup238 is defined outside this
// excerpt (presumably it extracts the user name from p0 — confirm). No source
// address is captured by the visible pattern. On success sets msg_id1 to
// "611102".
var all100 = all_match({ | |
processors: [ | |
msg381, | |
dup238, | |
], | |
on_success: processor_chain([ | |
dup84, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611102"), | |
}), | |
dup7, | |
dup18, | |
dup17, | |
dup106, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup253, | |
]), | |
}); | |
// Layout that starts with the client address ("611102:01"): the text after
// "IP address: " is handed on as p0.
var msg382 = match({ | |
id: "MESSAGE#1299:611102:01/0", | |
dissect: { | |
tokenizer: "User authentication failed: IP address: %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// msg383 / msg384: alternatives over nwparser.p0 — address followed by
// ", Uname: <username>", or the address alone.
var msg383 = match({ | |
id: "MESSAGE#1299:611102:01/1", | |
dissect: { | |
tokenizer: "%{saddr->}, Uname: %{username->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg384 = match({ | |
id: "MESSAGE#1299:611102:01/1", | |
dissect: { | |
tokenizer: "%{saddr->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select95 = linear_select([ | |
msg383, | |
msg384, | |
]); | |
// Full parser for the "IP address:" layout. When msg384 is the alternative
// that matched, the event carries no username, so per-user failure counts
// built on this message can under-count.
var all101 = all_match({ | |
processors: [ | |
msg382, | |
select95, | |
], | |
on_success: processor_chain([ | |
dup84, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611102:01"), | |
}), | |
dup7, | |
dup18, | |
dup17, | |
dup106, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup253, | |
]), | |
}); | |
// Both 611102 layouts; all100 is listed before all101.
var select96 = linear_select([ | |
all100, | |
all101, | |
]); | |
// Message 725010 (supported cipher list), first fragment: fld1 holds the text
// between "following" and "cipher(s)"; the rest is captured as p0.
var msg385 = match({ | |
id: "MESSAGE#1198:725010/0", | |
dissect: { | |
tokenizer: "Device supports the following %{fld1->} cipher(s)%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Full 725010 parser; dup254 and dup255 are defined outside this excerpt.
// On success sets msg_id1 to "725010".
var all102 = all_match({ | |
processors: [ | |
msg385, | |
dup254, | |
dup255, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725010"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 108005, layout tagged "108005:01": SMTP connection exhaustion.
// Captures saddr and sport and sets a constant event_description.
var msg386 = match({ | |
id: "MESSAGE#119:108005:01", | |
dissect: { | |
tokenizer: "Out of SMTP connections! %{saddr->}/%{sport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("108005:01"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Out of SMTP connections"), | |
}), | |
]), | |
}); | |
// Message 108005, ESMTP request layout: captures network_service, the source
// and destination interface/address/port triples and the text after ";" as
// result.
var msg387 = match({ | |
id: "MESSAGE#120:108005", | |
dissect: { | |
tokenizer: "%{network_service->}: Received ESMTP Request from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}; %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup256, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("108005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Received ESMTP request"), | |
}), | |
]), | |
}); | |
// Both 108005 layouts; msg386 is listed before msg387.
var select97 = linear_select([ | |
msg386, | |
msg387, | |
]); | |
// Message 318005: routing record. Every value except protocol is captured
// into a generic field (fld1-fld9), in the order the keywords appear in the
// pattern. On success sets msg_id1 to "318005".
var msg388 = match({ | |
id: "MESSAGE#432:318005", | |
dissect: { | |
tokenizer: "lsid %{fld1->} adv %{fld2->} type %{fld3->} gateway %{fld4->} metric %{fld5->} network %{fld6->} mask %{fld7->} protocol %{protocol->} attr %{fld8->} net-metric %{fld9->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("318005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 400049: IDS/IPS signature record with the same pattern as 400017
// and 400051 (product, sigid, context, saddr, daddr, dinterface). The
// category comes from dup74, defined outside this excerpt. On success sets
// msg_id1 to "400049".
var msg389 = match({ | |
id: "MESSAGE#546:400049", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup74, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400049"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
// Message 418001: through-the-device packet to or from a management-only
// network was denied. Four layouts follow; select99 at the end lists them.
//
// Layout "418001:02" — ICMP: captures the source and destination
// interface:address pairs plus ICMP type and code.
var msg390 = match({ | |
id: "MESSAGE#649:418001:02", | |
dissect: { | |
tokenizer: "Through-the-device packet to/from management-only network is denied: icmp src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} (type %{icmptype->}, code %{icmpcode->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("418001:02"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup257, | |
dup258, | |
dup259, | |
]), | |
}); | |
// Layout "418001:03" — "protocol <protocol>" form: no ports in the pattern.
var msg391 = match({ | |
id: "MESSAGE#650:418001:03", | |
dissect: { | |
tokenizer: "Through-the-device packet to/from management-only network is denied: protocol %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("418001:03"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup257, | |
dup258, | |
]), | |
}); | |
// Layout "418001:01" — "<protocol> src ... dst ..." form, first fragment.
var msg392 = match({ | |
id: "MESSAGE#651:418001:01/0", | |
dissect: { | |
tokenizer: "Through-the-device packet to/from management-only network is denied: %{protocol->} src %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// msg393 / msg394: alternatives over nwparser.p0 for the source part, with or
// without a parenthesised domain\username identity after the port.
var msg393 = match({ | |
id: "MESSAGE#651:418001:01/2", | |
dissect: { | |
tokenizer: "%{sinterface->}:%{saddr->}/%{sport->} (%{domain->}\\%{username->}) dst %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg394 = match({ | |
id: "MESSAGE#651:418001:01/2", | |
dissect: { | |
tokenizer: "%{sinterface->}:%{saddr->}/%{sport->} dst %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select98 = linear_select([ | |
msg393, | |
msg394, | |
]); | |
// Full "418001:01" parser; dup260 (defined outside this excerpt) handles the
// destination part left in p1.
var all103 = all_match({ | |
processors: [ | |
msg392, | |
select98, | |
dup260, | |
], | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("418001:01"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup261, | |
dup258, | |
]), | |
}); | |
// Layout "418001" — "from <if> <addr> (<port>) to <if> <addr> (<port>)" form.
var msg395 = match({ | |
id: "MESSAGE#652:418001", | |
dissect: { | |
tokenizer: "Through-the-device packet to/from management-only network is denied: %{protocol->} from %{sinterface->} %{saddr->} (%{sport->}) to %{dinterface->} %{daddr->} (%{dport->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("418001"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup261, | |
dup258, | |
]), | |
}); | |
// All four 418001 layouts, more specific literals (icmp, protocol) first.
// A detection on management-network denies should match every msg_id1 value
// set above: "418001", "418001:01", "418001:02" and "418001:03".
var select99 = linear_select([ | |
msg390, | |
msg391, | |
all103, | |
msg395, | |
]); | |
// Message 106007: connection denied for a DNS-related reason. Captures the
// direction, protocol, source and destination address/port and the text
// after "due to DNS " as info. On success sets msg_id1 to "106007".
var msg396 = match({ | |
id: "MESSAGE#64:106007", | |
dissect: { | |
tokenizer: "Deny %{direction->} %{protocol->} from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} due to DNS %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106007"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
]), | |
}); | |
// Message 307002: the text before " session from " is captured as result and
// the peer address as saddr. On success sets msg_id1 to "307002".
var msg397 = match({ | |
id: "MESSAGE#392:307002", | |
dissect: { | |
tokenizer: "%{result->} session from %{saddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup105, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("307002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 315004 (SSH session could not be established because the RSA host
// key could not be retrieved), first fragment: literal prefix, rest captured
// as p0.
var msg398 = match({ | |
id: "MESSAGE#417:315004/0", | |
dissect: { | |
tokenizer: "Fail to establish SSH session because%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// msg399 / msg400: alternatives over nwparser.p0 — the reason text with or
// without the "PIX " prefix. Neither captures a data field other than the
// leading whitespace (space) in msg400.
var msg399 = match({ | |
id: "MESSAGE#417:315004/1", | |
dissect: { | |
tokenizer: "%{->}PIX RSA host key retrieval failed.", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg400 = match({ | |
id: "MESSAGE#417:315004/1", | |
dissect: { | |
tokenizer: "%{space->}RSA host key retrieval failed.", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select100 = linear_select([ | |
msg399, | |
msg400, | |
]); | |
// Full 315004 parser; on success sets msg_id1 to "315004". No peer address
// is extracted, so the event identifies the device but not the client.
var all104 = all_match({ | |
processors: [ | |
msg398, | |
select100, | |
], | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("315004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 715034: captures the peer address (saddr) and the rest of the line
// as info. On success sets msg_id1 to "715034".
var msg401 = match({ | |
id: "MESSAGE#1006:715034", | |
dissect: { | |
tokenizer: "IP = %{saddr->}, %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715034"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 111010 (command executed by a user). The first fragment is dup262,
// defined outside this excerpt.
// msg402 / msg403: alternatives over nwparser.p0 for a quoted or bare user
// name; the text after "running '" is handed on as p1.
var msg402 = match({ | |
id: "MESSAGE#174:111010/2", | |
dissect: { | |
tokenizer: "'%{username->}' , running '%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg403 = match({ | |
id: "MESSAGE#174:111010/2", | |
dissect: { | |
tokenizer: "%{username->} , running '%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select101 = linear_select([ | |
msg402, | |
msg403, | |
]); | |
// Remainder, read from nwparser.p1: the running context (fld1), the client
// address (saddr) and the executed command text, stored as action.
var msg404 = match({ | |
id: "MESSAGE#174:111010/2", | |
dissect: { | |
tokenizer: "%{fld1->}' from IP %{saddr->}, executed '%{action->}'", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full 111010 parser; on success sets msg_id1 to "111010" and a constant
// event_description.
// NOTE(review): action holds the literal command line as logged. Depending on
// the device configuration this may include sensitive arguments; consider
// access controls or masking on the index that stores it — confirm against
// sample logs.
var all105 = all_match({ | |
processors: [ | |
dup262, | |
select101, | |
msg404, | |
], | |
on_success: processor_chain([ | |
dup263, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("111010"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("User executed cmd"), | |
}), | |
]), | |
}); | |
// Message 502103 (user privilege level changed), first fragment: the text
// after "Uname: " is handed on as p0.
var msg405 = match({ | |
id: "MESSAGE#682:502103/0", | |
dissect: { | |
tokenizer: "User priv level changed: Uname: %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// msg406 / msg407: alternatives over nwparser.p0 for a quoted or bare user
// name; the text after "From: " is handed on as p1.
var msg406 = match({ | |
id: "MESSAGE#682:502103/2", | |
dissect: { | |
tokenizer: "'%{username->}' From: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg407 = match({ | |
id: "MESSAGE#682:502103/2", | |
dissect: { | |
tokenizer: "%{username->} From: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select102 = linear_select([ | |
msg406, | |
msg407, | |
]); | |
// Old level (fld1) and new level (fld2), read from nwparser.p1.
var msg408 = match({ | |
id: "MESSAGE#682:502103/2", | |
dissect: { | |
tokenizer: "%{fld1->} To: %{fld2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full 502103 parser. Sets eventcategory to "1402020300", msg_id1 to
// "502103" and nwparser.result to a constant label.
// NOTE(review): the old and new privilege levels are only visible here in the
// generic fields fld1 and fld2; a rule that alerts on escalation has to
// compare those unless one of the shared processors (dup17, dup13, dup217)
// maps them to named fields — confirm at their definitions.
var all106 = all_match({ | |
processors: [ | |
msg405, | |
select102, | |
msg408, | |
], | |
on_success: processor_chain([ | |
set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1402020300"), | |
}), | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("502103"), | |
}), | |
dup17, | |
dup13, | |
dup217, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("User priv level change"), | |
}), | |
]), | |
}); | |
// Message 199015: splits nwparser.payload into five generic fields
// (fld1..fld5, the last three separated by ':'), then saddr and info.
// NOTE(review): the success chain runs dup3..dup5 but not dup2, which most
// other messages in this section include (dup2 writes nwparser.level per its
// definition at the top of the file); confirm the omission is intended.
var msg409 = match({ | |
id: "MESSAGE#1313:199015", | |
dissect: { | |
tokenizer: "%{fld1->} %{fld2->} %{fld3->}:%{fld4->}:%{fld5->} %{saddr->} %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup264, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("199015"), | |
}), | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 105038: takes the parenthesised prefix of nwparser.payload as
// context and the rest as event_description, then records msg_id1 = "105038".
var msg410 = match({ | |
id: "MESSAGE#47:105038", | |
dissect: { | |
tokenizer: "(%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup75, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105038"), | |
}), | |
dup38, | |
dup39, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 338204 ("...filter dropped greylisted ... traffic"). msg411 parses
// nwparser.p1 after dup183 and dup184 (defined elsewhere) have consumed the
// start of the record; the tokenizer begins mid-word ("ilter"), so the leading
// letter is presumably handled by those earlier parts - TODO confirm.
// Extracted: protocol, source and destination interface/address/port, the
// translated address/port pairs in parentheses, fld1 (destination), fld2 (the
// list the name was resolved from), web_domain, and the device's threat-level
// and category, which are stored in severity and result respectively.
var msg411 = match({ | |
id: "MESSAGE#486:338204/2", | |
dissect: { | |
tokenizer: "ilter dropped greylisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), destination %{fld1->} resolved from %{fld2->} list:%{web_domain->} threat-level: %{severity->}, category: %{result->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all107 = all_match({ | |
processors: [ | |
dup183, | |
dup184, | |
msg411, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338204"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 604104: no structured extraction; the whole nwparser.payload is
// stored as event_description and msg_id1 is set to "604104".
var msg412 = match({ | |
id: "MESSAGE#732:604104", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("604104"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 737017 (event_description "DHCP request attempt succeeded"). dup53
// and dup265 (defined elsewhere) parse the start of the record; msg413 reads
// the attempt number from nwparser.p1 into dclass_counter1.
var msg413 = match({ | |
id: "MESSAGE#1243:737017/2", | |
dissect: { | |
tokenizer: "%{->}DHCP request attempt %{dclass_counter1->} succeeded", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all108 = all_match({ | |
processors: [ | |
dup53, | |
dup265, | |
msg413, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737017"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("DHCP request attempt succeeded"), | |
}), | |
]), | |
}); | |
// Message 403107: extracts the PPP virtual interface name (interface) from a
// record reporting missing AAA server group information, then records
// msg_id1 = "403107".
var msg414 = match({ | |
id: "MESSAGE#575:403107", | |
dissect: { | |
tokenizer: "PPP virtual interface %{interface->} missing aaa server group info", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("403107"), | |
}), | |
dup38, | |
dup39, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 411005 (misc "Interface experienced a hardware transmit hang").
// dup44 and dup266 (defined elsewhere) parse the start of the record; the
// tokenizer here begins mid-word ("nterface"), so the leading letter is
// presumably consumed by those parts - TODO confirm. msg415 extracts the
// interface name and the trailing sentence (result) from nwparser.p1.
var msg415 = match({ | |
id: "MESSAGE#625:411005/2", | |
dissect: { | |
tokenizer: "nterface %{interface->} experienced a hardware transmit hang. %{result->}.", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all109 = all_match({ | |
processors: [ | |
dup44, | |
dup266, | |
msg415, | |
], | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("411005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.misc", | |
value: constant("Interface experienced a hardware transmit hang"), | |
}), | |
]), | |
}); | |
// Message 713145: extracts group, username, saddr and the trailing text
// (result) from a "Detected Hardware Client in network extension mode" record
// and sets a fixed event_description.
var msg416 = match({ | |
id: "MESSAGE#907:713145", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, Detected Hardware Client in network extension mode, %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713145"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Detected Hardware Client in network extension mode"), | |
}), | |
]), | |
}); | |
// Message 751014: extracts local and remote address/port, username, a severity
// token, the attribute name (obj_name) and the error text (result) from a
// record about a Configuration Payload request that could not be processed.
var msg417 = match({ | |
id: "MESSAGE#1269:751014", | |
dissect: { | |
tokenizer: "Local:%{saddr->}:%{sport->} Remote:%{daddr->}:%{dport->} Username:%{username->} %{severity->} Configuration Payload request for attribute %{obj_name->} could not be processed. Error: %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("751014"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Configuration Payload request for attribute could not be processed"), | |
}), | |
]), | |
}); | |
// Message 317004: no structured extraction; the whole payload becomes
// event_description and msg_id1 is set to "317004".
var msg418 = match({ | |
id: "MESSAGE#426:317004", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("317004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 722027. The head of the record is parsed by four shared parts
// (dup77, dup182, dup267, dup268 - defined elsewhere); msg419 only checks that
// nwparser.p3 starts with the fixed text "SVC decompression history reset"
// and captures nothing by name.
var msg419 = match({ | |
id: "MESSAGE#1163:722027/4", | |
dissect: { | |
tokenizer: "SVC decompression history reset%{->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var all110 = all_match({ | |
processors: [ | |
dup77, | |
dup182, | |
dup267, | |
dup268, | |
msg419, | |
], | |
on_success: processor_chain([ | |
dup34, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722027"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 611305: matches the fixed prefix "VPNClient: DHCP Policy installed:"
// and discards the rest of the payload (unnamed capture); descriptive fields
// come from the shared processors, including dup269 (defined elsewhere).
var msg420 = match({ | |
id: "MESSAGE#761:611305", | |
dissect: { | |
tokenizer: "VPNClient: DHCP Policy installed:%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup126, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611305"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup269, | |
]), | |
}); | |
// Message 735011: reads the power-supply number into dclass_counter1 and sets
// event_description to "Power Supply Fan OK". The shared processors run in the
// order dup4, dup5, dup2, dup3 here, unlike most messages in this section.
var msg421 = match({ | |
id: "MESSAGE#1225:735011", | |
dissect: { | |
tokenizer: "Power Supply %{dclass_counter1->}: Fan OK", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("735011"), | |
}), | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Power Supply Fan OK"), | |
}), | |
]), | |
}); | |
// Message 746014: extracts the FQDN (domain) and the address marked obsolete
// (hostip) from a user-identity record.
var msg422 = match({ | |
id: "MESSAGE#1285:746014", | |
dissect: { | |
tokenizer: "user-identity: [FQDN] %{domain->} address %{hostip->} obsolete", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup24, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("746014"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 709003: no structured extraction; the whole payload becomes
// event_description.
var msg423 = match({ | |
id: "MESSAGE#836:709003", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("709003"), | |
}), | |
dup38, | |
dup39, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 713129: extracts group, saddr, the text before "payload type:"
// (action) and the payload type itself, which goes to the generic field fld1.
var msg424 = match({ | |
id: "MESSAGE#895:713129", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{action->} payload type: %{fld1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713129"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 722023. Seven parts are chained: four shared head parsers (dup77,
// dup182, dup267, dup268), msg425 matching "SVC connection terminated with"
// on nwparser.p3, dup270 (defined elsewhere, presumably the with/without
// alternatives - TODO confirm), and msg426 matching the closing word
// "compression" on nwparser.p5. Neither local matcher stores a named field
// other than the hand-off field p4.
var msg425 = match({ | |
id: "MESSAGE#1161:722023/4", | |
dissect: { | |
tokenizer: "SVC connection terminated with%{p4->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var msg426 = match({ | |
id: "MESSAGE#1161:722023/6", | |
dissect: { | |
tokenizer: "%{->}compression", | |
field: "nwparser.p5", | |
}, | |
}); | |
var all111 = all_match({ | |
processors: [ | |
dup77, | |
dup182, | |
dup267, | |
dup268, | |
msg425, | |
dup270, | |
msg426, | |
], | |
on_success: processor_chain([ | |
dup34, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722023"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 734001. dup211 and dup212 (defined elsewhere) parse the start of the
// record; msg427 splits nwparser.p1 at the first ", " into hostip and result.
var msg427 = match({ | |
id: "MESSAGE#1214:734001/2", | |
dissect: { | |
tokenizer: "%{hostip->}, %{result->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all112 = all_match({ | |
processors: [ | |
dup211, | |
dup212, | |
msg427, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("734001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 212001: extracts protocol, UDP port (network_port), interface and
// the numeric error code (resultcode) from an "Unable to open ... channel"
// record.
var msg428 = match({ | |
id: "MESSAGE#254:212001", | |
dissect: { | |
tokenizer: "Unable to open %{protocol->} channel (UDP port %{network_port->}) on interface %{interface->}, error code = %{resultcode->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup75, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("212001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 614002: no structured extraction; the whole payload becomes
// event_description.
var msg429 = match({ | |
id: "MESSAGE#787:614002", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("614002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 710006 ("... request discarded"): extracts protocol, saddr, the
// destination interface and daddr. No ports are captured by this pattern.
var msg430 = match({ | |
id: "MESSAGE#847:710006", | |
dissect: { | |
tokenizer: "%{protocol->} request discarded from %{saddr->} to %{dinterface->}:%{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("710006"), | |
}), | |
dup42, | |
dup43, | |
dup99, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup271, | |
]), | |
}); | |
// Message 715068: extracts group and saddr; the remaining text becomes
// event_description.
var msg431 = match({ | |
id: "MESSAGE#1039:715068", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup166, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715068"), | |
}), | |
dup7, | |
dup13, | |
dup38, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup245, | |
]), | |
}); | |
// Message 101003: takes the parenthesised prefix as context and the text that
// follows it (no separating space in the pattern) as event_description.
var msg432 = match({ | |
id: "MESSAGE#2:101003", | |
dissect: { | |
tokenizer: "(%{context->})%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup49, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("101003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 109018 (result "ACL is empty"). dup96 (defined elsewhere) parses the
// start of the record; select103 then reads the access-list name from
// nwparser.p0 into listnum, accepting a quoted form (msg433) or an unquoted
// form (msg434). Both alternatives share the id "MESSAGE#142:109018/1".
var msg433 = match({ | |
id: "MESSAGE#142:109018/1", | |
dissect: { | |
tokenizer: "'%{listnum->}' is empty", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg434 = match({ | |
id: "MESSAGE#142:109018/1", | |
dissect: { | |
tokenizer: "%{listnum->} is empty", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select103 = linear_select([ | |
msg433, | |
msg434, | |
]); | |
var all113 = all_match({ | |
processors: [ | |
dup96, | |
select103, | |
], | |
on_success: processor_chain([ | |
dup6, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109018"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("ACL is empty"), | |
}), | |
]), | |
}); | |
// Message 505006: no structured extraction; the whole payload becomes
// event_description and msg_id1 is set to "505006".
var msg435 = match({ | |
id: "MESSAGE#695:505006", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup272, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("505006"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 715021. Built entirely from shared parts (dup79, dup273, dup33 -
// defined elsewhere), so the extracted fields cannot be read off this block;
// only msg_id1 = "715021" and the shared post-processors are visible here.
var all114 = all_match({ | |
processors: [ | |
dup79, | |
dup273, | |
dup33, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715021"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 106027 ("Deny ... by access-group"). msg436 extracts protocol and
// the source/destination interface and address from nwparser.payload and
// hands the access-group portion to dup274 (defined elsewhere) through p0.
// No ports are captured by this pattern.
var msg436 = match({ | |
id: "MESSAGE#96:106027/0", | |
dissect: { | |
tokenizer: "Deny %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} by access-group %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var all115 = all_match({ | |
processors: [ | |
msg436, | |
dup274, | |
], | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106027"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup275, | |
dup27, | |
]), | |
}); | |
// Message 305013 ("denied due to NAT reverse path failure"), three variants
// collected in select105:
//   all116  - form with ports: msg437 reads result, protocol, source interface
//             and saddr; select104 (dup276/dup277, defined elsewhere) handles
//             the part after the '/'; msg438 reads destination interface,
//             daddr and dport.
//   msg439  - form with "(type ..., code ...)", stored in icmptype/icmpcode.
//   msg440  - form introduced by the word "protocol", without ports.
// NOTE(review): all116 runs dup35 where msg439 and msg440 run dup3 in the same
// position; confirm the difference is intended.
var msg437 = match({ | |
id: "MESSAGE#385:305013/0", | |
dissect: { | |
tokenizer: "%{result->}; Connection for %{protocol->} src %{sinterface->}:%{saddr->}/%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var select104 = linear_select([ | |
dup276, | |
dup277, | |
]); | |
var msg438 = match({ | |
id: "MESSAGE#385:305013/2", | |
dissect: { | |
tokenizer: "%{dinterface->}:%{daddr->}/%{dport->} denied due to NAT reverse path failure", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all116 = all_match({ | |
processors: [ | |
msg437, | |
select104, | |
msg438, | |
], | |
on_success: processor_chain([ | |
dup24, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("305013"), | |
}), | |
dup2, | |
dup35, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
dup278, | |
]), | |
}); | |
var msg439 = match({ | |
id: "MESSAGE#386:305013:01", | |
dissect: { | |
tokenizer: "%{result->}; Connection for %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} (type %{icmptype->}, code %{icmpcode->}) denied due to NAT reverse path failure", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup24, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("305013:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
dup278, | |
]), | |
}); | |
var msg440 = match({ | |
id: "MESSAGE#388:305013:02", | |
dissect: { | |
tokenizer: "%{result->}; Connection for protocol %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} denied due to NAT reverse path failure", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup24, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("305013:02"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
dup278, | |
]), | |
}); | |
// Variant order: ported form first, then the type/code form, then the
// "protocol" form.
var select105 = linear_select([ | |
all116, | |
msg439, | |
msg440, | |
]); | |
// Message 617004 (event_description "GTP connection created"): extracts the
// source and destination interface, address and port of the response that
// created the connection.
var msg441 = match({ | |
id: "MESSAGE#796:617004", | |
dissect: { | |
tokenizer: "GTP connection created for response from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("617004"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("GTP connection created"), | |
}), | |
]), | |
}); | |
// Message 713141: extracts saddr, then splits the remaining text at ": " into
// event_description and info.
var msg442 = match({ | |
id: "MESSAGE#905:713141", | |
dissect: { | |
tokenizer: "IP = %{saddr->}, %{event_description->}: %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713141"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 401004 (event_description "Packet dropped"). dup162 and dup279
// (defined elsewhere) parse the start of the record; msg443 extracts saddr,
// daddr and the interface from the "packet: A ==> B on interface X" tail in
// nwparser.p1. No protocol or ports are captured by this pattern.
var msg443 = match({ | |
id: "MESSAGE#552:401004/2", | |
dissect: { | |
tokenizer: "%{->}packet: %{saddr->} ==> %{daddr->} on interface %{interface->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all117 = all_match({ | |
processors: [ | |
dup162, | |
dup279, | |
msg443, | |
], | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("401004"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Packet dropped"), | |
}), | |
]), | |
}); | |
// Message 402130 (result "Received an ESP packet with incorrect IPsec
// padding"): extracts the SPI (dst_spi), saddr, username and daddr. The
// sequence number and the padding detail go to the generic fields fld2 and
// fld3, so they are only reachable under those names unless a shared
// processor maps them - TODO confirm.
var msg444 = match({ | |
id: "MESSAGE#569:402130", | |
dissect: { | |
tokenizer: "CRYPTO: Received an ESP packet (SPI = %{dst_spi->}, sequence number= %{fld2->}) from %{saddr->} (user= %{username->}) to %{daddr->} with incorrect IPsec padding. (padding: %{fld3->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup49, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("402130"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("Received an ESP packet with incorrect IPsec padding"), | |
}), | |
]), | |
}); | |
// Message 713235, two variants collected in select106:
//   all118 - dup22 and dup23 (defined elsewhere) parse the start; msg445 reads
//            saddr, event_description and a trailing fld1 from nwparser.p1.
//   msg446 - "Group = ..., IP = ..." form; the same text position is stored in
//            action rather than event_description.
var msg445 = match({ | |
id: "MESSAGE#944:713235/2", | |
dissect: { | |
tokenizer: "%{saddr->}, %{event_description->}. %{fld1->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all118 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
msg445, | |
], | |
on_success: processor_chain([ | |
dup50, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713235"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg446 = match({ | |
id: "MESSAGE#945:713235:01", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{action->}. %{fld1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup50, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713235:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var select106 = linear_select([ | |
all118, | |
msg446, | |
]); | |
// Message 720055: takes the text after "(VPN-" up to ")" as context and the
// rest of the payload as event_description.
var msg447 = match({ | |
id: "MESSAGE#1141:720055", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720055"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 303004 (event_description "FTP command unsupported - failed strict
// inspection"): extracts the FTP command (action), the text before "from"
// (result) and the source/destination interface, address and port.
var msg448 = match({ | |
id: "MESSAGE#349:303004", | |
dissect: { | |
tokenizer: "FTP %{action->} command unsupported - failed strict inspection, %{result->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("303004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("FTP command unsupported - failed strict inspection"), | |
}), | |
]), | |
}); | |
// Message 717036: extracts the peer certificate's serial number
// (serial_number) and subject name (cert_subject) from a tunnel-group lookup
// record. cert_subject is the last capture, so it takes the rest of the line.
var msg449 = match({ | |
id: "MESSAGE#1082:717036", | |
dissect: { | |
tokenizer: "Looking for a tunnel group match based on certificate maps for peer certificate with serial number: %{serial_number->}, subject name: %{cert_subject->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("717036"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 714011, two variants collected in select108:
//   all119 - built only from shared parts (dup44, dup280, dup33 - defined
//            elsewhere); records msg_id1 = "714011".
//   all120 - matches "ID_IPV4_ADDR" followed by "_SUBNET", then "ID <value>"
//            with the value stored in fld1; records msg_id1 = "714011:01".
// NOTE(review): select107 lists a single alternative (msg451, "_SUBNET"), so
// all120 appears to accept only the ID_IPV4_ADDR_SUBNET form; confirm that the
// plain ID_IPV4_ADDR form is meant to be handled by all119.
// NOTE(review): msg451 and msg452 share the id "MESSAGE#990:714011:01/2".
var all119 = all_match({ | |
processors: [ | |
dup44, | |
dup280, | |
dup33, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("714011"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg450 = match({ | |
id: "MESSAGE#990:714011:01/0", | |
dissect: { | |
tokenizer: "%{->}ID_IPV4_ADDR%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg451 = match({ | |
id: "MESSAGE#990:714011:01/2", | |
dissect: { | |
tokenizer: "_SUBNET%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select107 = linear_select([ | |
msg451, | |
]); | |
var msg452 = match({ | |
id: "MESSAGE#990:714011:01/2", | |
dissect: { | |
tokenizer: "%{->}ID %{fld1->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all120 = all_match({ | |
processors: [ | |
msg450, | |
select107, | |
msg452, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("714011:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var select108 = linear_select([ | |
all119, | |
all120, | |
]); | |
// Message 302014 (connection teardown), variant 302014:03. dup146 and dup147
// (defined elsewhere) parse the start of the record. msg453 reads the
// destination interface/address/port, the parenthesised "domain\user" pair
// (ddomain, c_username), duration and bytes from nwparser.p1; select109 then
// parses the teardown reason from nwparser.p2 in one of four forms.
// NOTE(review): msg454's tokenizer decodes to two opening angle brackets
// ("\u003c\u003c") but a single closing ">"; confirm this matches the device
// output rather than being an escaping artefact.
// NOTE(review): msg454, msg455 and msg456 share the id
// "MESSAGE#302:302014:03/3".
var msg453 = match({ | |
id: "MESSAGE#302:302014:03/2", | |
dissect: { | |
tokenizer: "%{dinterface->}:%{daddr->}/%{dport->}(%{ddomain->}\\%{c_username->}) duration %{duration->} bytes %{bytes->} %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var msg454 = match({ | |
id: "MESSAGE#302:302014:03/3", | |
dissect: { | |
tokenizer: "\u003c\u003c%{result->}> (%{username->})", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg455 = match({ | |
id: "MESSAGE#302:302014:03/3", | |
dissect: { | |
tokenizer: "%{result->} (%{username->})", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg456 = match({ | |
id: "MESSAGE#302:302014:03/3", | |
dissect: { | |
tokenizer: "(%{result->}) ", | |
field: "nwparser.p2", | |
}, | |
}); | |
// The fourth alternative, dup281, is defined elsewhere.
var select109 = linear_select([ | |
msg454, | |
msg455, | |
msg456, | |
dup281, | |
]); | |
var all121 = all_match({ | |
processors: [ | |
dup146, | |
dup147, | |
msg453, | |
select109, | |
], | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302014:03"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup148, | |
dup149, | |
]), | |
}); | |
// Teardown variant 302014:02. msg457 parses the whole record head in one
// pattern: protocol, connectionid, source interface/address/port, destination
// interface/address/port with a "domain\user" pair (ddomain, c_username),
// duration and bytes. select110 handles the tail in nwparser.p0, either via
// dup282 (defined elsewhere) or via msg458, which stores it as result.
var msg457 = match({ | |
id: "MESSAGE#303:302014:02/0", | |
dissect: { | |
tokenizer: "Teardown %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}(%{ddomain->}\\%{c_username->}) duration %{duration->} bytes %{bytes->} %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg458 = match({ | |
id: "MESSAGE#303:302014:02/1", | |
dissect: { | |
tokenizer: "%{->} %{result->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select110 = linear_select([ | |
dup282, | |
msg458, | |
]); | |
var all122 = all_match({ | |
processors: [ | |
msg457, | |
select110, | |
], | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302014:02"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup148, | |
dup149, | |
]), | |
}); | |
// Teardown variant 302014:04. dup146 (defined elsewhere) parses the start;
// select111 reads the source address/port from nwparser.p0 in one of three
// forms (dup283, or msg459 with a parenthesised fld3, or msg460 without);
// msg461 reads the destination interface/address/port, a parenthesised fld20,
// duration and bytes from nwparser.p1; dup284 handles the tail.
// NOTE(review): the parenthesised values after the source and destination
// ports go to the generic fields fld3 and fld20 here, whereas variant
// 302014:03 stores the destination one as ddomain/c_username; searches by
// user need to account for both layouts.
// NOTE(review): msg459, msg460 and msg461 share the id
// "MESSAGE#304:302014:04/2".
var msg459 = match({ | |
id: "MESSAGE#304:302014:04/2", | |
dissect: { | |
tokenizer: "%{->} %{saddr->}/%{sport->}(%{fld3->}) to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg460 = match({ | |
id: "MESSAGE#304:302014:04/2", | |
dissect: { | |
tokenizer: "%{saddr->}/%{sport->} to%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select111 = linear_select([ | |
dup283, | |
msg459, | |
msg460, | |
]); | |
var msg461 = match({ | |
id: "MESSAGE#304:302014:04/2", | |
dissect: { | |
tokenizer: "%{->} %{dinterface->}:%{daddr->}/%{dport->}(%{fld20->}) duration %{duration->} bytes %{bytes->} %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all123 = all_match({ | |
processors: [ | |
dup146, | |
select111, | |
msg461, | |
dup284, | |
], | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302014:04"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup148, | |
dup149, | |
]), | |
}); | |
// Teardown variant 302014:05. msg462 parses the record head in one pattern,
// with a parenthesised fld3 after the source port. select112 parses the tail
// in nwparser.p0: msg463 splits it into info and a parenthesised username,
// msg464 stores the whole tail as info.
// NOTE(review): this is the only 302014 variant in this section whose success
// chain omits dup2 (dup2 writes nwparser.level per its definition at the top
// of the file); confirm the omission is intended, since events parsed through
// this variant would otherwise lack that field.
var msg462 = match({ | |
id: "MESSAGE#305:302014:05/0", | |
dissect: { | |
tokenizer: "Teardown %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->}(%{fld3->}) to %{dinterface->}:%{daddr->}/%{dport->} duration %{duration->} bytes %{bytes->} %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg463 = match({ | |
id: "MESSAGE#305:302014:05/1", | |
dissect: { | |
tokenizer: "%{info->} (%{username->})", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg464 = match({ | |
id: "MESSAGE#305:302014:05/1", | |
dissect: { | |
tokenizer: "%{info->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select112 = linear_select([ | |
msg463, | |
msg464, | |
]); | |
var all124 = all_match({ | |
processors: [ | |
msg462, | |
select112, | |
], | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302014:05"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup148, | |
dup149, | |
]), | |
}); | |
// Teardown base variant 302014. dup146 parses the start, select113 picks the
// source part from two shared alternatives (dup283, dup156), msg465 reads the
// destination interface/address/port, duration and bytes from nwparser.p1,
// and dup284 handles the tail. All dup* parts are defined elsewhere.
var select113 = linear_select([ | |
dup283, | |
dup156, | |
]); | |
var msg465 = match({ | |
id: "MESSAGE#306:302014/2", | |
dissect: { | |
tokenizer: "%{dinterface->}:%{daddr->}/%{dport->} duration %{duration->} bytes %{bytes->} %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all125 = all_match({ | |
processors: [ | |
dup146, | |
select113, | |
msg465, | |
dup284, | |
], | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302014"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup148, | |
dup149, | |
]), | |
}); | |
// Teardown variant 302014:01, the faddr/gaddr/laddr layout: faddr is stored
// as saddr/sport, gaddr as hostip/network_port and laddr as daddr/dport,
// followed by duration and bytes. select114 handles the tail through two
// shared alternatives (dup282, dup285 - defined elsewhere).
var msg466 = match({ | |
id: "MESSAGE#307:302014:01/0", | |
dissect: { | |
tokenizer: "Teardown %{protocol->} connection %{connectionid->} faddr %{saddr->}/%{sport->} gaddr %{hostip->}/%{network_port->} laddr %{daddr->}/%{dport->} duration %{duration->} bytes %{bytes->} %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var select114 = linear_select([ | |
dup282, | |
dup285, | |
]); | |
var all126 = all_match({ | |
processors: [ | |
msg466, | |
select114, | |
], | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302014:01"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup148, | |
dup149, | |
]), | |
}); | |
// All six 302014 teardown variants, listed :03, :02, :04, :05, base, :01.
// NOTE(review): if alternatives are tried in list order, the more specific
// patterns need to stay ahead of the looser ones; keep that in mind when
// adding a variant.
var select115 = linear_select([ | |
all121, | |
all122, | |
all123, | |
all124, | |
all125, | |
all126, | |
]); | |
// Message 611304: matches the fixed VPNClient split-tunneling prefix and
// discards the rest of the payload (unnamed capture), so the listed split
// tunnel networks are not stored by this matcher; descriptive fields come from
// the shared processors, including dup286 (defined elsewhere).
var msg467 = match({ | |
id: "MESSAGE#760:611304", | |
dissect: { | |
tokenizer: "VPNClient: NAT exemption configured for Network Extension Mode with split tunneling: Split Tunnel Networks:%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup126, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611304"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup286, | |
]), | |
}); | |
// Message 702211, two variants collected in select116. Both are built only
// from shared parts defined elsewhere and differ in the last part (dup288 for
// "702211:01", dup290 for "702211"); the :01 variant additionally runs dup14.
// The fields extracted cannot be read off this block.
var all127 = all_match({ | |
processors: [ | |
dup287, | |
dup89, | |
dup288, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702211:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup289, | |
dup4, | |
dup5, | |
]), | |
}); | |
var all128 = all_match({ | |
processors: [ | |
dup287, | |
dup89, | |
dup290, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702211"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup289, | |
dup4, | |
dup5, | |
]), | |
}); | |
var select116 = linear_select([ | |
all127, | |
all128, | |
]); | |
// Message 711001: no structured extraction; the whole payload becomes
// event_description.
var msg468 = match({ | |
id: "MESSAGE#849:711001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("711001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 120008 (event_description "Call-Home client activity"): stores the
// text after "Call-Home client " as action. The shared processors run in the
// order dup4, dup5, dup2, dup3 here.
var msg469 = match({ | |
id: "MESSAGE#12:120008", | |
dissect: { | |
tokenizer: "Call-Home client %{action->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("120008"), | |
}), | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Call-Home client activity"), | |
}), | |
]), | |
}); | |
// Message 209001 (event_description "Unable to allocate frag record"):
// extracts source and destination address/port from an IPFRAG record.
var msg470 = match({ | |
id: "MESSAGE#236:209001", | |
dissect: { | |
tokenizer: "IPFRAG: Unable to allocate frag record for %{saddr->}/%{sport->} to %{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("209001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Unable to allocate frag record"), | |
}), | |
]), | |
}); | |
// Message 420004 (event_description "Virtual Sensor added"): extracts the
// sensor name (vsys) and the product it was added on (product).
var msg471 = match({ | |
id: "MESSAGE#659:420004", | |
dissect: { | |
tokenizer: "Virtual Sensor %{vsys->} was added on the %{product->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup163, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("420004"), | |
}), | |
dup164, | |
dup38, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Virtual Sensor added"), | |
}), | |
]), | |
}); | |
// Message 403501: no structured extraction; the whole payload becomes
// event_description.
var msg472 = match({ | |
id: "MESSAGE#580:403501", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("403501"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 718033: extracts the bracketed peer address (daddr). The pattern
// matches "Send ..." while the stored event_description reads "Sent ...".
var msg473 = match({ | |
id: "MESSAGE#1095:718033", | |
dissect: { | |
tokenizer: "Send TOPOLOGY indicator failure to [%{daddr->}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("718033"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Sent TOPOLOGY indicator failure"), | |
}), | |
]), | |
}); | |
// Message 109002 (result "server failed"). msg474 matches up to "Auth ",
// dup254 (defined elsewhere) handles the middle part, and msg475 extracts
// source and destination address/port, the failed server's address (hostip)
// and the interface (sinterface) from nwparser.p1.
// NOTE(review): for authentication-failure detections the address of the
// failing AAA server is in hostip, not daddr; daddr is the connection's
// destination.
var msg474 = match({ | |
id: "MESSAGE#123:109002/0", | |
dissect: { | |
tokenizer: "%{->}Auth %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg475 = match({ | |
id: "MESSAGE#123:109002/2", | |
dissect: { | |
tokenizer: "from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} failed (server %{hostip->} failed) on interface %{sinterface->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all129 = all_match({ | |
processors: [ | |
msg474, | |
dup254, | |
msg475, | |
], | |
on_success: processor_chain([ | |
dup86, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109002"), | |
}), | |
dup18, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup291, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("server failed"), | |
}), | |
]), | |
}); | |
// Message 209004 (event_description "Invalid IP fragment", result "size
// exceeded"): extracts the fragment size, the maximum size, saddr, daddr,
// protocol and the fragment id (fld1).
// NOTE(review): the fragment size and the maximum size are stored in icmptype
// and icmpcode. Those names normally denote ICMP type/code (as in 305013:01),
// so a query or detection that filters on icmptype/icmpcode will also see
// byte counts from this message; scope such rules by msg_id1 or confirm
// whether the mapping should use dedicated fields.
var msg476 = match({ | |
id: "MESSAGE#239:209004", | |
dissect: { | |
tokenizer: "Invalid IP fragment, size = %{icmptype->} exceeds maximum size = %{icmpcode->}: %{space->} src = %{saddr->}, dest = %{daddr->}, proto = %{protocol->}, id = %{fld1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("209004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Invalid IP fragment"), | |
}), | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("size exceeded"), | |
}), | |
]), | |
}); | |
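// Message 316001, first form: a new tunnel was denied because the VPN peer
// limit (fld1) was exceeded. saddr is the peer that was refused.
var msg477 = match({
  id: "MESSAGE#421:316001",
  dissect: {
    tokenizer: "Denied new tunnel to %{saddr->} VPN peer limit (%{fld1->}) exceeded.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("316001"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("denied new VPN tunnel"),
    }),
    set_field({
      dest: "nwparser.result",
      value: constant("VPN peer limit exceeded"),
    }),
  ]),
});
// Message 316001, second form ("Cannot create more isakmp peers ..."), split
// into three parts chained through p0 and p1.
var msg478 = match({
  id: "MESSAGE#422:316001:01/0",
  dissect: {
    tokenizer: "Cannot %{p0->}",
    field: "nwparser.payload",
  },
});
// NOTE(review): msg479, msg480 and msg481 all carry the id
// "MESSAGE#422:316001:01/2", so the id alone does not identify which
// sub-pattern matched.
var msg479 = match({
  id: "MESSAGE#422:316001:01/2",
  dissect: {
    tokenizer: "%{->}create%{p1->}",
    field: "nwparser.p0",
  },
});
var msg480 = match({
  id: "MESSAGE#422:316001:01/2",
  dissect: {
    tokenizer: "creat%{p1->}",
    field: "nwparser.p0",
  },
});
// Alternatives for the verb; presumably tried in the order listed.
var select117 = linear_select([
  msg479,
  msg480,
]);
// Tail of the second form; fld1 is the configured peer limit.
var msg481 = match({
  id: "MESSAGE#422:316001:01/2",
  dissect: {
    tokenizer: "%{->}more isakmp peers, exceeding the limit of %{fld1->} peers",
    field: "nwparser.p1",
  },
});
var all130 = all_match({
  processors: [
    msg478,
    select117,
    msg481,
  ],
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("316001:01"),
    }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("cannot create isakmp peers"),
    }),
    set_field({
      dest: "nwparser.result",
      value: constant("peer limit exceeded"),
    }),
  ]),
});
// Either form of 316001. Both signal peer-limit exhaustion, which is worth
// alerting on as a capacity or availability condition.
var select118 = linear_select([
  msg477,
  all130,
]);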
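// Message 338308: the dynamic filter updater server changed. The previous and
// new values are captured as change_old and change_new, so an unexpected
// change of update source can be reviewed from the parsed event.
var msg482 = match({
  id: "MESSAGE#494:338308",
  dissect: {
    tokenizer: "Dynamic filter updater server dynamically changed from %{change_old->} to %{change_new->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("338308"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Dynamic filter updater server dynamically changed"),
    }),
  ]),
});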
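// Message 717028: a certificate chain was validated successfully.
// Everything after the fixed phrase is kept unparsed in info, so certificate
// details such as subject or serial are not split into their own fields here.
var msg483 = match({
  id: "MESSAGE#1078:717028",
  dissect: {
    tokenizer: "Certificate chain was successfully validated %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup292,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("717028"),
    }),
    dup293,
    dup38,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.result",
      value: constant("Certificate chain successfully validated"),
    }),
  ]),
});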
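// Message 106013, PAT form: an echo request addressed to a PAT address was
// dropped. saddr is the sender, daddr the PAT address.
var msg484 = match({
  id: "MESSAGE#77:106013:01",
  dissect: {
    tokenizer: "Dropping echo request from %{saddr->} to PAT address %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("106013:01"),
    }),
    dup99,
    dup102,
    dup43,
    dup14,
    dup2,
    dup3,
    dup294,
    dup4,
    dup5,
  ]),
});
// Message 106013, generic form: same event without the "PAT" qualifier.
var msg485 = match({
  id: "MESSAGE#78:106013",
  dissect: {
    tokenizer: "Dropping echo request from %{saddr->} to address %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("106013"),
    }),
    dup99,
    dup102,
    dup43,
    dup2,
    dup3,
    dup294,
    dup4,
    dup5,
  ]),
});
// The PAT-specific pattern is listed ahead of the generic one.
var select119 = linear_select([
  msg484,
  msg485,
]);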
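// Message 305012 (translation teardown), variant :02: both endpoints carry a
// parenthesised qualifier (fld51, fld52) alongside interface, address and port.
var msg486 = match({
  id: "MESSAGE#382:305012:02",
  dissect: {
    tokenizer: "Teardown %{context->} %{protocol->} translation from %{sinterface->}:%{saddr->}/%{sport->}(%{fld51->}) to %{dinterface->}(%{fld52->}):%{daddr->}/%{dport->} duration %{duration->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("305012:02"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup295,
  ]),
});
// Message 305012, base variant, part 1: header up to the source interface.
var msg487 = match({
  id: "MESSAGE#383:305012/0",
  dissect: {
    tokenizer: "Teardown %{context->} %{protocol->} translation from %{sinterface->}:%{p0->}",
    field: "nwparser.payload",
  },
});
// Base variant, final part: destination interface/address/port and duration.
var msg488 = match({
  id: "MESSAGE#383:305012/2",
  dissect: {
    tokenizer: "%{dinterface->}:%{daddr->}/%{dport->} duration %{duration->}",
    field: "nwparser.p1",
  },
});
// dup296 (defined elsewhere) handles the middle of the message between
// msg487 and msg488.
var all131 = all_match({
  processors: [
    msg487,
    dup296,
    msg488,
  ],
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("305012"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup295,
  ]),
});
// Message 305012, variant :01, part 1: header through the source endpoint.
var msg489 = match({
  id: "MESSAGE#384:305012:01/0",
  dissect: {
    tokenizer: "Teardown %{context->} %{protocol->} translation from %{sinterface->}:%{saddr->}/%{sport->} to %{p0->}",
    field: "nwparser.payload",
  },
});
// Variant :01, final part: destination address/port and duration.
var msg490 = match({
  id: "MESSAGE#384:305012:01/2",
  dissect: {
    tokenizer: "%{daddr->}/%{dport->} duration %{duration->}",
    field: "nwparser.p1",
  },
});
var all132 = all_match({
  processors: [
    msg489,
    dup297,
    msg490,
  ],
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("305012:01"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup295,
  ]),
});
// All known layouts of 305012; the single-pattern variant is listed first.
var select120 = linear_select([
  msg486,
  all131,
  all132,
]);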
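// Message 311001: fixed text "LU loading standby start". No values are
// captured; the description is set from a constant.
var msg491 = match({
  id: "MESSAGE#401:311001",
  dissect: {
    tokenizer: "LU loading standby start%{->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup37,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("311001"),
    }),
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("LU loading standby start"),
    }),
    dup4,
    dup5,
  ]),
});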
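// Message 324002: a GTPv0 request (fld2) arrived for which no matching
// resource (fld1) exists. Both endpoints and the TID (fld3) are captured.
var msg492 = match({
  id: "MESSAGE#455:324002",
  dissect: {
    tokenizer: "No %{fld1->} exists to process GTPv0 %{fld2->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}, TID: %{fld3->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("324002"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.result",
      value: constant("nonexistent resource to process GTP request"),
    }),
  ]),
});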
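// Message 106025: "<description>: <interface> <protocol> src <addr>/<port>
// dest <addr>/<port>". The leading free text becomes event_description as-is.
var msg493 = match({
  id: "MESSAGE#95:106025",
  dissect: {
    tokenizer: "%{event_description->}: %{interface->} %{protocol->} src %{saddr->}/%{sport->} dest %{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("106025"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});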
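// Message 413003, part 1: a module in slot fld1 is not a recognized type.
var msg494 = match({
  id: "MESSAGE#629:413003/0",
  dissect: {
    tokenizer: "Module in slot %{fld1->} is not a recognized type%{p0->}",
    field: "nwparser.payload",
  },
});
// Single-alternative select; dup298 is defined elsewhere in this file.
var select121 = linear_select([
  dup298,
]);
var all133 = all_match({
  processors: [
    msg494,
    select121,
    dup223,
  ],
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("413003"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});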
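// Message 720006: "(VPN-<context>) <description>." - the unit tag goes to
// context and the sentence (without the final period) to event_description.
var msg495 = match({
  id: "MESSAGE#1115:720006",
  dissect: {
    tokenizer: "(VPN-%{context->}) %{event_description->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("720006"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});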
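// Message 737026, short form: a client was assigned hostip from a local pool.
// Useful for mapping a pool address back to the VPN session that held it.
var msg496 = match({
  id: "MESSAGE#1246:737026",
  dissect: {
    tokenizer: "%{process->}: Client assigned %{hostip->} from local pool",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("737026"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message 737026, session form: additionally captures the session identifier.
var msg497 = match({
  id: "MESSAGE#1247:737026:01",
  dissect: {
    tokenizer: "%{process->}: Session=%{sessionid->}, Client assigned %{hostip->} from local pool",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("737026:01"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var select122 = linear_select([
  msg496,
  msg497,
]);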
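// Message 412001: a MAC address moved between interfaces.
// NOTE(review): the MAC itself is captured into "interface", and the old and
// new locations into src_zone and dst_zone - confirm these field choices
// before searching for MAC moves by address. dup2 is not applied here, unlike
// most sibling parsers.
var msg498 = match({
  id: "MESSAGE#626:412001",
  dissect: {
    tokenizer: "MAC %{interface->} moved from %{src_zone->} to %{dst_zone->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("412001"),
    }),
    dup38,
    dup13,
    dup39,
    dup40,
    dup3,
    dup4,
    dup5,
  ]),
});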
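// Message 420002, ICMP form: the IPS asked for packets to be dropped; the
// message carries ICMP type and code instead of ports.
var msg499 = match({
  id: "MESSAGE#656:420002:01",
  dissect: {
    tokenizer: "IPS requested to drop %{protocol->} packets %{sinterface->}:%{saddr->} to %{dinterface->}:%{daddr->} (type %{icmptype->}, code %{icmpcode->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("420002:01"),
    }),
    dup42,
    dup43,
    dup19,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup299,
  ]),
});
// Message 420002, port form: the requesting service name is captured as
// "service", followed by both endpoints with ports.
var msg500 = match({
  id: "MESSAGE#657:420002",
  dissect: {
    tokenizer: "%{service->} requested to drop %{protocol->} packet from %{sinterface->}:%{saddr->}/%{sport->} %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("420002"),
    }),
    dup42,
    dup43,
    dup19,
    dup2,
    dup3,
    dup4,
    dup5,
    dup299,
  ]),
});
// The ICMP-specific layout is listed ahead of the generic port layout.
var select123 = linear_select([
  msg499,
  msg500,
]);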
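// Message 500003: a packet with a bad header length. The declared header
// length (fld1) and packet length (fld2) are kept next to the endpoints and
// flags (fld3), which helps triage of malformed-packet events.
var msg501 = match({
  id: "MESSAGE#676:500003",
  dissect: {
    tokenizer: "Bad %{protocol->} hdr length (hdrlen=%{fld1->}, pktlen=%{fld2->}) from %{saddr->}/%{sport->} to %{daddr->}/%{dport->}, flags: %{fld3->}, on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("500003"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Bad hdr length"),
    }),
  ]),
});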
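// Message 713035, multi-part form, built entirely from shared sub-parsers
// (dup22, dup23, dup300) that are defined elsewhere in this file.
var all134 = all_match({
  processors: [
    dup22,
    dup23,
    dup300,
  ],
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713035"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message 713035, single-pattern form. The literal " , " after the address
// (space before the comma) is part of the pattern.
var msg502 = match({
  id: "MESSAGE#861:713035:01",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->} , %{action->}:%{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713035:01"),
    }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var select124 = linear_select([
  all134,
  msg502,
]);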
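// Message 110003, routing form, part 1: "Routing failed to locate ...".
var msg503 = match({
  id: "MESSAGE#162:110003:01/0",
  dissect: {
    tokenizer: "Routing failed to locate %{p0->}",
    field: "nwparser.payload",
  },
});
// The next two patterns accept the spellings "next-hop" and "next hop".
// NOTE(review): msg504, msg505 and msg506 share the id
// "MESSAGE#162:110003:01/2".
var msg504 = match({
  id: "MESSAGE#162:110003:01/2",
  dissect: {
    tokenizer: "next-hop %{p1->}",
    field: "nwparser.p0",
  },
});
var msg505 = match({
  id: "MESSAGE#162:110003:01/2",
  dissect: {
    tokenizer: "%{->}next hop%{p1->}",
    field: "nwparser.p0",
  },
});
var select125 = linear_select([
  msg504,
  msg505,
]);
// Routing form, final part: protocol and both endpoints.
var msg506 = match({
  id: "MESSAGE#162:110003:01/2",
  dissect: {
    tokenizer: "%{->}for %{protocol->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.p1",
  },
});
// result and event_description are both filled from the same shared value
// (dup301, defined elsewhere in this file).
var all135 = all_match({
  processors: [
    msg503,
    select125,
    msg506,
  ],
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("110003:01"),
    }),
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.result",
      value: dup301,
    }),
    set_field({
      dest: "nwparser.event_description",
      value: dup301,
    }),
  ]),
});
// Message 110003, "No interface is configured" form.
var msg507 = match({
  id: "MESSAGE#163:110003:02",
  dissect: {
    tokenizer: "No interface is configured (with %{interface->}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("110003:02"),
    }),
    dup14,
    dup2,
    dup4,
    dup5,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("No interface configured"),
    }),
  ]),
});
// Message 110003, catch-all: the whole payload becomes event_description.
// Because this pattern accepts any text, it has to stay last in select126.
var msg508 = match({
  id: "MESSAGE#164:110003",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("110003"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var select126 = linear_select([
  all135,
  msg507,
  msg508,
]);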
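// Message 302015 (connection built), variant :05: inbound connection with
// translated addresses on both sides plus identity data - domain, fld3 (the
// part after the backslash), fld4 and username.
var msg509 = match({
  id: "MESSAGE#308:302015:05",
  dissect: {
    tokenizer: "Built inbound %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->})(%{domain->}\\%{fld3->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->})(%{fld4->}) (%{username->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup204,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302015:05"),
    }),
    dup64,
    dup102,
    dup43,
    dup2,
    dup3,
    dup4,
    dup5,
    dup192,
    dup193,
  ]),
});
// Base variant, destination part. The pattern expects a space before the
// closing parenthesis of the translated address.
var msg510 = match({
  id: "MESSAGE#309:302015/2",
  dissect: {
    tokenizer: "%{->}to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->} )%{p2->}",
    field: "nwparser.p1",
  },
});
// Base variant, user part: the username is either single-quoted or wrapped
// in parentheses. Both patterns share the id "MESSAGE#309:302015/3".
var msg511 = match({
  id: "MESSAGE#309:302015/3",
  dissect: {
    tokenizer: "%{->}'%{username->}' ",
    field: "nwparser.p2",
  },
});
var msg512 = match({
  id: "MESSAGE#309:302015/3",
  dissect: {
    tokenizer: "%{->}(%{username->})",
    field: "nwparser.p2",
  },
});
var select127 = linear_select([
  msg511,
  msg512,
]);
// Base variant assembled from shared header parts (dup219, dup220, defined
// elsewhere) followed by the destination and user parts above.
var all136 = all_match({
  processors: [
    dup219,
    dup220,
    msg510,
    select127,
  ],
  on_success: processor_chain([
    dup204,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302015"),
    }),
    dup64,
    dup102,
    dup43,
    dup2,
    dup3,
    dup4,
    dup5,
    dup192,
    dup193,
  ]),
});
// Variant :01, built only from shared sub-parsers defined elsewhere.
var all137 = all_match({
  processors: [
    dup221,
    dup222,
    dup223,
  ],
  on_success: processor_chain([
    dup204,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302015:01"),
    }),
    dup64,
    dup102,
    dup43,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup194,
    dup193,
  ]),
});
// Variant :03, part 1: the direction word is captured as fld1, and the first
// endpoint listed is stored in the destination fields.
var msg513 = match({
  id: "MESSAGE#311:302015:03/0",
  dissect: {
    tokenizer: "Built %{fld1->} %{protocol->} connection %{connectionid->} for %{dinterface->}:%{daddr->}/%{dport->} (%{p0->}",
    field: "nwparser.payload",
  },
});
var msg514 = match({
  id: "MESSAGE#311:302015:03/2",
  dissect: {
    tokenizer: "%{dtransaddr->}/%{dtransport->})(%{fld3->}) to %{p1->}",
    field: "nwparser.p0",
  },
});
var select128 = linear_select([
  dup225,
  msg514,
  dup226,
]);
// Variant :03 assembled; direction is copied from the fld1 capture.
var all138 = all_match({
  processors: [
    msg513,
    select128,
    dup227,
    dup228,
  ],
  on_success: processor_chain([
    dup204,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302015:03"),
    }),
    dup64,
    dup102,
    dup43,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.direction",
      value: field("fld1"),
    }),
    dup193,
  ]),
});
// Variant :04: space-separated layout with a "gaddr" address/port pair that is
// captured as hostip/network_port.
var msg515 = match({
  id: "MESSAGE#312:302015:04",
  dissect: {
    tokenizer: "Built %{protocol->} connection %{connectionid->} for %{sinterface->} %{saddr->}/%{sport->} gaddr %{hostip->}/%{network_port->} %{dinterface->} %{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup204,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302015:04"),
    }),
    dup64,
    dup102,
    dup43,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup193,
  ]),
});
// All layouts of 302015, most specific first. Which variant matched is
// recorded in msg_id1, so queries on connection-built events should cover
// every "302015*" value.
var select129 = linear_select([
  msg509,
  all136,
  all137,
  all138,
  msg515,
]);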
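// Message 400030: IPS signature event in the layout
// "<product>:<sigid> <text> from <src> to <dst> on interface <if>".
// The signature text lands in context and the signature number in sigid.
var msg516 = match({
  id: "MESSAGE#527:400030",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup52,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("400030"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});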
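// Message 405103: an H225 message contained a bad protocol discriminator.
// The offending discriminator value is stored in the protocol field.
var msg517 = match({
  id: "MESSAGE#592:405103",
  dissect: {
    tokenizer: "H225 message from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} contains bad protocol discriminator %{protocol->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("405103"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("H225 message contains bad protocol discriminator"),
    }),
  ]),
});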
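// Message 715061: "Group = <group> IP = <addr>, <action>." - note there is no
// comma between the group and the IP label in this layout.
var msg518 = match({
  id: "MESSAGE#1034:715061",
  dissect: {
    tokenizer: "Group = %{group->} IP = %{saddr->}, %{action->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("715061"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});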
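// Message 730010: VLAN mapping enabled for a group/user/IP on a VLAN
// (captured as instance).
// NOTE(review): each value is introduced by "\u003c\u003c", i.e. two "<"
// characters, but closed by a single ">". This looks like an escape carried
// over from the parser definition this file was generated from; if the device
// emits a single "<", this pattern will not match - confirm against a sample
// 730010 log line.
var msg519 = match({
  id: "MESSAGE#1208:730010",
  dissect: {
    tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> VLAN Mapping is enabled on VLAN \u003c\u003c%{instance->}>",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("730010"),
    }),
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("VLAN Mapping is enabled on VLAN"),
    }),
  ]),
});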
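// Message 105002: "(<context>)<description>" - the parenthesised unit tag goes
// to context and the rest of the payload to event_description.
var msg520 = match({
  id: "MESSAGE#27:105002",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup59,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("105002"),
    }),
    dup60,
    dup38,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});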
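// Message 325001: a router (IPv6 address in hostip_v6) seen on an interface
// has conflicting Neighbor Discovery settings. Worth reviewing when the
// router address is not one the network is expected to have.
var msg521 = match({
  id: "MESSAGE#461:325001",
  dissect: {
    tokenizer: "Router %{hostip_v6->} on %{interface->} has conflicting ND (Neighbor Discovery) settings",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup229,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("325001"),
    }),
    dup38,
    dup39,
    dup87,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});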
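// Message 715040: no structure is parsed; the entire payload is copied into
// event_description. Treat that field as device-supplied free text.
var msg522 = match({
  id: "MESSAGE#1013:715040",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("715040"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});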
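// Message 715053 (MODE_CFG), final part of the multi-part form: peer address
// and the text after "MODE_CFG:" as action.
var msg523 = match({
  id: "MESSAGE#1025:715053/2",
  dissect: {
    tokenizer: "%{saddr->}, MODE_CFG: %{action->}",
    field: "nwparser.p1",
  },
});
// dup22 and dup23 (defined elsewhere) parse the leading part of the message.
var all139 = all_match({
  processors: [
    dup22,
    dup23,
    msg523,
  ],
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("715053"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Single-pattern form. Here the MODE_CFG text goes to event_description,
// whereas the multi-part form above stores it in action.
var msg524 = match({
  id: "MESSAGE#1026:715053:01",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, MODE_CFG: %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("715053:01"),
    }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var select130 = linear_select([
  all139,
  msg524,
]);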
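// Message 776252: a CTS SGT-MAP binding was deleted from the binding manager.
// NOTE(review): the pattern matches "deleted from binding manager" while the
// constant description reads "deleted to binding manager"; the value is left
// unchanged here because saved searches may depend on it. dup2 and dup4 are
// also not applied, unlike most sibling parsers - confirm both are intended.
var msg525 = match({
  id: "MESSAGE#1307:776252",
  dissect: {
    tokenizer: "CTS SGT-MAP: Binding %{saddr->}/%{sport->}->%{fld1->}:%{group->} from %{fld2->} deleted from binding manager.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("776252"),
    }),
    dup14,
    dup3,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("deleted to binding manager"),
    }),
  ]),
});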
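// Message 103002, failure form: "(<context>) <description> failed".
var msg526 = match({
  id: "MESSAGE#7:103002:01",
  dissect: {
    tokenizer: "(%{context->}) %{event_description->} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("103002:01"),
    }),
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup302,
  ]),
});
// Message 103002, success form: "(<context>)<description> OK"; disposition is
// set to the constant "OK".
var msg527 = match({
  id: "MESSAGE#8:103002",
  dissect: {
    tokenizer: "(%{context->})%{event_description->} OK",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("103002"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.disposition",
      value: constant("OK"),
    }),
  ]),
});
// The failure form is listed ahead of the success form.
var select131 = linear_select([
  msg526,
  msg527,
]);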
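// Message 113008, part 1: AAA transaction status. The status word is stored
// in disposition; the user part is handed on as p0.
var msg528 = match({
  id: "MESSAGE#184:113008/0",
  dissect: {
    tokenizer: "AAA transaction status %{disposition->} : user = %{p0->}",
    field: "nwparser.payload",
  },
});
// dup238 (defined elsewhere) parses the user portion left in p0.
var all140 = all_match({
  processors: [
    msg528,
    dup238,
  ],
  on_success: processor_chain([
    dup63,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("113008"),
    }),
    dup17,
    dup65,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});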
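// Message 305007: an orphan IP was found on an interface. fld1 holds the name
// printed before "()" in the message.
var msg529 = match({
  id: "MESSAGE#374:305007",
  dissect: {
    tokenizer: "%{fld1->}(): Orphan IP %{hostip->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("305007"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.result",
      value: constant("Orphan IP detected on interface"),
    }),
  ]),
});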
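// Message 400008: IPS signature event in the layout
// "<product>:<sigid> <text> from <src> to <dst> on interface <if>".
// The signature text lands in context and the signature number in sigid.
var msg530 = match({
  id: "MESSAGE#505:400008",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup113,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("400008"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});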
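// Message 713132, built entirely from shared sub-parsers (dup22, dup23,
// dup241) that are defined elsewhere in this file.
var all141 = all_match({
  processors: [
    dup22,
    dup23,
    dup241,
  ],
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713132"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});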
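// Message 305003 (translation teardown), labelled form: the global address is
// stored in hostip and the local address in daddr.
var msg531 = match({
  id: "MESSAGE#364:305003",
  dissect: {
    tokenizer: "Teardown translation for global %{hostip->} local %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("305003"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup295,
  ]),
});
// Message 305003, unlabelled form: two space-separated addresses.
var msg532 = match({
  id: "MESSAGE#365:305003:01",
  dissect: {
    tokenizer: "Teardown translation for %{hostip->} %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("305003:01"),
    }),
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup295,
  ]),
});
// The labelled form is listed ahead of the looser unlabelled one.
var select132 = linear_select([
  msg531,
  msg532,
]);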
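// Message 338103, final part: dynamic-filter handling of whitelisted traffic.
// The pattern starts mid-word ("ilter"); the beginning of the message is
// presumably consumed by dup183/dup184, which are defined elsewhere.
// hostip is the source that resolved from the named list, listnum the list.
var msg533 = match({
  id: "MESSAGE#481:338103/2",
  dissect: {
    tokenizer: "ilter %{action->} whitelisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), source %{hostip->} resolved from %{listnum->} list:%{info->}",
    field: "nwparser.p1",
  },
});
var all142 = all_match({
  processors: [
    dup183,
    dup184,
    msg533,
  ],
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("338103"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});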
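// Message 611311: VPN client XAUTH failure. Only the peer address is present
// in the message, so no username is available from this event; correlate on
// saddr when counting repeated failures.
var msg534 = match({
  id: "MESSAGE#767:611311",
  dissect: {
    tokenizer: "VPNClient: XAUTH Failed: Peer: %{saddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("611311"),
    }),
    dup7,
    dup18,
    dup19,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("XAUTH failed"),
    }),
  ]),
});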
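// Message 703002: no structure is parsed; the entire payload is copied into
// event_description. Treat that field as device-supplied free text.
var msg535 = match({
  id: "MESSAGE#833:703002",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("703002"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});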
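// Message 718046: a group policy was created; the bracketed name is captured
// as policyname.
var msg536 = match({
  id: "MESSAGE#1100:718046",
  dissect: {
    tokenizer: "Create group policy [%{policyname->}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("718046"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Create group policy"),
    }),
  ]),
});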
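// Message 214001: a manager session from saddr was terminated. The reason
// given by the device is kept verbatim in result.
var msg537 = match({
  id: "MESSAGE#264:214001",
  dissect: {
    tokenizer: "Terminating manager session from %{saddr->} on interface %{interface->}.%{space->}Reason: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup84,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("214001"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Terminated manager session"),
    }),
  ]),
});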
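// Message 400047: IPS signature event in the layout
// "<product>:<sigid> <text> from <src> to <dst> on interface <if>".
// The signature text lands in context and the signature number in sigid.
var msg538 = match({
  id: "MESSAGE#544:400047",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup52,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("400047"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});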
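// Message 713219, group part: "Group = <group> ...".
// NOTE(review): msg539 and msg540 share the id "MESSAGE#933:713219/2".
var msg539 = match({
  id: "MESSAGE#933:713219/2",
  dissect: {
    tokenizer: "Group = %{group->} %{p1->}",
    field: "nwparser.p0",
  },
});
// Single-alternative select around the group part.
var select133 = linear_select([
  msg539,
]);
// Final part: peer address followed by the fixed KEY-ACQUIRE queuing text.
var msg540 = match({
  id: "MESSAGE#933:713219/2",
  dissect: {
    tokenizer: "IP = %{saddr->} Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete",
    field: "nwparser.p1",
  },
});
// dup44 (defined elsewhere) parses the start of the message.
var all143 = all_match({
  processors: [
    dup44,
    select133,
    msg540,
  ],
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713219"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("messages enqueued"),
    }),
  ]),
});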
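// Message 717005: no structure is parsed; the entire payload is copied into
// event_description. Treat that field as device-supplied free text.
var msg541 = match({
  id: "MESSAGE#1066:717005",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("717005"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});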
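// Message 715046, variant :01, header alternative: "Username = <user>,
// IP = <addr>, ..." with the remainder handed on as p0.
var msg542 = match({
  id: "MESSAGE#1016:715046:01/1",
  dissect: {
    tokenizer: "%{->}Username = %{username->}, IP = %{saddr->}, %{p0->}",
    field: "nwparser.payload",
  },
});
// dup303 (defined elsewhere) is listed before the Username form.
var select134 = linear_select([
  dup303,
  msg542,
]);
var all144 = all_match({
  processors: [
    select134,
    dup304,
  ],
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("715046:01"),
    }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Base variant of 715046, built only from shared sub-parsers.
var all145 = all_match({
  processors: [
    dup44,
    dup47,
    dup48,
  ],
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("715046"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var select135 = linear_select([
  all144,
  all145,
]);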
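// Message 716051: error adding a dynamic ACL for a user. Group, username and
// client address (hostip) are captured.
// NOTE(review): each value is introduced by "\u003c\u003c", i.e. two "<"
// characters, but closed by a single ">". This looks like an escape carried
// over from the parser definition this file was generated from; if the device
// emits a single "<", this pattern will not match and the ACL error would go
// unparsed - confirm against a sample 716051 log line.
var msg543 = match({
  id: "MESSAGE#1058:716051",
  dissect: {
    tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{hostip->}> Error adding dynamic ACL for user",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("716051"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Error adding dynamic ACL for user"),
    }),
  ]),
});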
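// Message 717024: CRL check for a trustpoint. Everything after the fixed
// prefix, including the trustpoint name, is stored in event_description.
var msg544 = match({
  id: "MESSAGE#1074:717024",
  dissect: {
    tokenizer: "Checking CRL from trustpoint: %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("717024"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});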
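// Message 720044: "(VPN-<context>) <description>" - the unit tag goes to
// context and the remaining text to event_description.
var msg545 = match({
  id: "MESSAGE#1136:720044",
  dissect: {
    tokenizer: "(VPN-%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("720044"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});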
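// Message 725013: SSL server cipher selection. The chosen cipher text is
// captured in `info`, which is the field to query when auditing for weak
// cipher negotiation; event_description is a fixed label.
var msg546 = match({
	id: "MESSAGE#1202:725013",
	dissect: {
		tokenizer: "SSL Server %{interface->}:%{hostip->}/%{network_port->} choose cipher : %{info->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup20,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("725013"),
		}),
		dup2,
		dup3,
		set_field({
			dest: "nwparser.event_description",
			value: constant("SSL Server choose cipher"),
		}),
		dup4,
		dup5,
	]),
});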
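// Message 108001 ("SMTP made noop"), parsed in three chained parts:
// payload -> p0 (msg547), p0 -> p1 (msg548 via select136), p1 -> info (msg549).
// NOTE(review): msg548 and msg549 carry the same id string
// "MESSAGE#112:108001/2"; confirm part ids are not required to be unique.
var msg547 = match({
	id: "MESSAGE#112:108001/0",
	dissect: {
		tokenizer: "SMTP made noop: out %{fld1->} in %{fld2->} data%{p0->}",
		field: "nwparser.payload",
	},
});
var msg548 = match({
	id: "MESSAGE#112:108001/2",
	dissect: {
		tokenizer: ":%{p1->}",
		field: "nwparser.p0",
	},
});
var select136 = linear_select([
	msg548,
]);
var msg549 = match({
	id: "MESSAGE#112:108001/2",
	dissect: {
		tokenizer: "%{->} %{info->}",
		field: "nwparser.p1",
	},
});
var all146 = all_match({
	processors: [
		msg547,
		select136,
		msg549,
	],
	on_success: processor_chain([
		dup195,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("108001"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});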
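// Message 403104: a PPP virtual interface requires MS-CHAP for MPPE.
// Only the interface name is extracted.
var msg550 = match({
	id: "MESSAGE#573:403104",
	dissect: {
		tokenizer: "PPP virtual interface %{interface->} requires mschap for MPPE",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup10,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("403104"),
		}),
		dup38,
		dup39,
		dup87,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});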
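// Message 605002: catch-all; the whole payload is kept as event_description.
var msg551 = match({
	id: "MESSAGE#734:605002",
	dissect: {
		tokenizer: "%{event_description->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup10,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("605002"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});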
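// Message 709004: catch-all; the whole payload is kept as event_description.
var msg552 = match({
	id: "MESSAGE#837:709004",
	dissect: {
		tokenizer: "%{event_description->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup37,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("709004"),
		}),
		dup38,
		dup39,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});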
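// Message 715049: two alternative parses offered through select137.
// all147 tags the event "715049:01" and also applies dup14; all148 tags it
// plain "715049". Part matchers are declared elsewhere in the file.
var all147 = all_match({
	processors: [
		dup305,
		dup304,
	],
	on_success: processor_chain([
		dup20,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("715049:01"),
		}),
		dup7,
		dup14,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});
var all148 = all_match({
	processors: [
		dup44,
		dup47,
		dup48,
	],
	on_success: processor_chain([
		dup20,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("715049"),
		}),
		dup7,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});
var select137 = linear_select([
	all147,
	all148,
]);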
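// Message 751007: an IKEv2 session carries a configured attribute that is not
// supported. Extracts both endpoints, the username and the attribute name
// (obj_name); event_description is a fixed label.
var msg553 = match({
	id: "MESSAGE#1268:751007",
	dissect: {
		tokenizer: "Local:%{saddr->}:%{sport->} Remote:%{daddr->}:%{dport->} Username:%{username->} Configured attribute not supported for IKEv2. Attribute: %{obj_name->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup10,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("751007"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Configured attribute not supported for IKEv2"),
		}),
	]),
});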
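// Message 111003: "Erase configuration" issued from hostip. A configuration
// wipe is an audit-relevant change event; the originating address is the only
// field extracted, so msg_id1 / event_description are what detections can key on.
var msg554 = match({
	id: "MESSAGE#167:111003",
	dissect: {
		tokenizer: "%{hostip->} Erase configuration",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup107,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("111003"),
		}),
		dup38,
		dup108,
		dup39,
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Erase configuration"),
		}),
	]),
});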
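// Message 400039: signature-style alert. Extracts product, signature id
// (sigid), a description (context), source/destination addresses and the
// interface the traffic was seen on.
var msg555 = match({
	id: "MESSAGE#536:400039",
	dissect: {
		tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup52,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("400039"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
		dup27,
		dup28,
		dup29,
		dup30,
	]),
});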
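// Message 715007: select138 offers the multi-part parse (all149) and then the
// single-pattern "KEY_ADD" form (msg556), which captures the SPI as dst_spi
// and is tagged "715007:01".
var all149 = all_match({
	processors: [
		dup79,
		dup80,
		dup81,
	],
	on_success: processor_chain([
		dup82,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("715007"),
		}),
		dup7,
		dup11,
		dup12,
		dup164,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});
var msg556 = match({
	id: "MESSAGE#995:715007:01",
	dissect: {
		tokenizer: "IKE got a KEY_ADD msg for SA: SPI = %{dst_spi->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup250,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("715007:01"),
		}),
		dup7,
		dup11,
		dup12,
		dup164,
		dup40,
		dup14,
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.event_description",
			value: constant("IKE got a KEY_ADD msg for SA"),
		}),
	]),
});
var select138 = linear_select([
	all149,
	msg556,
]);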
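// Message 716004: access DENIED to a specified location. The tail part
// (msg557) reads p1 and yields the source address, the service and the denied
// location (info); dup77/dup78 parse the leading parts elsewhere in the file.
var msg557 = match({
	id: "MESSAGE#1048:716004/2",
	dissect: {
		tokenizer: "%{saddr->}> %{network_service->} access DENIED to specified location: %{info->}",
		field: "nwparser.p1",
	},
});
var all150 = all_match({
	processors: [
		dup77,
		dup78,
		msg557,
	],
	on_success: processor_chain([
		dup180,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("716004"),
		}),
		dup18,
		dup17,
		dup106,
		dup19,
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.event_description",
			value: constant("access DENIED"),
		}),
	]),
});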
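// Message 730001: VLAN mapping for a user session. Extracts group, username,
// source address and the VLAN (stored in `instance`).
// NOTE(review): "\u003c\u003c" is a literal "<<" while each field closes with a
// single ">"; confirm the device really emits a doubled "<", otherwise this
// pattern would never match.
var msg558 = match({
	id: "MESSAGE#1206:730001",
	dissect: {
		tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> VLAN Mapping to VLAN \u003c\u003c%{instance->}>",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup20,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("730001"),
		}),
		dup4,
		dup5,
		dup2,
		dup3,
		set_field({
			dest: "nwparser.event_description",
			value: constant("VLAN Mapping to VLAN"),
		}),
	]),
});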
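// Message 434004: the SFR module asked the ASA to stop redirecting a flow and
// process it locally. Per the message text the flow no longer goes through
// packet redirection, so the extracted 5-tuple identifies traffic that is
// handled without it from this point on.
var msg559 = match({
	id: "MESSAGE#1312:434004",
	dissect: {
		tokenizer: "SFR requested ASA to bypass further packet redirection and process %{protocol->} flow from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} locally",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup20,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("434004"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.event_description",
			value: constant("SFR requested ASA to bypass further packet redirection"),
		}),
	]),
});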
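// Message 305010: translation teardown. msg560 expects address/port pairs;
// msg561 ("305010:01") is the variant without ports and also applies dup14.
// select139 lists the port-bearing form first.
var msg560 = match({
	id: "MESSAGE#377:305010",
	dissect: {
		tokenizer: "Teardown %{context->} translation from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} duration %{duration->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup21,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("305010"),
		}),
		dup42,
		dup43,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
		dup295,
	]),
});
var msg561 = match({
	id: "MESSAGE#378:305010:01",
	dissect: {
		tokenizer: "Teardown %{context->} translation from %{sinterface->}:%{saddr->} to %{dinterface->}:%{daddr->} duration %{duration->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup21,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("305010:01"),
		}),
		dup42,
		dup43,
		dup40,
		dup14,
		dup2,
		dup3,
		dup4,
		dup5,
		dup295,
	]),
});
var select139 = linear_select([
	msg560,
	msg561,
]);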
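// Message 713061: IKE negotiation line with group, peer address and interface.
// NOTE(review): `result` is hard-coded to "no matching crypto map entry", but
// the tokenizer does not check for that phrase; the actual message text is
// captured in action/info. Confirm the fixed result is right for every line
// this pattern accepts.
var msg562 = match({
	id: "MESSAGE#871:713061",
	dissect: {
		tokenizer: "Group = %{group->}, IP = %{saddr->} , %{action->}:%{info->} on interface %{interface->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup180,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("713061"),
		}),
		dup7,
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.result",
			value: constant("no matching crypto map entry"),
		}),
	]),
});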
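// Message 106021: packet denied by the reverse path check. Extracts protocol,
// source and destination address and the interface; the source address here
// is the one that failed the check, so treat it as possibly spoofed.
var msg563 = match({
	id: "MESSAGE#89:106021",
	dissect: {
		tokenizer: "Deny %{protocol->} reverse path check from %{saddr->} to %{daddr->} on interface %{interface->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup26,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("106021"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
		dup27,
		dup196,
	]),
});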
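// Message 109001: authentication start for a user. msg564 strips the fixed
// prefix, dup61 (declared elsewhere) handles the middle part, and msg565 reads
// the source/destination address and port pairs from p1. `result` is set to
// the fixed marker "Start_Session".
var msg564 = match({
	id: "MESSAGE#122:109001/0",
	dissect: {
		tokenizer: "Auth start for user %{p0->}",
		field: "nwparser.payload",
	},
});
var msg565 = match({
	id: "MESSAGE#122:109001/2",
	dissect: {
		tokenizer: "%{saddr->}/%{sport->} to %{daddr->}/%{dport->}",
		field: "nwparser.p1",
	},
});
var all151 = all_match({
	processors: [
		msg564,
		dup61,
		msg565,
	],
	on_success: processor_chain([
		dup83,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("109001"),
		}),
		dup17,
		dup60,
		dup18,
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.result",
			value: constant("Start_Session"),
		}),
	]),
});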
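// Message 199007: a device reload was scheduled. The schedule lands in fld1,
// the stated reason in `result`; dup104 (declared elsewhere) parses the part
// between "by" and the reason.
var msg566 = match({
	id: "MESSAGE#208:199007/0",
	dissect: {
		tokenizer: "Reload scheduled for %{fld1->} by %{p0->}",
		field: "nwparser.payload",
	},
});
var msg567 = match({
	id: "MESSAGE#208:199007/2",
	dissect: {
		tokenizer: "%{fld2->}. Reload reason: %{result->}",
		field: "nwparser.p1",
	},
});
var all152 = all_match({
	processors: [
		msg566,
		dup104,
		msg567,
	],
	on_success: processor_chain([
		dup166,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("199007"),
		}),
		dup13,
		dup38,
		dup2,
		dup3,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Reload scheduled"),
		}),
		dup4,
		dup5,
	]),
});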
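// Message 302023: connection teardown. msg568 handles the "IP protocol" form
// (addresses only, with connection id); msg569 ("302023:01") handles the
// "stub" form with ports and a trailing free-text event_description.
var msg568 = match({
	id: "MESSAGE#336:302023",
	dissect: {
		tokenizer: "Teardown IP protocol %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->} to %{dinterface->}:%{daddr->} duration %{duration->} bytes %{bytes->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup21,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("302023"),
		}),
		dup42,
		dup43,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
		dup306,
	]),
});
var msg569 = match({
	id: "MESSAGE#337:302023:01",
	dissect: {
		tokenizer: "Teardown stub %{protocol->} connection for %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} duration %{duration->} forwarded bytes %{bytes->} %{event_description->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup21,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("302023:01"),
		}),
		dup42,
		dup43,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});
var select140 = linear_select([
	msg568,
	msg569,
]);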
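// Message 199017: loosely structured line; leading tokens go to fld1..fld6 and
// the remainder to `info`.
// NOTE(review): this chain applies dup3, dup4 and dup5 but not dup2, unlike
// most neighbouring messages; confirm the omission is intended.
var msg570 = match({
	id: "MESSAGE#1315:199017",
	dissect: {
		tokenizer: "%{fld1->} %{fld2->} %{fld3->}:%{fld4->}:%{fld5->} %{fld6->}: %{info->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup264,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("199017"),
		}),
		dup3,
		dup4,
		dup5,
	]),
});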
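// Message 302026: multi-part parse built entirely from shared parts
// (dup307, dup308/dup309 via select141, dup310) declared elsewhere in the file.
var select141 = linear_select([
	dup308,
	dup309,
]);
var all153 = all_match({
	processors: [
		dup307,
		select141,
		dup310,
	],
	on_success: processor_chain([
		dup204,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("302026"),
		}),
		dup42,
		dup43,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
		dup311,
	]),
});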
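// Message 402116: bad ESP packet. The tail part (msg571) reads the destination
// address and the device's verdict text (`result`) from p1; dup312/dup313
// parse the leading parts elsewhere in the file.
var msg571 = match({
	id: "MESSAGE#559:402116/2",
	dissect: {
		tokenizer: "%{daddr->}. %{result->}",
		field: "nwparser.p1",
	},
});
var all154 = all_match({
	processors: [
		dup312,
		dup313,
		msg571,
	],
	on_success: processor_chain([
		dup55,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("402116"),
		}),
		dup7,
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Bad ESP packet"),
		}),
		dup56,
	]),
});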
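// Message 710003: access to the device denied by ACL. Extracts protocol, the
// source address/port and the destination interface/address/port.
var msg572 = match({
	id: "MESSAGE#844:710003",
	dissect: {
		tokenizer: "%{protocol->} access denied by ACL from %{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup84,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("710003"),
		}),
		dup42,
		dup43,
		dup99,
		dup2,
		dup3,
		dup4,
		dup5,
		dup27,
		set_field({
			dest: "nwparser.event_description",
			value: constant("access denied"),
		}),
	]),
});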
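// Message 720063: "(VPN-<context>) <text>" line; the free text becomes
// event_description.
var msg573 = match({
	id: "MESSAGE#1143:720063",
	dissect: {
		tokenizer: "(VPN-%{context->}) %{event_description->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup58,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("720063"),
		}),
		dup7,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});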
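// Message 113004: successful AAA operation. msg574 consumes "AAA user a",
// select142 then accepts "uthentication", "uthorization" or "ccounting",
// msg578 extracts the AAA server address (hostip), and dup237 (declared
// elsewhere) parses the user part.
// NOTE(review): the fixed `result` text names only accounting/authentication
// although the authorization variant is accepted too, so the three cases
// cannot be told apart from `result`.
// NOTE(review): msg575-msg578 all carry the id "MESSAGE#180:113004/2".
var msg574 = match({
	id: "MESSAGE#180:113004/0",
	dissect: {
		tokenizer: "AAA user a%{p0->}",
		field: "nwparser.payload",
	},
});
var msg575 = match({
	id: "MESSAGE#180:113004/2",
	dissect: {
		tokenizer: "uthentication%{p1->}",
		field: "nwparser.p0",
	},
});
var msg576 = match({
	id: "MESSAGE#180:113004/2",
	dissect: {
		tokenizer: "uthorization%{p1->}",
		field: "nwparser.p0",
	},
});
var msg577 = match({
	id: "MESSAGE#180:113004/2",
	dissect: {
		tokenizer: "ccounting%{p1->}",
		field: "nwparser.p0",
	},
});
var select142 = linear_select([
	msg575,
	msg576,
	msg577,
]);
var msg578 = match({
	id: "MESSAGE#180:113004/2",
	dissect: {
		tokenizer: "%{->}Successful : server = %{hostip->} : user = %{p2->}",
		field: "nwparser.p1",
	},
});
var all155 = all_match({
	processors: [
		msg574,
		select142,
		msg578,
		dup237,
	],
	on_success: processor_chain([
		dup63,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("113004"),
		}),
		dup18,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.result",
			value: constant("AAA user accounting/authentication successful"),
		}),
	]),
});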
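// Message 415005: content-type verification failure. Extracts sigid, listnum
// and the source/destination addresses; `context` is set to a fixed label.
var msg579 = match({
	id: "MESSAGE#637:415005",
	dissect: {
		tokenizer: "%{sigid->} Content type does not match specified type - %{listnum->} Content Verification Failed from %{saddr->} to %{daddr->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup206,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("415005"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.context",
			value: constant("Content type does not match specified type"),
		}),
	]),
});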
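// Message 507003: flow terminated by a service, with the reason in `result`.
// select143 accepts "ud" or "tc" and msg582 continues with "p flow ...", so the
// protocol itself is not stored in a field; event_description is the fixed
// label "tcp/udp flow terminated". dup44 (declared elsewhere) parses the head.
var msg580 = match({
	id: "MESSAGE#704:507003/2",
	dissect: {
		tokenizer: "ud%{p1->}",
		field: "nwparser.p0",
	},
});
var msg581 = match({
	id: "MESSAGE#704:507003/2",
	dissect: {
		tokenizer: "tc%{p1->}",
		field: "nwparser.p0",
	},
});
var select143 = linear_select([
	msg580,
	msg581,
]);
var msg582 = match({
	id: "MESSAGE#704:507003/2",
	dissect: {
		tokenizer: "p flow from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} terminated by %{service->}, reason - %{result->}",
		field: "nwparser.p1",
	},
});
var all156 = all_match({
	processors: [
		dup44,
		select143,
		msg582,
	],
	on_success: processor_chain([
		dup36,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("507003"),
		}),
		dup42,
		dup43,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.event_description",
			value: constant("tcp/udp flow terminated"),
		}),
	]),
});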
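// Message 720010: "(VPN-<context>) <text>" line; the free text becomes
// event_description.
var msg583 = match({
	id: "MESSAGE#1116:720010",
	dissect: {
		tokenizer: "(VPN-%{context->}) %{event_description->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup160,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("720010"),
		}),
		dup7,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});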
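// Message 311004: "LU xmit thread up" status line; no variable fields are
// kept, only a fixed event_description.
var msg584 = match({
	id: "MESSAGE#404:311004",
	dissect: {
		tokenizer: "LU xmit thread up%{->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup37,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("311004"),
		}),
		dup2,
		dup3,
		set_field({
			dest: "nwparser.event_description",
			value: constant("LU xmit thread up"),
		}),
		dup4,
		dup5,
	]),
});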
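// Message 400034: signature-style alert. Extracts product, signature id
// (sigid), a description (context), source/destination addresses and the
// interface the traffic was seen on.
var msg585 = match({
	id: "MESSAGE#531:400034",
	dissect: {
		tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup76,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("400034"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
		dup27,
		dup28,
		dup29,
		dup30,
	]),
});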
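// Message 713133: mismatch reported for a peer. The tail part (msg586) reads
// the peer address and the mismatch text from p1; dup22/dup23 parse the
// leading parts elsewhere in the file.
var msg586 = match({
	id: "MESSAGE#900:713133/2",
	dissect: {
		tokenizer: "%{saddr->}, Mismatch: %{event_description->}",
		field: "nwparser.p1",
	},
});
var all157 = all_match({
	processors: [
		dup22,
		dup23,
		msg586,
	],
	on_success: processor_chain([
		dup51,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("713133"),
		}),
		dup7,
		dup38,
		dup39,
		dup19,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});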
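// Message 720004: "(VPN-<context>) <text>." line; the free text (without the
// closing period) becomes event_description.
var msg587 = match({
	id: "MESSAGE#1113:720004",
	dissect: {
		tokenizer: "(VPN-%{context->}) %{event_description->}.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup20,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("720004"),
		}),
		dup7,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});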
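// Message 715063: parsed entirely by shared parts (dup44, dup175, dup33)
// declared elsewhere in the file.
var all158 = all_match({
	processors: [
		dup44,
		dup175,
		dup33,
	],
	on_success: processor_chain([
		dup21,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("715063"),
		}),
		dup7,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});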
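// Message 304007: the URL filtering server stopped responding and the device
// entered ALLOW mode, i.e. per the message text it is now allowing traffic
// rather than blocking while the server is unreachable. Only the server
// address (hostip) is extracted and this chain sets no event_description or
// result of its own, so alerts have to key on msg_id1 "304007".
var msg588 = match({
	id: "MESSAGE#359:304007",
	dissect: {
		tokenizer: "URL Server %{hostip->} not responding, ENTERING ALLOW mode",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup20,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("304007"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});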
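// Message 305011: translation built. select144 lists three parses in order:
//   msg589 ("305011:02") - single pattern with parenthesised extras (fld51/fld52),
//   all159 ("305011")    - head msg590 plus shared parts dup296/dup260,
//   all160 ("305011:01") - head msg591 plus shared parts dup297/dup314.
// All three apply the same post-processing chain apart from the msg_id1 tag.
var msg589 = match({
	id: "MESSAGE#379:305011:02",
	dissect: {
		tokenizer: "Built %{context->} %{protocol->} translation from %{sinterface->}:%{saddr->}/%{sport->}(%{fld51->}) to %{dinterface->}(%{fld52->}):%{daddr->}/%{dport->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup21,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("305011:02"),
		}),
		dup42,
		dup43,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
		dup234,
	]),
});
var msg590 = match({
	id: "MESSAGE#380:305011/0",
	dissect: {
		tokenizer: "Built %{context->} %{protocol->} translation from %{sinterface->}:%{p0->}",
		field: "nwparser.payload",
	},
});
var all159 = all_match({
	processors: [
		msg590,
		dup296,
		dup260,
	],
	on_success: processor_chain([
		dup21,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("305011"),
		}),
		dup42,
		dup43,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
		dup234,
	]),
});
var msg591 = match({
	id: "MESSAGE#381:305011:01/0",
	dissect: {
		tokenizer: "Built %{context->} %{protocol->} translation from %{sinterface->}:%{saddr->}/%{sport->} to %{p0->}",
		field: "nwparser.payload",
	},
});
var all160 = all_match({
	processors: [
		msg591,
		dup297,
		dup314,
	],
	on_success: processor_chain([
		dup21,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("305011:01"),
		}),
		dup42,
		dup43,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
		dup234,
	]),
});
var select144 = linear_select([
	msg589,
	all159,
	all160,
]);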
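// Message 609001: local-host entry built; extracts interface and host address.
var msg592 = match({
	id: "MESSAGE#747:609001",
	dissect: {
		tokenizer: "Built local-host %{interface->}:%{hostip->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup21,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("609001"),
		}),
		dup4,
		dup5,
		dup2,
		dup3,
	]),
});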
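// Message 702303: catch-all; the whole payload is kept as event_description.
var msg593 = match({
	id: "MESSAGE#830:702303",
	dissect: {
		tokenizer: "%{event_description->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup21,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("702303"),
		}),
		dup7,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});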
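// Message 413001: a module could not shut down. The slot goes to fld1 and the
// module error text to fld2/fld3.
// NOTE(review): the pattern has no space around %{fld1->} ("slot%{fld1->}is");
// confirm this matches the device's actual wording.
var msg594 = match({
	id: "MESSAGE#627:413001",
	dissect: {
		tokenizer: "Module in slot%{fld1->}is not able to shut down. %{space->} Module Error: %{fld2->} %{fld3->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup10,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("413001"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});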
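// Message 609002 (tagged "609002:01"): local-host teardown. msg595 consumes
// "Teardown local", dup115 (declared elsewhere) handles the separator, and
// msg596 extracts interface, host address and duration from p1.
var msg595 = match({
	id: "MESSAGE#748:609002:01/0",
	dissect: {
		tokenizer: "Teardown local%{p0->}",
		field: "nwparser.payload",
	},
});
var msg596 = match({
	id: "MESSAGE#748:609002:01/2",
	dissect: {
		tokenizer: "host %{interface->}:%{hostip->} duration %{duration->}",
		field: "nwparser.p1",
	},
});
var all161 = all_match({
	processors: [
		msg595,
		dup115,
		msg596,
	],
	on_success: processor_chain([
		dup21,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("609002:01"),
		}),
		dup43,
		dup42,
		dup40,
		dup14,
		dup4,
		dup5,
		dup2,
		dup3,
		dup306,
	]),
});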
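// Message 620002: select145 lists the structured "Unsupported CTIQBE version"
// form (msg597, tagged "620002:01") ahead of the catch-all msg598, which keeps
// the whole payload as event_description. The catch-all accepts any payload,
// so it has to stay last in the list.
var msg597 = match({
	id: "MESSAGE#799:620002:01",
	dissect: {
		tokenizer: "Unsupported CTIQBE version: %{fld1->}: from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup10,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("620002:01"),
		}),
		dup14,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});
var msg598 = match({
	id: "MESSAGE#800:620002",
	dissect: {
		tokenizer: "%{event_description->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup10,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("620002"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});
var select145 = linear_select([
	msg597,
	msg598,
]);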
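// Message 199908: an attached application was detected; extracts the protocol
// and the local/destination ports (stored as sport/dport).
var msg599 = match({
	id: "MESSAGE#213:199908",
	dissect: {
		tokenizer: "%{protocol->} detected an attached application using local port %{sport->} and destination port %{dport->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup20,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("199908"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});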
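// Message 324007: a GTP connection could not be created for a response.
// Extracts both endpoints (interface, address, port); `result` is a fixed label.
var msg600 = match({
	id: "MESSAGE#460:324007",
	dissect: {
		tokenizer: "Unable to create GTP connection for response from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup10,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("324007"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.result",
			value: constant("Unable to create GTP connection"),
		}),
	]),
});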
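// Message 338302: an address was discovered for a listed domain and a rule is
// being added. Extracts the resolved address (hostip), the domain (web_domain)
// and the list it came from (category). select146 accepts either "." or ","
// after the category; msg604 requires the trailing "Adding rule".
var msg601 = match({
	id: "MESSAGE#488:338302/0",
	dissect: {
		tokenizer: "Address %{hostip->} discovered for domain %{web_domain->} from %{p0->}",
		field: "nwparser.payload",
	},
});
var msg602 = match({
	id: "MESSAGE#488:338302/2",
	dissect: {
		tokenizer: "%{category->}.%{p1->}",
		field: "nwparser.p0",
	},
});
var msg603 = match({
	id: "MESSAGE#488:338302/2",
	dissect: {
		tokenizer: "%{category->},%{p1->}",
		field: "nwparser.p0",
	},
});
var select146 = linear_select([
	msg602,
	msg603,
]);
var msg604 = match({
	id: "MESSAGE#488:338302/2",
	dissect: {
		tokenizer: "%{->}Adding rule",
		field: "nwparser.p1",
	},
});
var all162 = all_match({
	processors: [
		msg601,
		select146,
		msg604,
	],
	on_success: processor_chain([
		dup163,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("338302"),
		}),
		dup164,
		dup38,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});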
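// Message 400004: signature-style alert. Extracts product, signature id
// (sigid), a description (context), source/destination addresses and the
// interface the traffic was seen on.
var msg605 = match({
	id: "MESSAGE#501:400004",
	dissect: {
		tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup26,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("400004"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
		dup27,
		dup28,
		dup29,
		dup30,
	]),
});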
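// Message 504002: select147 lists the structured "Security context ... was
// removed" form (msg606, tagged "504002:01", context name in `info`) ahead of
// the catch-all msg607. Removal of a security context is a configuration
// change, so both variants are useful for change auditing.
var msg606 = match({
	id: "MESSAGE#688:504002:01",
	dissect: {
		tokenizer: "Security context %{info->} was removed from the system",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup107,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("504002:01"),
		}),
		dup108,
		dup38,
		dup14,
		dup2,
		dup3,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Security context removed"),
		}),
		dup4,
		dup5,
	]),
});
var msg607 = match({
	id: "MESSAGE#689:504002",
	dissect: {
		tokenizer: "%{event_description->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup107,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("504002"),
		}),
		dup108,
		dup38,
		dup2,
		dup3,
		dup4,
		dup5,
	]),
});
var select147 = linear_select([
	msg606,
	msg607,
]);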
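// Message 746006: "<application>: <text>" line.
// NOTE(review): this chain applies only dup20, the msg_id1 tag and dup3;
// neighbouring messages also apply dup2, dup4 and dup5. Confirm the shorter
// chain is intended, since events from it may lack fields the others carry.
var msg608 = match({
	id: "MESSAGE#1256:746006",
	dissect: {
		tokenizer: "%{application->}: %{event_description->}",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup20,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("746006"),
		}),
		dup3,
	]),
});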
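// Message 502112: a group policy was deleted (policy change, audit-relevant).
// msg609 strips the fixed prefix; dup315/dup316 (declared elsewhere) parse the
// rest. Unlike most chains here, eventcategory is set inline to "1502040000"
// rather than through a shared dupN processor.
var msg609 = match({
	id: "MESSAGE#684:502112/0",
	dissect: {
		tokenizer: "Group policy deleted: name: %{p0->}",
		field: "nwparser.payload",
	},
});
var all163 = all_match({
	processors: [
		msg609,
		dup315,
		dup316,
	],
	on_success: processor_chain([
		set_field({
			dest: "nwparser.eventcategory",
			value: constant("1502040000"),
		}),
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("502112"),
		}),
		dup2,
		dup3,
		dup4,
		dup5,
		set_field({
			dest: "nwparser.result",
			value: constant("Group policy deleted"),
		}),
	]),
});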
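// Message 611101: user authentication succeeded. all164 handles the form with
// only "Uname:"; all165 ("611101:01") handles the form that also carries the
// client address (saddr). dup238 (declared elsewhere) parses the user name.
// NOTE(review): a payload beginning "User authentication succeeded: IP
// address: ..." does not match msg610's prefix, so listing all164 first should
// not shadow all165 - confirm against sample logs.
var msg610 = match({
	id: "MESSAGE#752:611101/0",
	dissect: {
		tokenizer: "User authentication succeeded: Uname: %{p0->}",
		field: "nwparser.payload",
	},
});
var all164 = all_match({
	processors: [
		msg610,
		dup238,
	],
	on_success: processor_chain([
		dup105,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("611101"),
		}),
		dup7,
		dup18,
		dup17,
		dup106,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
		dup317,
	]),
});
var msg611 = match({
	id: "MESSAGE#753:611101:01/0",
	dissect: {
		tokenizer: "User authentication succeeded: IP address: %{saddr->}, Uname: %{p0->}",
		field: "nwparser.payload",
	},
});
var all165 = all_match({
	processors: [
		msg611,
		dup238,
	],
	on_success: processor_chain([
		dup105,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("611101:01"),
		}),
		dup7,
		dup18,
		dup17,
		dup106,
		dup40,
		dup2,
		dup3,
		dup4,
		dup5,
		dup317,
	]),
});
var select148 = linear_select([
	all164,
	all165,
]);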
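// Message 713117: "Received Invalid SPI notify". select149 accepts the form
// with a Username (msg612) or without one (msg613); msg614 extracts the SPI as
// dst_spi. dup9 (declared elsewhere) parses the head of the payload.
// NOTE(review): msg612 expects no comma between the address and "Received",
// msg613 expects one; confirm both spellings occur in real logs.
var msg612 = match({
	id: "MESSAGE#884:713117/2",
	dissect: {
		tokenizer: "%{group->}, Username = %{username->}, IP = %{saddr->} Received Invalid SPI notify (SPI %{p1->}",
		field: "nwparser.p0",
	},
});
var msg613 = match({
	id: "MESSAGE#884:713117/2",
	dissect: {
		tokenizer: "%{group->}, IP = %{saddr->}, Received Invalid SPI notify (SPI %{p1->}",
		field: "nwparser.p0",
	},
});
var select149 = linear_select([
	msg612,
	msg613,
]);
var msg614 = match({
	id: "MESSAGE#884:713117/2",
	dissect: {
		tokenizer: "%{dst_spi->})!",
		field: "nwparser.p1",
	},
});
var all166 = all_match({
	processors: [
		dup9,
		select149,
		msg614,
	],
	on_success: processor_chain([
		dup10,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("713117"),
		}),
		dup7,
		dup4,
		dup5,
		dup2,
		dup3,
		set_field({
			dest: "nwparser.event_description",
			value: constant("Received Invalid SPI notify"),
		}),
	]),
});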
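// Message 725005: an SSL server requested the device certificate for
// authentication. select150 lists the form with both endpoints (all167,
// tagged "725005:01") ahead of the single-endpoint form (msg616).
// dup254/dup255 (declared elsewhere) parse the tail of the longer form.
var msg615 = match({
	id: "MESSAGE#1189:725005:01/0",
	dissect: {
		tokenizer: "SSL server %{sinterface->}:%{saddr->}/%{sport->} to %{daddr->}/%{dport->} requesting our device certificate for authentication%{p0->}",
		field: "nwparser.payload",
	},
});
var all167 = all_match({
	processors: [
		msg615,
		dup254,
		dup255,
	],
	on_success: processor_chain([
		dup83,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("725005:01"),
		}),
		dup2,
		dup3,
		dup318,
		dup4,
		dup5,
	]),
});
var msg616 = match({
	id: "MESSAGE#1190:725005",
	dissect: {
		tokenizer: "SSL server %{interface->}:%{hostip->}/%{network_port->} requesting our device certificate for authentication.",
		field: "nwparser.payload",
	},
	on_success: processor_chain([
		dup83,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("725005"),
		}),
		dup2,
		dup3,
		dup318,
		dup4,
		dup5,
	]),
});
var select150 = linear_select([
	all167,
	msg616,
]);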
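// Message 113019: session disconnect summary (peer address, action, session
// type, bytes sent/received and the disconnect reason in `result`).
// select151 lists three tail variants, differing only in the Duration format:
//   all168 ("113019:01") - "<d>d <h>h:<m>m:<s>s", duration rebuilt via DUR,
//   all169 ("113019:02") - "<h>h:<m>m:<s>s", duration rebuilt via DUR,
//   all170 ("113019")    - any other text, captured directly as `duration`.
// dup22/dup23 (declared elsewhere) parse the head of the payload.
// NOTE(review): the DUR format string tags the minute argument %T in all168
// but %U in all169; confirm both are valid for DUR and yield the same unit.
var msg617 = match({
	id: "MESSAGE#194:113019:01/2",
	dissect: {
		tokenizer: "%{saddr->}, %{action->} Session Type: %{network_service->}, Duration: %{day->}d %{hour->}h:%{min->}m:%{second->}s, Bytes xmt: %{sbytes->}, Bytes rcv: %{rbytes->}, Reason: %{result->}",
		field: "nwparser.p1",
	},
});
var all168 = all_match({
	processors: [
		dup22,
		dup23,
		msg617,
	],
	on_success: processor_chain([
		dup34,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("113019:01"),
		}),
		dup14,
		dup2,
		dup3,
		dup319,
		dup4,
		dup5,
		call({
			dest: "nwparser.duration",
			fn: DUR,
			args: [
				constant("%A%N%T%O"),
				field("day"),
				field("hour"),
				field("min"),
				field("second"),
			],
		}),
	]),
});
var msg618 = match({
	id: "MESSAGE#195:113019:02/2",
	dissect: {
		tokenizer: "%{saddr->}, %{action->} Session Type: %{network_service->}, Duration: %{hour->}h:%{min->}m:%{second->}s, Bytes xmt: %{sbytes->}, Bytes rcv: %{rbytes->}, Reason: %{result->}",
		field: "nwparser.p1",
	},
});
var all169 = all_match({
	processors: [
		dup22,
		dup23,
		msg618,
	],
	on_success: processor_chain([
		dup34,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("113019:02"),
		}),
		dup14,
		dup2,
		dup3,
		dup319,
		dup4,
		dup5,
		call({
			dest: "nwparser.duration",
			fn: DUR,
			args: [
				constant("%N%U%O"),
				field("hour"),
				field("min"),
				field("second"),
			],
		}),
	]),
});
var msg619 = match({
	id: "MESSAGE#196:113019/2",
	dissect: {
		tokenizer: "%{saddr->}, %{action->} Session Type: %{network_service->}, Duration: %{duration->}, Bytes xmt: %{sbytes->}, Bytes rcv: %{rbytes->}, Reason: %{result->}",
		field: "nwparser.p1",
	},
});
var all170 = all_match({
	processors: [
		dup22,
		dup23,
		msg619,
	],
	on_success: processor_chain([
		dup34,
		set_field({
			dest: "nwparser.msg_id1",
			value: constant("113019"),
		}),
		dup2,
		dup3,
		dup319,
		dup4,
		dup5,
	]),
});
var select151 = linear_select([
	all168,
	all169,
	all170,
]);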
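// Cisco ASA message 402126 (crypto archive file written because a soft reset
// was necessary). msg620 reads the fixed prefix and leaves the rest in p0.
var msg620 = match({
    id: "MESSAGE#567:402126/0",
    dissect: {
        tokenizer: "CRYPTO: The %{product->} File %{p0->}",
        field: "nwparser.payload",
    },
});

// File name written in angle brackets.
// NOTE(review): \u003c\u003c decodes to two '<' characters while the pattern
// closes with a single '>'. If the device writes the name as <file>, this
// alternative never matches and the line would fall through to the unquoted
// pattern below with the brackets left inside filename - confirm against
// sample logs.
var msg621 = match({
    id: "MESSAGE#567:402126/2",
    dissect: {
        tokenizer: "\u003c\u003c%{filename->}> as a Soft Reset was necessary. %{p1->}",
        field: "nwparser.p0",
    },
});

// File name written in single quotes.
var msg622 = match({
    id: "MESSAGE#567:402126/2",
    dissect: {
        tokenizer: "'%{filename->}' as a Soft Reset was necessary. %{p1->}",
        field: "nwparser.p0",
    },
});

// File name written bare.
var msg623 = match({
    id: "MESSAGE#567:402126/2",
    dissect: {
        tokenizer: "%{filename->} as a Soft Reset was necessary. %{p1->}",
        field: "nwparser.p0",
    },
});

// Quoted forms are listed ahead of the bare one. All three alternatives carry
// the same id string, so the id alone does not tell which of them matched.
var select152 = linear_select([
    msg621,
    msg622,
    msg623,
]);

// Combines prefix, file-name alternative and dup316 (declared elsewhere);
// tags msg_id1 "402126" and a fixed result string.
var all171 = all_match({
    processors: [
        msg620,
        select152,
        dup316,
    ],
    on_success: processor_chain([
        dup49,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("402126"),
        }),
        dup7,
        dup2,
        dup3,
        dup4,
        dup5,
        set_field({
            dest: "nwparser.result",
            value: constant("Crypto archive - soft reset"),
        }),
    ]),
});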
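// Cisco ASA message 415008 (HTTP inspection). Two layouts.

// Layout 1: "HTTP RFC method illegal". The quoted token after the dash is
// stored in protocol; tags msg_id1 "415008" and a fixed context string.
// NOTE(review): the quoted token presumably comes from the inspected request,
// i.e. it is client-controlled text - confirm before using it unescaped.
var msg624 = match({
    id: "MESSAGE#640:415008",
    dissect: {
        tokenizer: "%{sigid->} HTTP RFC method illegal - %{listnum->} '%{protocol->}' from %{saddr->} to %{daddr->}",
        field: "nwparser.payload",
    },
    on_success: processor_chain([
        dup206,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("415008"),
        }),
        dup2,
        dup3,
        dup4,
        dup5,
        set_field({
            dest: "nwparser.context",
            value: constant("HTTP RFC method illegal"),
        }),
    ]),
});

// Layout 2: a policy-map header match that resets the connection; captures
// both endpoints with interface and port. Tags msg_id1 "415008:01".
var msg625 = match({
    id: "MESSAGE#641:415008:01",
    dissect: {
        tokenizer: "%{sigid->} HTTP - matched %{fld1->} in policy-map %{policyname->}, header matched - Resetting connection from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
        field: "nwparser.payload",
    },
    on_success: processor_chain([
        dup206,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("415008:01"),
        }),
        dup14,
        dup2,
        dup3,
        dup4,
        dup5,
    ]),
});

var select153 = linear_select([
    msg624,
    msg625,
]);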
var msg626 = match({ | |
id: "MESSAGE#663:421005/0", | |
dissect: { | |
tokenizer: "%{interface->}:%{hostip->} is counted as a user %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg627 = match({ | |
id: "MESSAGE#663:421005/2", | |
dissect: { | |
tokenizer: "for%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg628 = match({ | |
id: "MESSAGE#663:421005/2", | |
dissect: { | |
tokenizer: "of%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select154 = linear_select([ | |
msg627, | |
msg628, | |
]); | |
var msg629 = match({ | |
id: "MESSAGE#663:421005/2", | |
dissect: { | |
tokenizer: "%{->} %{product->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all172 = all_match({ | |
processors: [ | |
msg626, | |
select154, | |
msg629, | |
], | |
on_success: processor_chain([ | |
dup186, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("421005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg630 = match({ | |
id: "MESSAGE#631:414002", | |
dissect: { | |
tokenizer: "Failed to save logging buffer to flash:/syslog directory using filename: %{filename->}: [%{result->}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("414002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg631 = match({ | |
id: "MESSAGE#35:105010", | |
dissect: { | |
tokenizer: "(%{context->})%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup165, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105010"), | |
}), | |
dup2, | |
dup3, | |
dup167, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg632 = match({ | |
id: "MESSAGE#267:219002", | |
dissect: { | |
tokenizer: "%{service->} error, slot = %{fld1->}, device = %{fld2->}, address = %{fld3->}, byte count = %{bytes->}. Reason: %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("219002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("i2c_read_block_w_suspend() error"), | |
}), | |
]), | |
}); | |
var msg633 = match({ | |
id: "MESSAGE#1126:720032", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720032"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
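// Cisco ASA message 731001 (NAC policy added). Captures the policy name and
// its type text, sets eventcategory "1501020000", msg_id1 "731001" and a
// fixed result string.
// NOTE(review): each \u003c\u003c decodes to two '<' characters but is closed
// by a single '>'. If the device prints single angle brackets this pattern
// cannot match and the configuration-change event would not be tagged as
// 731001 - confirm against sample logs.
var msg634 = match({
    id: "MESSAGE#1209:731001",
    dissect: {
        tokenizer: "NAC policy added: name: \u003c\u003c%{policyname->}> Type: \u003c\u003c %{info->} >",
        field: "nwparser.payload",
    },
    on_success: processor_chain([
        set_field({
            dest: "nwparser.eventcategory",
            value: constant("1501020000"),
        }),
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("731001"),
        }),
        dup2,
        dup3,
        dup4,
        dup5,
        set_field({
            dest: "nwparser.result",
            value: constant("NAC policy added"),
        }),
    ]),
});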
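// Two unrelated texts are filed under the 106017 id family.

// "Deny IP due to Land Attack": captures source and destination address and
// tags msg_id1 "106017".
var msg635 = match({
    id: "MESSAGE#84:106017",
    dissect: {
        tokenizer: "Deny IP due to Land Attack from %{saddr->} to %{daddr->}",
        field: "nwparser.payload",
    },
    on_success: processor_chain([
        dup113,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("106017"),
        }),
        dup99,
        dup320,
        dup2,
        dup3,
        dup4,
        dup5,
        dup27,
        dup196,
    ]),
});

// "Packet contains ActiveX content and has been modified": sets its own
// eventcategory "1001030000" and tags msg_id1 "106017:01".
// NOTE(review): because both entries start with "106017", a detection that
// matches on the msg_id1 prefix mixes content-filter events with denied
// packets; match on the full msg_id1 value instead.
var msg636 = match({
    id: "MESSAGE#85:106017:01",
    dissect: {
        tokenizer: "Packet contains ActiveX content and has been modified src %{saddr->} dest to %{daddr->}",
        field: "nwparser.payload",
    },
    on_success: processor_chain([
        set_field({
            dest: "nwparser.eventcategory",
            value: constant("1001030000"),
        }),
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("106017:01"),
        }),
        dup14,
        dup2,
        dup3,
        dup4,
        dup5,
        dup27,
        dup196,
    ]),
});

var select155 = linear_select([
    msg635,
    msg636,
]);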
var msg637 = match({ | |
id: "MESSAGE#939:713227", | |
dissect: { | |
tokenizer: "IP = %{saddr->}, %{action->} for peer %{fld1->}. %{fld2->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713227"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg638 = match({ | |
id: "MESSAGE#1302:717045", | |
dissect: { | |
tokenizer: "Local CA Server CRL info: %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup166, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("717045"), | |
}), | |
dup14, | |
dup2, | |
dup5, | |
dup3, | |
]), | |
}); | |
var msg639 = match({ | |
id: "MESSAGE#203:199002", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("199002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
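// Cisco ASA message 315011, "disconnected by SSH server" layout.
// msg640-msg643 read the user name from nwparser.p0 in four quoting styles
// (doubled double quotes, double quotes, single quotes, bare) and leave the
// reason text in p1.
var msg640 = match({
    id: "MESSAGE#419:315011/2",
    dissect: {
        tokenizer: "\"\"%{username->}\"\" disconnected by SSH server, reason: %{p1->}",
        field: "nwparser.p0",
    },
});

var msg641 = match({
    id: "MESSAGE#419:315011/2",
    dissect: {
        tokenizer: "\"%{username->}\" disconnected by SSH server, reason: %{p1->}",
        field: "nwparser.p0",
    },
});

var msg642 = match({
    id: "MESSAGE#419:315011/2",
    dissect: {
        tokenizer: "'%{username->}' disconnected by SSH server, reason: %{p1->}",
        field: "nwparser.p0",
    },
});

// NOTE(review): in this bare form nothing delimits the user name except the
// following literal text. The name is presumably chosen by the connecting
// client, so username and the reason derived from p1 should be treated as
// untrusted strings by dashboards and alert rules.
var msg643 = match({
    id: "MESSAGE#419:315011/2",
    dissect: {
        tokenizer: "%{username->} disconnected by SSH server, reason: %{p1->}",
        field: "nwparser.p0",
    },
});

// Most heavily quoted form is listed first, the bare form last.
var select156 = linear_select([
    msg640,
    msg641,
    msg642,
    msg643,
]);

// msg644-msg646 read the reason from nwparser.p1 into result, again from the
// most quoted to the bare form. Each pattern ends with a literal space.
var msg644 = match({
    id: "MESSAGE#419:315011/2",
    dissect: {
        tokenizer: "\"\"%{result->}\"\" ",
        field: "nwparser.p1",
    },
});

var msg645 = match({
    id: "MESSAGE#419:315011/2",
    dissect: {
        tokenizer: "\"%{result->}\" ",
        field: "nwparser.p1",
    },
});

var msg646 = match({
    id: "MESSAGE#419:315011/2",
    dissect: {
        tokenizer: "%{result->} ",
        field: "nwparser.p1",
    },
});

var select157 = linear_select([
    msg644,
    msg645,
    msg646,
]);

// Combines dup321 (declared elsewhere) with the user-name and reason
// alternatives; tags msg_id1 "315011" and a fixed event_description.
var all173 = all_match({
    processors: [
        dup321,
        select156,
        select157,
    ],
    on_success: processor_chain([
        dup36,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("315011"),
        }),
        dup2,
        dup3,
        dup4,
        dup5,
        set_field({
            dest: "nwparser.event_description",
            value: constant("session disconnected"),
        }),
    ]),
});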
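// Cisco ASA message 315011, "terminated normally" layout.
// msg647-msg650 read the user name from nwparser.p0 in four quoting styles
// (doubled double quotes, double quotes, single quotes, bare).
var msg647 = match({
    id: "MESSAGE#420:315011:01/1",
    dissect: {
        tokenizer: "\"\"%{username->}\"\" terminated normally",
        field: "nwparser.p0",
    },
});

var msg648 = match({
    id: "MESSAGE#420:315011:01/1",
    dissect: {
        tokenizer: "\"%{username->}\" terminated normally",
        field: "nwparser.p0",
    },
});

var msg649 = match({
    id: "MESSAGE#420:315011:01/1",
    dissect: {
        tokenizer: "'%{username->}' terminated normally",
        field: "nwparser.p0",
    },
});

// Bare form: only the trailing literal text delimits the user name.
var msg650 = match({
    id: "MESSAGE#420:315011:01/1",
    dissect: {
        tokenizer: "%{username->} terminated normally",
        field: "nwparser.p0",
    },
});

// Most heavily quoted form is listed first, the bare form last.
var select158 = linear_select([
    msg647,
    msg648,
    msg649,
    msg650,
]);

// Combines dup321 (declared elsewhere) with the user-name alternatives; tags
// msg_id1 "315011:01" and a fixed event_description.
var all174 = all_match({
    processors: [
        dup321,
        select158,
    ],
    on_success: processor_chain([
        dup36,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("315011:01"),
        }),
        dup14,
        dup2,
        dup3,
        dup4,
        dup5,
        set_field({
            dest: "nwparser.event_description",
            value: constant("terminated normally"),
        }),
    ]),
});

// Both 315011 layouts: the "disconnected by SSH server" chain (all173) is
// listed ahead of the "terminated normally" chain.
var select159 = linear_select([
    all173,
    all174,
]);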
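// Cisco ASA message 713240 (received DH key with bad length). Captures the
// tunnel group, peer address, and the received and expected key lengths;
// tags msg_id1 "713240" and a fixed event_description.
// NOTE(review): observed_val and expected_val are captured as text; any rule
// that compares them numerically has to convert them first.
var msg651 = match({
    id: "MESSAGE#947:713240",
    dissect: {
        tokenizer: "Group = %{group->}, IP = %{saddr->}, Received DH key with bad length: received length=%{observed_val->} expected length=%{expected_val->}",
        field: "nwparser.payload",
    },
    on_success: processor_chain([
        dup20,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("713240"),
        }),
        dup7,
        dup4,
        dup5,
        dup2,
        dup3,
        set_field({
            dest: "nwparser.event_description",
            value: constant("Received DH key with bad length"),
        }),
    ]),
});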
var msg652 = match({ | |
id: "MESSAGE#1265:750003", | |
dissect: { | |
tokenizer: "Local:%{saddr->}:%{sport->} Remote:%{daddr->}:%{dport->} Username:%{username->} Negotiation aborted due to ERROR: %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("750003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Negotiation aborted due to ERROR"), | |
}), | |
]), | |
}); | |
var msg653 = match({ | |
id: "MESSAGE#801:622001/2", | |
dissect: { | |
tokenizer: "Add%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg654 = match({ | |
id: "MESSAGE#801:622001/2", | |
dissect: { | |
tokenizer: "Remov%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select160 = linear_select([ | |
msg653, | |
msg654, | |
]); | |
var msg655 = match({ | |
id: "MESSAGE#801:622001/2", | |
dissect: { | |
tokenizer: "ing tracked route %{info->}, distance %{dclass_counter1->}, table %{filename->}, on interface %{interface->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all175 = all_match({ | |
processors: [ | |
dup44, | |
select160, | |
msg655, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("622001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Adding/Removing tracked route on interface"), | |
}), | |
]), | |
}); | |
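// Cisco ASA message 109032 (a downloaded ACL could not be installed for a
// user). msg656 reads the ACL name into listnum and leaves the rest in p0.
var msg656 = match({
    id: "MESSAGE#155:109032/0",
    dissect: {
        tokenizer: "Unable to install ACL '%{listnum->}', downloaded for user %{p0->}",
        field: "nwparser.payload",
    },
});

// User name in single quotes; the text after "Error in ACE: '" goes to p1.
var msg657 = match({
    id: "MESSAGE#155:109032/2",
    dissect: {
        tokenizer: "'%{username->}' ; Error in ACE: '%{p1->}",
        field: "nwparser.p0",
    },
});

// User name written bare.
var msg658 = match({
    id: "MESSAGE#155:109032/2",
    dissect: {
        tokenizer: "%{username->} ; Error in ACE: '%{p1->}",
        field: "nwparser.p0",
    },
});

// Quoted form is listed ahead of the bare one.
var select161 = linear_select([
    msg657,
    msg658,
]);

// Reads the ACE error text up to the closing single quote into result.
var msg659 = match({
    id: "MESSAGE#155:109032/2",
    dissect: {
        tokenizer: "%{result->}'",
        field: "nwparser.p1",
    },
});

// Combines the three stages and tags msg_id1 "109032".
// NOTE(review): the ACL name and ACE text are described as downloaded, so
// they presumably originate from an external policy source - treat listnum
// and result as untrusted strings downstream.
var all176 = all_match({
    processors: [
        msg656,
        select161,
        msg659,
    ],
    on_success: processor_chain([
        dup6,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("109032"),
        }),
        dup2,
        dup3,
        dup4,
        dup5,
    ]),
});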
var msg660 = match({ | |
id: "MESSAGE#262:213003", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup50, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("213003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg661 = match({ | |
id: "MESSAGE#411:313005", | |
dissect: { | |
tokenizer: "No matching connection for ICMP error message: icmp src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} (type %{icmptype->}, code %{icmpcode->}) on %{interface->} interface. Original IP payload:%{info->}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("313005"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("No matching connection for error message"), | |
}), | |
]), | |
}); | |
var msg662 = match({ | |
id: "MESSAGE#683:502111/0", | |
dissect: { | |
tokenizer: "New group policy added: name: %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var all177 = all_match({ | |
processors: [ | |
msg662, | |
dup315, | |
dup316, | |
], | |
on_success: processor_chain([ | |
set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1502030000"), | |
}), | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("502111"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("New group policy added"), | |
}), | |
]), | |
}); | |
var msg663 = match({ | |
id: "MESSAGE#158:109039", | |
dissect: { | |
tokenizer: "uauth_pickapp: Uauth Unproxy Failed due to the reason: %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109039"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Uauth Unproxy Failed"), | |
}), | |
]), | |
}); | |
var msg664 = match({ | |
id: "MESSAGE#286:302007", | |
dissect: { | |
tokenizer: "Built conduit from %{sinterface->}:%{saddr->} to %{dinterface->}:%{daddr->} IP version %{fld1->} protocol %{protocol->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302007"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup193, | |
]), | |
}); | |
var msg665 = match({ | |
id: "MESSAGE#375:305008", | |
dissect: { | |
tokenizer: "Free unallocated global IP address.%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup161, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("305008"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("trying to free unallocated global address"), | |
}), | |
]), | |
}); | |
var msg666 = match({ | |
id: "MESSAGE#622:411002/0", | |
dissect: { | |
tokenizer: "Line protocol on %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var all178 = all_match({ | |
processors: [ | |
msg666, | |
dup266, | |
dup322, | |
dup323, | |
], | |
on_success: processor_chain([ | |
dup324, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("411002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg667 = match({ | |
id: "MESSAGE#648:416001", | |
dissect: { | |
tokenizer: "Dropped UDP SNMP packet from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}; %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("416001"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("dropped UDP SNMP packet"), | |
}), | |
]), | |
}); | |
var msg668 = match({ | |
id: "MESSAGE#1290:313008:01", | |
dissect: { | |
tokenizer: "Denied IPv6-ICMP type=%{icmptype->}, code=%{icmpcode->} from %{saddr->} on interface %{interface->} (where %{fld3->} was an IPv6 source address).", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup24, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("313008:01"), | |
}), | |
dup14, | |
dup2, | |
dup25, | |
dup4, | |
dup5, | |
dup325, | |
]), | |
}); | |
var msg669 = match({ | |
id: "MESSAGE#1291:313008", | |
dissect: { | |
tokenizer: "Denied IPv6-ICMP type=%{icmptype->}, code=%{icmpcode->} from %{saddr->} on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup24, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("313008"), | |
}), | |
dup14, | |
dup2, | |
dup25, | |
dup4, | |
dup5, | |
dup325, | |
]), | |
}); | |
var select162 = linear_select([ | |
msg668, | |
msg669, | |
]); | |
var msg670 = match({ | |
id: "MESSAGE#1300:769001", | |
dissect: { | |
tokenizer: "UPDATE: ASA image %{fld1->} was added to system boot list", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup84, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("769001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("ASA image was added to system boot list"), | |
}), | |
]), | |
}); | |
var msg671 = match({ | |
id: "MESSAGE#190:113013/0", | |
dissect: { | |
tokenizer: "AAA unable to complete the request Error : reason = %{result->}: user = %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var all179 = all_match({ | |
processors: [ | |
msg671, | |
dup238, | |
], | |
on_success: processor_chain([ | |
dup16, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("113013"), | |
}), | |
dup17, | |
dup18, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("AAA unable to complete the request"), | |
}), | |
]), | |
}); | |
var msg672 = match({ | |
id: "MESSAGE#397:308002", | |
dissect: { | |
tokenizer: "static %{fld1->} %{fld2->} %{fld3->} %{fld4->} overlapped with %{fld5->} %{fld6->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("308002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg673 = match({ | |
id: "MESSAGE#402:311002", | |
dissect: { | |
tokenizer: "LU loading standby end%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup326, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("311002"), | |
}), | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("LU loading standby end"), | |
}), | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg674 = match({ | |
id: "MESSAGE#510:400013", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400013"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
var msg675 = match({ | |
id: "MESSAGE#166:111002", | |
dissect: { | |
tokenizer: "Begin configuration: %{hostip->} reading from %{device->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup105, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("111002"), | |
}), | |
dup38, | |
dup327, | |
dup39, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("Begin configuration reading from device"), | |
}), | |
]), | |
}); | |
var msg676 = match({ | |
id: "MESSAGE#780:612001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup166, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("612001"), | |
}), | |
dup13, | |
dup38, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg677 = match({ | |
id: "MESSAGE#1101:718049", | |
dissect: { | |
tokenizer: "Created secure tunnel to peer %{space->} [%{saddr->}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("718049"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Created secure tunnel to peer"), | |
}), | |
]), | |
}); | |
var msg678 = match({ | |
id: "MESSAGE#249:210020", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup161, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("210020"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg679 = match({ | |
id: "MESSAGE#450:323002", | |
dissect: { | |
tokenizer: "Module in slot %{fld1->} is not able to shut down, shut down request not answered.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup49, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("323002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
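// Cisco ASA message 725012 (cipher chosen for an SSL session with a client).
// Two layouts.

// Layout 1: "cipher : <name>" with a single client endpoint; tags msg_id1
// "725012".
// NOTE(review): the chosen cipher is captured into the generic field fld1 in
// both layouts. Unless dup328 (declared elsewhere) copies it to a named
// field, a report on weak ciphers has to read fld1 - confirm.
var msg680 = match({
    id: "MESSAGE#1200:725012",
    dissect: {
        tokenizer: "Device chooses cipher : %{fld1->} for the SSL session with client %{interface->}:%{hostip->}/%{network_port->}",
        field: "nwparser.payload",
    },
    on_success: processor_chain([
        dup20,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("725012"),
        }),
        dup2,
        dup3,
        dup4,
        dup5,
        dup328,
    ]),
});

// Layout 2: no colon after "cipher", and both endpoints are present; tags
// msg_id1 "725012:01". The client lands in saddr/sport here but in
// hostip/network_port in layout 1.
var msg681 = match({
    id: "MESSAGE#1201:725012:01",
    dissect: {
        tokenizer: "Device chooses cipher %{fld1->} for the SSL session with client %{sinterface->}:%{saddr->}/%{sport->} to %{daddr->}/%{dport->}",
        field: "nwparser.payload",
    },
    on_success: processor_chain([
        dup20,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("725012:01"),
        }),
        dup2,
        dup3,
        dup4,
        dup5,
        dup328,
    ]),
});

var select163 = linear_select([
    msg680,
    msg681,
]);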
var msg682 = match({ | |
id: "MESSAGE#1293:713203", | |
dissect: { | |
tokenizer: "IKE Receiver: Error reading from socket.%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup24, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713203"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup25, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("IKE Receiver: Error"), | |
}), | |
]), | |
}); | |
var msg683 = match({ | |
id: "MESSAGE#222:201006", | |
dissect: { | |
tokenizer: "RCMD backconnection failed for %{hostip->}/%{network_port->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup165, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("201006"), | |
}), | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("RCMD back connection failed"), | |
}), | |
dup4, | |
dup5, | |
]), | |
}); | |
var all180 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
dup329, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713218"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup330, | |
]), | |
}); | |
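// Generic fallback patterns. They only split the payload into
// group/level/message-id and a remainder (fld), then tag msg_id1 with a
// CISCOASA_GENERIC_* marker instead of a numeric message id.
// NOTE(review): events that end up here carry no message-specific fields, so
// rules keyed on a numeric msg_id1 will not see them. Tracking the volume of
// CISCOASA_GENERIC_* events is a cheap way to spot gaps in parser coverage.

// With a leading "<group>-" part.
var msg684 = match({
    id: "MESSAGE#1322:CISCOASA_GENERIC_02",
    dissect: {
        tokenizer: "%{group->}-%{level->}-%{p_msgid->}: %{fld->}",
        field: "nwparser.payload",
    },
    on_success: processor_chain([
        dup331,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("CISCOASA_GENERIC_02"),
        }),
        dup4,
        dup332,
        dup333,
        dup334,
    ]),
});

// Without the group part.
var msg685 = match({
    id: "MESSAGE#1323:CISCOASA_GENERIC_01",
    dissect: {
        tokenizer: "%{level->}-%{p_msgid->}: %{fld->}",
        field: "nwparser.payload",
    },
    on_success: processor_chain([
        dup331,
        set_field({
            dest: "nwparser.msg_id1",
            value: constant("CISCOASA_GENERIC_01"),
        }),
        dup4,
        dup332,
        dup333,
        dup334,
    ]),
});

// The three-part pattern is listed ahead of the two-part one.
var select164 = linear_select([
    msg684,
    msg685,
]);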
var msg686 = match({ | |
id: "MESSAGE#41:105034", | |
dissect: { | |
tokenizer: "(%{context->})%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105034"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg687 = match({ | |
id: "MESSAGE#42:105034:01", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105034:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var select165 = linear_select([ | |
msg686, | |
msg687, | |
]); | |
var msg688 = match({ | |
id: "MESSAGE#435:318008", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup94, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("318008"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg689 = match({ | |
id: "MESSAGE#731:604103/0", | |
dissect: { | |
tokenizer: "%{event_description->} (%{saddr->})", | |
field: "nwparser.payload", | |
}, | |
}); | |
var select166 = linear_select([ | |
msg689, | |
dup141, | |
]); | |
var all181 = all_match({ | |
processors: [ | |
select166, | |
], | |
on_success: processor_chain([ | |
dup58, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("604103"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg690 = match({ | |
id: "MESSAGE#1062:717001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup160, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("717001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg691 = match({ | |
id: "MESSAGE#572:403103", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("403103"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg692 = match({ | |
id: "MESSAGE#998:715019/2", | |
dissect: { | |
tokenizer: "%{saddr->}, IKEGetUserAttributes: %{change_attribute->} = %{change_new->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all182 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
msg692, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715019"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup335, | |
]), | |
}); | |
var msg693 = match({ | |
id: "MESSAGE#999:715019:01", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, IKEGetUserAttributes: %{change_attribute->} = %{change_new->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715019:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup335, | |
]), | |
}); | |
var select167 = linear_select([ | |
all182, | |
msg693, | |
]); | |
// 716043 ("Java applet started"): msg694 parses the tail in nwparser.p1 into
// the client address (saddr), network_service and a free-text info field.
var msg694 = match({ | |
id: "MESSAGE#1056:716043/2", | |
dissect: { | |
tokenizer: "%{saddr->}> %{network_service->} Java applet started. %{info->}.", | |
field: "nwparser.p1", | |
}, | |
}); | |
// dup77 and dup78 are shared head matchers defined elsewhere in the file.
// event_description is a fixed string here, not text taken from the log line.
var all183 = all_match({ | |
processors: [ | |
dup77, | |
dup78, | |
msg694, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("716043"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Java applet started"), | |
}), | |
]), | |
}); | |
// 722036 ("Transmitting large packet"): staged parse of nwparser.p1, then p2.
// NOTE(review): msg695, msg696 and msg697 all carry the same id string
// "MESSAGE#1171:722036/3" although msg697 reads a different field. If ids are
// used for tracing or debug output the three are indistinguishable — confirm
// whether ids need to be unique.
// msg695: address followed by a parenthesised value (fld1).
var msg695 = match({ | |
id: "MESSAGE#1171:722036/3", | |
dissect: { | |
tokenizer: "%{saddr->} (%{fld1->})> Transmitting large packet %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// msg696: same line without the parenthesised value.
var msg696 = match({ | |
id: "MESSAGE#1171:722036/3", | |
dissect: { | |
tokenizer: "%{saddr->}> Transmitting large packet %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// The form with "(fld1)" is listed before the plain one.
var select168 = linear_select([ | |
msg695, | |
msg696, | |
]); | |
// Splits the remainder left in nwparser.p2 into a byte count and a
// parenthesised info string.
var msg697 = match({ | |
id: "MESSAGE#1171:722036/3", | |
dissect: { | |
tokenizer: "%{bytes->} (%{info->})", | |
field: "nwparser.p2", | |
}, | |
}); | |
// dup181 and dup182 are shared head matchers defined elsewhere in the file.
var all184 = all_match({ | |
processors: [ | |
dup181, | |
dup182, | |
select168, | |
msg697, | |
], | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722036"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("transmission error transmitting large packet"), | |
}), | |
]), | |
}); | |
// 120001: literal match on "Call-Home Module started"; the tokenizer has no
// named capture, so no field is extracted and event_description is set to a
// fixed string.
var msg698 = match({ | |
id: "MESSAGE#9:120001", | |
dissect: { | |
tokenizer: "Call-Home Module started%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("120001"), | |
}), | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Call-Home Module started"), | |
}), | |
]), | |
}); | |
// 211001: catch-all matcher; the entire payload is stored in
// event_description and nothing else is parsed out of the line.
var msg699 = match({ | |
id: "MESSAGE#252:211001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup165, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("211001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 313003 ("Invalid destination ..."): two layouts of the same event.
// msg700 is the longer form with an extra "destination <fld1>" segment.
// Neither form captures an address field; only result, interface and
// (msg700) fld1 are extracted.
var msg700 = match({ | |
id: "MESSAGE#407:313003", | |
dissect: { | |
tokenizer: "Invalid destination %{result->} destination %{fld1->} on %{interface->} interface. %{space->} Original IP payload", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("313003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup259, | |
dup336, | |
]), | |
}); | |
// Shorter form without the "destination <fld1>" segment; tagged "313003:01".
var msg701 = match({ | |
id: "MESSAGE#408:313003:01", | |
dissect: { | |
tokenizer: "Invalid destination %{result->} on %{interface->} interface. %{space->} Original IP payload", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("313003:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup336, | |
]), | |
}); | |
// The more specific pattern is listed first (presumably the first matching
// alternative wins — confirm against linear_select).
var select169 = linear_select([ | |
msg700, | |
msg701, | |
]); | |
// 338003 (blacklisted traffic): msg702 parses the tail in nwparser.p3.
// It captures protocol, both endpoints (interface, address, port and the
// translated address/port pairs), the list entry the source resolved from
// (fld1..fld3 and mask), and the reported threat level and category, which
// are stored in severity and result.
// The tokenizer starts with "ed ", so the verb stem is expected to have been
// consumed by an earlier stage.
var msg702 = match({ | |
id: "MESSAGE#473:338003/4", | |
dissect: { | |
tokenizer: "ed blacklisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), source %{fld1->} resolved from %{fld2->} list:%{fld3->}/%{mask->} threat-level: %{severity->}, category: %{result->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// dup183, dup184, dup213 and dup214 are shared head matchers defined
// elsewhere in the file; msg702 is the last stage.
var all185 = all_match({ | |
processors: [ | |
dup183, | |
dup184, | |
dup213, | |
dup214, | |
msg702, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338003"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 104002: two layouts, both starting with a parenthesised context.
// msg703 expects the reason in the form "(cause: <result>)."
var msg703 = match({ | |
id: "MESSAGE#22:104002", | |
dissect: { | |
tokenizer: "(%{context->})%{event_description->} (cause: %{result->}).", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup157, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("104002"), | |
}), | |
dup38, | |
dup13, | |
dup39, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// msg704 expects the reason after " - " instead; tagged "104002:01".
var msg704 = match({ | |
id: "MESSAGE#23:104002:01", | |
dissect: { | |
tokenizer: "(%{context->})%{event_description->} - %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup157, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("104002:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Alternatives in listed order: the "(cause: ...)" form, then the " - " form.
var select170 = linear_select([ | |
msg703, | |
msg704, | |
]); | |
// 109003 ("Auth from ... failed"): authentication-failure events.
// msg705 is the fixed layout: source address only, destination address and
// port, the literal reason "(all servers failed)" and the source interface.
var msg705 = match({ | |
id: "MESSAGE#124:109003", | |
dissect: { | |
tokenizer: "Auth from %{saddr->} to %{daddr->}/%{dport->} failed (all servers failed) on interface %{sinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup86, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109003"), | |
}), | |
dup18, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup291, | |
dup337, | |
]), | |
}); | |
// Staged variant ("109003:01"): each stage leaves its remainder in the next
// pN field (payload -> p0 -> p1 -> p2).
var msg706 = match({ | |
id: "MESSAGE#125:109003:01/0", | |
dissect: { | |
tokenizer: "Auth from %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Source with a port ...
var msg707 = match({ | |
id: "MESSAGE#125:109003:01/2", | |
dissect: { | |
tokenizer: "%{saddr->}/%{sport->} to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// ... or source address only.
var msg708 = match({ | |
id: "MESSAGE#125:109003:01/2", | |
dissect: { | |
tokenizer: "%{saddr->} to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select171 = linear_select([ | |
msg707, | |
msg708, | |
]); | |
// Destination with a port ...
var msg709 = match({ | |
id: "MESSAGE#125:109003:01/3", | |
dissect: { | |
tokenizer: "%{daddr->}/%{dport->} failed (%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// ... or destination address only.
var msg710 = match({ | |
id: "MESSAGE#125:109003:01/3", | |
dissect: { | |
tokenizer: "%{daddr->} failed (%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var select172 = linear_select([ | |
msg709, | |
msg710, | |
]); | |
// Failure reason: every server failed ...
// NOTE(review): msg711 and msg712 reuse the id ".../3" of msg709/msg710 even
// though they read nwparser.p2 — confirm whether ids need to be unique.
var msg711 = match({ | |
id: "MESSAGE#125:109003:01/3", | |
dissect: { | |
tokenizer: "all servers failed) %{->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
// ... or one named server failed; its address is stored in hostip.
// NOTE(review): this tokenizer ends in a literal space after ")" where msg711
// ends in "%{->}"; confirm a line that stops at ")" still matches.
var msg712 = match({ | |
id: "MESSAGE#125:109003:01/3", | |
dissect: { | |
tokenizer: "server %{hostip->} failed) ", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select173 = linear_select([ | |
msg711, | |
msg712, | |
]); | |
// Unlike msg705, no stage of this variant captures the interface name.
var all186 = all_match({ | |
processors: [ | |
msg706, | |
select171, | |
select172, | |
select173, | |
], | |
on_success: processor_chain([ | |
dup86, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109003:01"), | |
}), | |
dup18, | |
dup19, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup291, | |
dup337, | |
]), | |
}); | |
// The fixed layout is listed before the staged one (presumably the first
// matching alternative wins — confirm against linear_select).
var select174 = linear_select([ | |
msg705, | |
all186, | |
]); | |
// 713020: captures the peer address, a free-text description that ends at the
// word "payload:", and the remainder of the line in fld1.
var msg713 = match({ | |
id: "MESSAGE#854:713020", | |
dissect: { | |
tokenizer: "IP = %{saddr->}, %{event_description->} payload: %{fld1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup338, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713020"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 713906: four variant groups (all187, all188, all189, msg720) combined by
// select178 at the end of this section.
// msg714..msg716 read nwparser.p0, which is presumably filled by dup339
// (defined elsewhere in the file — confirm). All three share the id ".../1".
// msg714: description followed by flags / refcnt / tuncnt counters.
var msg714 = match({ | |
id: "MESSAGE#975:713906:01/1", | |
dissect: { | |
tokenizer: "%{->} %{event_description->} flags %{fld5->}, refcnt %{fld6->}, tuncnt %{fld7->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// msg715: as msg714 with one extra token (fld9) before "flags".
var msg715 = match({ | |
id: "MESSAGE#975:713906:01/1", | |
dissect: { | |
tokenizer: "%{->} %{event_description->} %{fld9->} flags %{fld5->}, refcnt %{fld6->}, tuncnt %{fld7->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// msg716: description followed by a parenthesised value and a trailing token.
var msg716 = match({ | |
id: "MESSAGE#975:713906:01/1", | |
dissect: { | |
tokenizer: "%{event_description->} (%{fld1->}) %{fld2->} ", | |
field: "nwparser.p0", | |
}, | |
}); | |
// dup340 and dup304 are shared alternatives defined elsewhere in the file.
var select175 = linear_select([ | |
dup340, | |
msg714, | |
msg715, | |
msg716, | |
dup304, | |
]); | |
var all187 = all_match({ | |
processors: [ | |
dup339, | |
select175, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713906:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// "713906:03" variant: same counter layout, captured into fld1..fld3.
var msg717 = match({ | |
id: "MESSAGE#976:713906:03/1", | |
dissect: { | |
tokenizer: "%{event_description->} flags %{fld1->}, refcnt %{fld2->}, tuncnt %{fld3->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Description ending in "for remote peer <fld1>".
var msg718 = match({ | |
id: "MESSAGE#976:713906:03/1", | |
dissect: { | |
tokenizer: "%{event_description->} for remote peer %{fld1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select176 = linear_select([ | |
msg717, | |
dup340, | |
msg718, | |
dup304, | |
]); | |
var all188 = all_match({ | |
processors: [ | |
dup341, | |
select176, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713906:03"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// "Responder:" lines: captures the local TCP port (network_port) and the peer
// TCP port (fld1).
var msg719 = match({ | |
id: "MESSAGE#977:713906/1", | |
dissect: { | |
tokenizer: "%{->}Responder: %{event_description->} TCP port: %{network_port->} peer TCP port: %{fld1->} ", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select177 = linear_select([ | |
msg719, | |
dup304, | |
]); | |
var all189 = all_match({ | |
processors: [ | |
dup342, | |
select177, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713906"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Catch-all for 713906: the whole payload becomes event_description, with no
// address or user field extracted. Tagged "713906:02".
var msg720 = match({ | |
id: "MESSAGE#978:713906:02", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713906:02"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// The catch-all is listed last, so it only applies when none of the
// structured variants match (assuming alternatives are tried in order —
// confirm against linear_select).
var select178 = linear_select([ | |
all187, | |
all188, | |
all189, | |
msg720, | |
]); | |
// 507001 ("Terminating TCP-Proxy connection"): captures both endpoints
// (interface, address, port) and the reason after " - " as result.
// event_description is set to a fixed string.
var msg721 = match({ | |
id: "MESSAGE#702:507001", | |
dissect: { | |
tokenizer: "Terminating TCP-Proxy connection from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} - %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("507001"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("TCP-Proxy connection terminated"), | |
}), | |
]), | |
}); | |
// 715050: captures the peer address; everything after "IP = <addr>, " is
// stored as free text in event_description.
var msg722 = match({ | |
id: "MESSAGE#1023:715050", | |
dissect: { | |
tokenizer: "IP = %{saddr->}, %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715050"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 113014 (AAA server not accessible): staged parse.
// msg723 anchors on "AAA auth" and leaves the rest in nwparser.p0.
var msg723 = match({ | |
id: "MESSAGE#191:113014/0", | |
dissect: { | |
tokenizer: "AAA auth%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// msg724 starts mid-word ("ation"), so the preceding stage (dup343, defined
// elsewhere) presumably consumes the "entic"/"oriz" part — confirm.
// It captures the AAA server address as hostip and leaves the user in p2.
var msg724 = match({ | |
id: "MESSAGE#191:113014/2", | |
dissect: { | |
tokenizer: "ation server not accessible : server = %{hostip->} : user = %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// dup237 is the last stage; it presumably parses the user name out of p2.
var all190 = all_match({ | |
processors: [ | |
msg723, | |
dup343, | |
msg724, | |
dup237, | |
], | |
on_success: processor_chain([ | |
dup86, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("113014"), | |
}), | |
dup17, | |
dup18, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("server not accessible"), | |
}), | |
]), | |
}); | |
// 302001 ("Built ... TCP connection"): five layouts combined by select179.
// Which endpoint is stored as source depends on the direction word, so the
// order of the alternatives matters for saddr/daddr correctness.
// msg725 (inbound): faddr -> saddr/sport, laddr -> daddr/dport; the gaddr
// pair goes to hostip/network_port.
var msg725 = match({ | |
id: "MESSAGE#270:302001", | |
dissect: { | |
tokenizer: "Built inbound TCP connection %{fld1->} for faddr %{saddr->}/%{sport->} gaddr %{hostip->}/%{network_port->} laddr %{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302001"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup192, | |
]), | |
}); | |
// msg726 (outbound): the mapping is reversed, faddr -> daddr/dport and
// laddr -> saddr/sport.
var msg726 = match({ | |
id: "MESSAGE#271:302001:01", | |
dissect: { | |
tokenizer: "Built outbound TCP connection %{fld1->} for faddr %{daddr->}/%{dport->} gaddr %{hostip->}/%{network_port->} laddr %{saddr->}/%{sport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302001:01"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup194, | |
]), | |
}); | |
// msg727 (no direction word): same mapping as the inbound form.
var msg727 = match({ | |
id: "MESSAGE#272:302001:02", | |
dissect: { | |
tokenizer: "Built TCP connection %{fld1->} for faddr %{saddr->}/%{sport->} gaddr %{hostip->}/%{network_port->} laddr %{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302001:02"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// msg728 (outbound, "interface:addr/port (x) to ..." layout): the first
// endpoint is stored as destination, the second as source.
var msg728 = match({ | |
id: "MESSAGE#273:302001:03", | |
dissect: { | |
tokenizer: "Built outbound TCP connection %{fld1->} for %{dinterface->}:%{daddr->}/%{dport->} (%{hostip->}) to %{sinterface->}:%{saddr->}/%{sport->} (%{fld3->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302001:03"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// msg729 (any direction word, captured into direction): the first endpoint is
// stored as source. This pattern would also fit an "outbound" line, with the
// endpoints the other way round from msg728, so it has to stay after msg728.
var msg729 = match({ | |
id: "MESSAGE#274:302001:04", | |
dissect: { | |
tokenizer: "Built %{direction->} TCP connection %{fld1->} for %{sinterface->}:%{saddr->}/%{sport->} (%{hostip->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{fld3->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302001:04"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Alternatives in listed order, most specific first (presumably the first
// matching alternative wins — confirm against linear_select).
var select179 = linear_select([ | |
msg725, | |
msg726, | |
msg727, | |
msg728, | |
msg729, | |
]); | |
// 331001 ("Dynamic DNS Update ... failed"): captures the quoted name as
// domain and the address as hostip; event_description is a fixed string.
// NOTE(review): "\u003c\u003c" decodes to two "<" characters, so the literal
// the tokenizer expects between the name and the address is "<<=>". Confirm
// against a sample log line that the device really emits two "<"; if it emits
// one, this matcher never fires and the event goes unparsed.
var msg730 = match({ | |
id: "MESSAGE#464:331001", | |
dissect: { | |
tokenizer: "Dynamic DNS Update for '%{domain->}' \u003c\u003c=> %{hostip->} failed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup229, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("331001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Dynamic DNS Update failed"), | |
}), | |
]), | |
}); | |
// 500001 ("ActiveX content modified"): captures source and destination
// addresses and the interface name. No event_description is set in this
// chain itself.
var msg731 = match({ | |
id: "MESSAGE#674:500001", | |
dissect: { | |
tokenizer: "ActiveX content modified src %{saddr->} dest %{daddr->} on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup24, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("500001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 113023 (AAA server marked ACTIVE): captures the protocol, the server
// address (hostip) and the aaa-server group name (fld1).
var msg732 = match({ | |
id: "MESSAGE#199:113023", | |
dissect: { | |
tokenizer: "AAA Marking %{protocol->} server %{hostip->} in aaa-server group %{fld1->} as ACTIVE", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup157, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("113023"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("AAA marking Server as ACTIVE"), | |
}), | |
]), | |
}); | |
// 313009 ("Denied invalid ... code"): captures protocol, ICMP code/type/id and
// both endpoints. The parenthesised values after each endpoint go to hostip
// and fld3.
var msg733 = match({ | |
id: "MESSAGE#283:313009", | |
dissect: { | |
tokenizer: "Denied invalid %{protocol->} code %{icmpcode->}, for %{sinterface->}:%{saddr->}/%{sport->} (%{hostip->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{fld3->}), ICMP id %{fld4->}, ICMP type %{icmptype->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("313009"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
]), | |
}); | |
// 409010: catch-all matcher; the entire payload is stored in
// event_description and nothing else is parsed out of the line.
var msg734 = match({ | |
id: "MESSAGE#612:409010", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("409010"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 720029: captures the text after "VPN-" inside the parentheses as context;
// the rest of the line is free text in event_description.
var msg735 = match({ | |
id: "MESSAGE#1125:720029", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720029"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 724003: built entirely from shared matchers (dup77, dup78, dup168) defined
// elsewhere in the file; which fields are extracted cannot be read off this
// block.
var all191 = all_match({ | |
processors: [ | |
dup77, | |
dup78, | |
dup168, | |
], | |
on_success: processor_chain([ | |
dup169, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("724003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 106014 ("Deny <direction> icmp ..."): staged parse.
// msg736 captures the direction word and leaves the rest in nwparser.p0.
var msg736 = match({ | |
id: "MESSAGE#79:106014/0", | |
dissect: { | |
tokenizer: "Deny %{direction->} %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// The protocol keyword is accepted in upper case ...
var msg737 = match({ | |
id: "MESSAGE#79:106014/2", | |
dissect: { | |
tokenizer: "ICMP%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// ... or lower case. Mixed case such as "Icmp" matches neither alternative.
var msg738 = match({ | |
id: "MESSAGE#79:106014/2", | |
dissect: { | |
tokenizer: "icmp%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select180 = linear_select([ | |
msg737, | |
msg738, | |
]); | |
// Endpoints (interface and address, no ports) plus ICMP type and code.
// NOTE(review): this stage reads nwparser.p1 but reuses the id ".../2" of the
// two p0 matchers above — confirm whether ids need to be unique.
var msg739 = match({ | |
id: "MESSAGE#79:106014/2", | |
dissect: { | |
tokenizer: "%{->}src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} (type %{icmptype->}, code %{icmpcode->})", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all192 = all_match({ | |
processors: [ | |
msg736, | |
select180, | |
msg739, | |
], | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106014"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup259, | |
dup196, | |
]), | |
}); | |
// 713060: built entirely from shared matchers (dup22, dup23, dup329) defined
// elsewhere in the file; which fields are extracted cannot be read off this
// block.
var all193 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
dup329, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713060"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup330, | |
]), | |
}); | |
// 720025: captures the text after "VPN-" as context and the rest of the line
// as event_description. The tokenizer requires a trailing "." on the line.
var msg740 = match({ | |
id: "MESSAGE#1121:720025", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720025"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 720045: captures the text after "VPN-" as context and the rest of the line
// as free text in event_description.
var msg741 = match({ | |
id: "MESSAGE#1137:720045", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720045"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 303005 (strict FTP inspection): only matches lines naming "Class 25"; the
// class number is part of the literal text, so a line naming any other class
// does not match this tokenizer. Captures info and the action taken (result).
var msg742 = match({ | |
id: "MESSAGE#350:303005", | |
dissect: { | |
tokenizer: "Strict FTP inspection matched Class 25: %{info->}, %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("303005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Strict FTP inspection matched Class 25"), | |
}), | |
]), | |
}); | |
// 400000: captures product and signature id (split on the first ":"), a
// context token, source and destination addresses, and the interface, which
// is stored as dinterface.
// dup27..dup30 are shared post-processing steps defined elsewhere in the file.
var msg743 = match({ | |
id: "MESSAGE#497:400000", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400000"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
// 735012 (power supply fan failure): captures the power supply number into
// dclass_counter1; event_description is a fixed string.
var msg744 = match({ | |
id: "MESSAGE#1226:735012", | |
dissect: { | |
tokenizer: "Power Supply %{dclass_counter1->}: Fan Failure Detected", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("735012"), | |
}), | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Power Supply Fan Failure Detected"), | |
}), | |
]), | |
}); | |
// 620001 ("Pre-allocate CTIQBE ... secondary channel"): staged parse with a
// catch-all fallback (msg750).
// msg745 anchors on the literal prefix and leaves the rest in nwparser.p0.
var msg745 = match({ | |
id: "MESSAGE#797:620001:01/0", | |
dissect: { | |
tokenizer: "Pre-allocate CTIQBE RT%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Single-alternative select; dup344 is defined elsewhere in the file.
var select181 = linear_select([ | |
dup344, | |
]); | |
// Captures the source interface and leaves the rest in nwparser.p2.
var msg746 = match({ | |
id: "MESSAGE#797:620001:01/2", | |
dissect: { | |
tokenizer: "P secondary channel for %{sinterface->}: %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Destination with a port ...
// NOTE(review): msg747, msg748 and msg749 share the id ".../6" although
// msg749 reads a different field — confirm whether ids need to be unique.
var msg747 = match({ | |
id: "MESSAGE#797:620001:01/6", | |
dissect: { | |
tokenizer: "%{daddr->}/%{dport->} from %{p5->}", | |
field: "nwparser.p4", | |
}, | |
}); | |
// ... or destination address only.
var msg748 = match({ | |
id: "MESSAGE#797:620001:01/6", | |
dissect: { | |
tokenizer: "%{daddr->} from %{p5->}", | |
field: "nwparser.p4", | |
}, | |
}); | |
var select182 = linear_select([ | |
msg747, | |
msg748, | |
]); | |
// Whatever follows "from" is stored unparsed in fld1.
var msg749 = match({ | |
id: "MESSAGE#797:620001:01/6", | |
dissect: { | |
tokenizer: "%{fld1->}", | |
field: "nwparser.p5", | |
}, | |
}); | |
// dup345 and dup346 sit between the p2 and p4 stages; they are defined
// elsewhere in the file and presumably fill nwparser.p4 — confirm.
var all194 = all_match({ | |
processors: [ | |
msg745, | |
select181, | |
msg746, | |
dup345, | |
dup346, | |
select182, | |
msg749, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("620001:01"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup347, | |
]), | |
}); | |
// Catch-all for 620001: the whole payload becomes event_description.
var msg750 = match({ | |
id: "MESSAGE#798:620001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("620001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Structured parse first, catch-all second (presumably the first matching
// alternative wins — confirm against linear_select).
var select183 = linear_select([ | |
all194, | |
msg750, | |
]); | |
// 752003 ("Tunnel Manager dispatching a ..."): captures what is dispatched
// into info; the tokenizer requires a trailing "." on the line.
var msg751 = match({ | |
id: "MESSAGE#1297:752003", | |
dissect: { | |
tokenizer: "Tunnel Manager dispatching a %{info->}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("752003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Tunnel Manager dispatching"), | |
}), | |
]), | |
}); | |
// 199008 ("Scheduled reload ... cancelled by ..."): staged parse.
// msg752 captures the reload time into fld1 and leaves the actor in p0.
var msg752 = match({ | |
id: "MESSAGE#209:199008/0", | |
dissect: { | |
tokenizer: "Scheduled reload for %{fld1->} cancelled by %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Stores whatever is left in nwparser.p1 as fld2.
var msg753 = match({ | |
id: "MESSAGE#209:199008/2", | |
dissect: { | |
tokenizer: "%{fld2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// dup104 (defined elsewhere) sits between the two stages; it presumably
// parses who cancelled the reload out of p0 and fills p1 — confirm.
// NOTE(review): the fixed description "Scheduled reload" does not say that
// the reload was cancelled; anyone alerting on this text should key on
// msg_id1 instead.
var all195 = all_match({ | |
processors: [ | |
msg752, | |
dup104, | |
msg753, | |
], | |
on_success: processor_chain([ | |
dup166, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("199008"), | |
}), | |
dup17, | |
dup13, | |
dup38, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Scheduled reload"), | |
}), | |
dup4, | |
dup5, | |
]), | |
}); | |
// 305004 ("Teardown portmap translation"): the global pair is stored in
// hostip/network_port and the local pair in daddr/dport. No source address
// field is populated by this matcher.
var msg754 = match({ | |
id: "MESSAGE#366:305004", | |
dissect: { | |
tokenizer: "Teardown portmap translation for global %{hostip->}/%{network_port->} local %{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("305004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("teardown portmap translation"), | |
}), | |
]), | |
}); | |
// 409002 ("external LSA"): captures the text before ":" as fld1, the LSA
// address as hostip and the remainder as fld.
var msg755 = match({ | |
id: "MESSAGE#604:409002", | |
dissect: { | |
tokenizer: "%{fld1->}: external LSA %{hostip->} %{fld->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup50, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("409002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 615001: catch-all matcher; the entire payload is stored in
// event_description and nothing else is parsed out of the line.
var msg756 = match({ | |
id: "MESSAGE#788:615001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("615001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 716001 ("session started"): msg757 parses the tail in nwparser.p1 into the
// client address (saddr) and the service name (network_service).
var msg757 = match({ | |
id: "MESSAGE#1045:716001/2", | |
dissect: { | |
tokenizer: "%{saddr->}> %{network_service->} session started", | |
field: "nwparser.p1", | |
}, | |
}); | |
// dup77 and dup78 are shared head matchers defined elsewhere in the file;
// they presumably capture the group/user part of the line — confirm.
var all196 = all_match({ | |
processors: [ | |
dup77, | |
dup78, | |
msg757, | |
], | |
on_success: processor_chain([ | |
dup82, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("716001"), | |
}), | |
dup18, | |
dup17, | |
dup106, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("session started"), | |
}), | |
]), | |
}); | |
// 212005 (request exceeds data buffer size): staged parse.
// msg758 captures direction, protocol and the request size in bytes.
var msg758 = match({ | |
id: "MESSAGE#258:212005/0", | |
dissect: { | |
tokenizer: "%{direction->} %{protocol->} request (%{bytes->} bytes) %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Long form: requester address, port and quoted interface name.
var msg759 = match({ | |
id: "MESSAGE#258:212005/2", | |
dissect: { | |
tokenizer: "from IP address %{saddr->} Port %{sport->} Interface \"%{interface->}\" exceeds data buffer %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Short form: interface only, so saddr and sport stay unset for these lines.
var msg760 = match({ | |
id: "MESSAGE#258:212005/2", | |
dissect: { | |
tokenizer: "on interface %{interface->} exceeds data buffer %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select184 = linear_select([ | |
msg759, | |
msg760, | |
]); | |
// The keyword is accepted in upper case ...
var msg761 = match({ | |
id: "MESSAGE#258:212005/3", | |
dissect: { | |
tokenizer: "SIZE%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// ... or lower case.
var msg762 = match({ | |
id: "MESSAGE#258:212005/3", | |
dissect: { | |
tokenizer: "size%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var select185 = linear_select([ | |
msg761, | |
msg762, | |
]); | |
// Action taken, after the comma, stored as result.
var msg763 = match({ | |
id: "MESSAGE#258:212005/3", | |
dissect: { | |
tokenizer: ", %{result->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
// NOTE(review): the fixed description says "incoming request" although the
// direction word is captured from the line rather than fixed — confirm the
// text holds for every value of direction.
var all197 = all_match({ | |
processors: [ | |
msg758, | |
select184, | |
select185, | |
msg763, | |
], | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("212005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("incoming request exceeds data buffer size"), | |
}), | |
]), | |
}); | |
// 508001 (DCERPC non-standard major version): staged parse.
var msg764 = match({ | |
id: "MESSAGE#705:508001/0", | |
dissect: { | |
tokenizer: "DCERPC %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// The word after "DCERPC" may be "unknown" ...
var msg765 = match({ | |
id: "MESSAGE#705:508001/2", | |
dissect: { | |
tokenizer: "unknown%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// ... or "request". Neither alternative records which word was seen.
var msg766 = match({ | |
id: "MESSAGE#705:508001/2", | |
dissect: { | |
tokenizer: "request%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select186 = linear_select([ | |
msg765, | |
msg766, | |
]); | |
// Captures the reported version, both endpoints and the action (result).
var msg767 = match({ | |
id: "MESSAGE#705:508001/2", | |
dissect: { | |
tokenizer: "%{->}non-standard major version %{version->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}, %{result->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// NOTE(review): the fixed description always says "unknown", including when
// the "request" alternative (msg766) matched. Confirm this is intended before
// relying on event_description to tell the two apart.
var all198 = all_match({ | |
processors: [ | |
msg764, | |
select186, | |
msg767, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("508001"), | |
}), | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("DCERPC unknown non-standard major version on connection"), | |
}), | |
]), | |
}); | |
// 611316: catch-all matcher; the entire payload is stored in
// event_description. dup59, dup60, dup7 and dup38 are shared processors
// defined elsewhere in the file.
var msg768 = match({ | |
id: "MESSAGE#772:611316", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup59, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611316"), | |
}), | |
dup7, | |
dup60, | |
dup38, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 713172 ("Automatic NAT Detection Status"): three alternative prefixes for
// the text held in nwparser.p0. All three share the id ".../2".
// msg769: prefix carries a user name.
var msg769 = match({ | |
id: "MESSAGE#917:713172/2", | |
dissect: { | |
tokenizer: "Username = %{username->}, IP = %{saddr->}, Automatic NAT Detection Status:%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// msg770: prefix carries a group name instead.
var msg770 = match({ | |
id: "MESSAGE#917:713172/2", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, Automatic NAT Detection Status:%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// msg771: address only.
var msg771 = match({ | |
id: "MESSAGE#917:713172/2", | |
dissect: { | |
tokenizer: "IP = %{saddr->}, Automatic NAT Detection Status:%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// A line carrying both "Group = ..." and "Username = ..." matches none of
// the three tokenizers as written, since each anchors at the start of p0.
var select187 = linear_select([ | |
msg769, | |
msg770, | |
msg771, | |
]); | |
// dup44 and dup48 are the surrounding stages, defined elsewhere in the file.
var all199 = all_match({ | |
processors: [ | |
dup44, | |
select187, | |
dup48, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713172"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 108006 (size violation): captures the service name, both endpoints and the
// action taken (result).
// NOTE(review): the service name is captured from the line into
// network_service, but the fixed description hard-codes "ESMTP" — confirm the
// two always agree.
var msg772 = match({ | |
id: "MESSAGE#121:108006", | |
dissect: { | |
tokenizer: "Detected %{network_service->} size violation from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}; %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup256, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("108006"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Detected ESMTP size violation"), | |
}), | |
]), | |
}); | |
// 302020 ("Built inbound ICMP connection"): staged parse of the faddr, gaddr
// and laddr parts (payload -> p0 -> p1 -> p2). For this inbound form faddr is
// stored as source and laddr as destination.
var msg773 = match({ | |
id: "MESSAGE#325:302020/0", | |
dissect: { | |
tokenizer: "Built inbound ICMP connection for faddr %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// faddr alternatives, most specific first. "\\" in the tokenizer is a single
// literal backslash, so msg774 expects "(DOMAIN\name)" after the port; the
// part after the backslash is stored in fld1, not in username.
var msg774 = match({ | |
id: "MESSAGE#325:302020/2", | |
dissect: { | |
tokenizer: "%{saddr->}/%{sport->}(%{domain->}\\%{fld1->}) gaddr %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Address/port with a parenthesised value that has no backslash.
var msg775 = match({ | |
id: "MESSAGE#325:302020/2", | |
dissect: { | |
tokenizer: "%{saddr->}/%{sport->}(%{fld20->}) gaddr %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Address/port only.
var msg776 = match({ | |
id: "MESSAGE#325:302020/2", | |
dissect: { | |
tokenizer: "%{saddr->}/%{sport->} gaddr %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Address with a parenthesised value, no port.
var msg777 = match({ | |
id: "MESSAGE#325:302020/2", | |
dissect: { | |
tokenizer: "%{saddr->}(%{fld11->}) gaddr %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Address only.
var msg778 = match({ | |
id: "MESSAGE#325:302020/2", | |
dissect: { | |
tokenizer: "%{saddr->} gaddr %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Order matters here: the bare "%{saddr->} gaddr" pattern would also fit the
// longer forms, so it has to stay last (assuming the first matching
// alternative wins — confirm against linear_select).
var select188 = linear_select([ | |
msg774, | |
msg775, | |
msg776, | |
msg777, | |
msg778, | |
]); | |
// gaddr part: address into hostip, the value after "/" into fld4.
var msg779 = match({ | |
id: "MESSAGE#325:302020/3", | |
dissect: { | |
tokenizer: "%{hostip->}/%{fld4->} laddr %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// dup348 is the fallback for the gaddr part, defined elsewhere in the file.
var select189 = linear_select([ | |
msg779, | |
dup348, | |
]); | |
// laddr alternatives, most specific first. All six share the id ".../3" with
// msg779 although they read nwparser.p2.
// With a parenthesised value and ICMP type/code.
var msg780 = match({ | |
id: "MESSAGE#325:302020/3", | |
dissect: { | |
tokenizer: "%{daddr->}/%{dport->} (%{fld12->}) type %{icmptype->} code %{icmpcode->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
// With ICMP type/code only.
var msg781 = match({ | |
id: "MESSAGE#325:302020/3", | |
dissect: { | |
tokenizer: "%{daddr->}/%{dport->} type %{icmptype->} code %{icmpcode->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
// With a parenthesised value stored as username.
var msg782 = match({ | |
id: "MESSAGE#325:302020/3", | |
dissect: { | |
tokenizer: "%{daddr->}/%{dport->}(%{username->})", | |
field: "nwparser.p2", | |
}, | |
}); | |
// Address/port only.
var msg783 = match({ | |
id: "MESSAGE#325:302020/3", | |
dissect: { | |
tokenizer: "%{daddr->}/%{dport->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
// Address with a parenthesised value, no port.
var msg784 = match({ | |
id: "MESSAGE#325:302020/3", | |
dissect: { | |
tokenizer: "%{daddr->}(%{fld10->})", | |
field: "nwparser.p2", | |
}, | |
}); | |
// Address only.
var msg785 = match({ | |
id: "MESSAGE#325:302020/3", | |
dissect: { | |
tokenizer: "%{daddr->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select190 = linear_select([ | |
msg780, | |
msg781, | |
msg782, | |
msg783, | |
msg784, | |
msg785, | |
]); | |
// Note that this chain lists dup35 where the neighbouring chains list dup3.
var all200 = all_match({ | |
processors: [ | |
msg773, | |
select188, | |
select189, | |
select190, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302020"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup35, | |
dup4, | |
dup5, | |
dup192, | |
]), | |
}); | |
// ---- Message 302020, "Built outbound ICMP connection" (variants :04, :03) ----
// For the outbound form the mapping is the reverse of the inbound one: the
// "faddr" value becomes daddr/dport and the "laddr" value becomes saddr/sport.
// Anything that compares the two directions has to account for this swap.

// Variant :04, stage 0: requires a "(domain\username)" suffix on the foreign
// address. The local port and whatever follows it are left in p0.
var msg786 = match({ | |
id: "MESSAGE#326:302020:04/0", | |
dissect: { | |
tokenizer: "Built outbound ICMP connection for faddr %{daddr->}/%{dport->}(%{domain->}\\%{username->}) gaddr %{hostip->}/%{fld4->} laddr %{saddr->}/%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Variant :04, stage 1: local port followed by a parenthesised value.
var msg787 = match({ | |
id: "MESSAGE#326:302020:04/1", | |
dissect: { | |
tokenizer: "%{sport->}(%{fld10->})", | |
field: "nwparser.p0", | |
}, | |
}); | |
// dup349 and dup350 are further stage-1 alternatives declared elsewhere.
var select191 = linear_select([ | |
msg787, | |
dup349, | |
dup350, | |
]); | |
var all201 = all_match({ | |
processors: [ | |
msg786, | |
select191, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302020:04"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup35, | |
dup4, | |
dup5, | |
dup194, | |
]), | |
}); | |
// Variant :03, stage 0: same layout as :04 but without the user suffix on the
// foreign address.
var msg788 = match({ | |
id: "MESSAGE#327:302020:03/0", | |
dissect: { | |
tokenizer: "Built outbound ICMP connection for faddr %{daddr->}/%{dport->} gaddr %{hostip->}/%{fld4->} laddr %{saddr->}/%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Variant :03, stage 1 alternatives, all reading p0 and sharing one id.
var msg789 = match({ | |
id: "MESSAGE#327:302020:03/1", | |
dissect: { | |
tokenizer: "%{sport->}(%{domain->}\\%{username->})", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg790 = match({ | |
id: "MESSAGE#327:302020:03/1", | |
dissect: { | |
tokenizer: "%{sport->}(%{fld20->}) type %{icmptype->} code %{icmpcode->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg791 = match({ | |
id: "MESSAGE#327:302020:03/1", | |
dissect: { | |
tokenizer: "%{sport->}(%{username->})", | |
field: "nwparser.p0", | |
}, | |
}); | |
// msg789 (domain\username) is listed before msg791 (username only).
// NOTE(review): msg791 has no backslash in its pattern, so it would presumably
// also accept a "domain\user" value and store it whole in username. Keep the
// more specific entry first.
var select192 = linear_select([ | |
msg789, | |
msg790, | |
dup349, | |
msg791, | |
dup350, | |
]); | |
var all202 = all_match({ | |
processors: [ | |
msg788, | |
select192, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302020:03"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup35, | |
dup4, | |
dup5, | |
dup194, | |
]), | |
}); | |
// ---- Message 302020, variant :05 (inbound, two stages) ----
// Stage 0 captures the foreign address as saddr/sport and the "gaddr" value as
// hostip/fld4. The local address part is left in p0.
var msg792 = match({ | |
id: "MESSAGE#328:302020:05/0", | |
dissect: { | |
tokenizer: "Built inbound ICMP connection for faddr %{saddr->}/%{sport->} gaddr %{hostip->}/%{fld4->} laddr %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Stage 1 alternatives: local address/port with or without a parenthesised
// suffix. Both share the id "MESSAGE#328:302020:05/1".
var msg793 = match({ | |
id: "MESSAGE#328:302020:05/1", | |
dissect: { | |
tokenizer: "%{daddr->}/%{dport->}(%{fld10->})", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg794 = match({ | |
id: "MESSAGE#328:302020:05/1", | |
dissect: { | |
tokenizer: "%{daddr->}/%{dport->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select193 = linear_select([ | |
msg793, | |
msg794, | |
]); | |
// Records msg_id1 = "302020:05". This chain uses dup3 where all200, all201 and
// all202 use dup35; what either processor does is not visible in this section.
var all203 = all_match({ | |
processors: [ | |
msg792, | |
select193, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302020:05"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup192, | |
]), | |
}); | |
// ---- Message 302020, variant :01 (outbound, addresses without ports) ----
// Stage 0: fixed prefix; the rest of the line is left in p0.
var msg795 = match({ | |
id: "MESSAGE#329:302020:01/0", | |
dissect: { | |
tokenizer: "Built outbound ICMP connection for faddr %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Stage 1 alternatives: the foreign address (stored as daddr) with or without
// a parenthesised suffix. The text after " gaddr " is left in p1.
var msg796 = match({ | |
id: "MESSAGE#329:302020:01/2", | |
dissect: { | |
tokenizer: "%{daddr->}(%{fld10->}) gaddr %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg797 = match({ | |
id: "MESSAGE#329:302020:01/2", | |
dissect: { | |
tokenizer: "%{daddr->} gaddr %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select194 = linear_select([ | |
msg796, | |
msg797, | |
]); | |
// Final stage alternatives: the local address (stored as saddr), read from p2.
var msg798 = match({ | |
id: "MESSAGE#329:302020:01/3", | |
dissect: { | |
tokenizer: "%{saddr->}(%{fld11->})", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg799 = match({ | |
id: "MESSAGE#329:302020:01/3", | |
dissect: { | |
tokenizer: "%{saddr->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select195 = linear_select([ | |
msg798, | |
msg799, | |
]); | |
// select194 writes p1 and select195 reads p2. dup348, declared elsewhere, sits
// between them, so it is presumably the step that consumes p1 and fills p2
// (confirm against its definition).
var all204 = all_match({ | |
processors: [ | |
msg795, | |
select194, | |
dup348, | |
select195, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302020:01"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup194, | |
]), | |
}); | |
// ---- Message 302020, variant :02 (no direction keyword, no ports) ----
// The text carries no "inbound"/"outbound" word; this pattern stores the
// "faddr" value in saddr and the "laddr" value in daddr, i.e. the same mapping
// the inbound variants use.
var msg800 = match({ | |
id: "MESSAGE#330:302020:02", | |
dissect: { | |
tokenizer: "Built ICMP connection for faddr %{saddr->} gaddr %{hostip->} laddr %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302020:02"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Entry point for every 302020 variant defined above.
// NOTE(review): all200 and all203 both begin with "Built inbound ICMP
// connection for faddr". If linear_select stops at the first match (it is
// defined elsewhere; confirm), all203 is reached only for lines that all200
// rejects, and msg_id1 will read "302020" rather than "302020:05" for the rest.
var select196 = linear_select([ | |
all200, | |
all201, | |
all202, | |
all203, | |
all204, | |
msg800, | |
]); | |
// Parser for message id 419002. Everything before " from " is stored in
// action, followed by the source and destination interface/address/port
// triples. The literal tail "with different initial sequence number" must be
// present for the pattern to match.
var msg801 = match({ | |
id: "MESSAGE#654:419002", | |
dissect: { | |
tokenizer: "%{action->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} with different initial sequence number", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("419002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg802 = match({ | |
id: "MESSAGE#909:713149", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, Hardware client security attribute %{change_attribute->} was enabled but not requested", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713149"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Hardware client security attribute was enabled but not requested"), | |
}), | |
]), | |
}); | |
// Parser for message id 722006 (invalid address assigned to an SVC
// connection). Captures group, username, the client address (saddr) and the
// rejected address (daddr).
// NOTE(review): "\u003c" is "<", so each value must be preceded by two literal
// "<" characters and followed by a single ">". If the device writes only one
// "<" the pattern never matches and these events go unparsed. Verify against
// real 722006 samples.
var msg803 = match({ | |
id: "MESSAGE#1156:722006", | |
dissect: { | |
tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> Invalid address \u003c\u003c%{daddr->}> assigned to SVC connection", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722006"), | |
}), | |
dup7, | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Invalid address assigned to SVC connection"), | |
}), | |
]), | |
}); | |
// Parser for message id 733103 (host removed from the threat-detection shun
// list). The host is stored in hostip, not in saddr or daddr. Queries that
// pair shun removals with traffic for the same address have to read hostip.
var msg804 = match({ | |
id: "MESSAGE#1213:733103", | |
dissect: { | |
tokenizer: "Threat-detection removes host %{hostip->} from shun list", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup94, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("733103"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Parser for message id 746018. Captures the application name, then the
// domain and group on either side of the separator.
// NOTE(review): the separator is written "\\\\", i.e. two literal backslashes
// in the log line. The 302020 patterns in this file (msg774, msg786, msg789)
// use "\\", a single backslash, for the domain separator. Confirm which form
// the device actually emits here.
// NOTE(review): unlike the neighbouring parsers, this chain runs neither dup2,
// dup4 nor dup5, so whatever they populate is presumably absent on these
// events.
var msg805 = match({ | |
id: "MESSAGE#1261:746018", | |
dissect: { | |
tokenizer: "%{application->}: Update import-user %{domain->}\\\\%{group->} done", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("746018"), | |
}), | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Update import-user done"), | |
}), | |
]), | |
}); | |
// ---- Message 109020 (downloaded ACL has a config error) ----
// dup96, declared elsewhere, is the first stage; the patterns below continue
// from p0 and then p1.
// NOTE(review): all four patterns carry the id "MESSAGE#144:109020/2", although
// two of them read p0 and two read p1.

// ACL name, quoted or unquoted; the text after "ACE " is left in p1.
var msg806 = match({ | |
id: "MESSAGE#144:109020/2", | |
dissect: { | |
tokenizer: "'%{listnum->}' has config error; ACE %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg807 = match({ | |
id: "MESSAGE#144:109020/2", | |
dissect: { | |
tokenizer: "%{listnum->} has config error; ACE %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// The quoted form is listed first; the unquoted pattern has no quote
// characters and would presumably keep them inside listnum.
var select197 = linear_select([ | |
msg806, | |
msg807, | |
]); | |
// Tail of the message: either a quoted ACE text stored in info, or filler.
// Both tokenizers end in a literal space, which is part of the pattern.
var msg808 = match({ | |
id: "MESSAGE#144:109020/2", | |
dissect: { | |
tokenizer: ": '%{info->}' ", | |
field: "nwparser.p1", | |
}, | |
}); | |
var msg809 = match({ | |
id: "MESSAGE#144:109020/2", | |
dissect: { | |
tokenizer: "%{space->} ", | |
field: "nwparser.p1", | |
}, | |
}); | |
var select198 = linear_select([ | |
msg808, | |
msg809, | |
]); | |
// Records msg_id1 = "109020" and a fixed result text; the remaining entries
// are shared processors declared elsewhere.
var all205 = all_match({ | |
processors: [ | |
dup96, | |
select197, | |
select198, | |
], | |
on_success: processor_chain([ | |
dup6, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109020"), | |
}), | |
dup38, | |
dup39, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("Downloaded ACL has config error"), | |
}), | |
]), | |
}); | |
var msg810 = match({ | |
id: "MESSAGE#782:612003", | |
dissect: { | |
tokenizer: "Auto Update failed to contact:%{url->}, reason:%{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup41, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("612003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg811 = match({ | |
id: "MESSAGE#1272:752008", | |
dissect: { | |
tokenizer: "Duplicate entry already in Tunnel Manager%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("752008"), | |
}), | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Duplicate entry already in Tunnel Manager"), | |
}), | |
]), | |
}); | |
var msg812 = match({ | |
id: "MESSAGE#234:203001", | |
dissect: { | |
tokenizer: "%{info->} Error: No Key SPI %{fld1->} SRC %{saddr->} DEST %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup160, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("203001"), | |
}), | |
dup11, | |
dup12, | |
dup87, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("No Key SPI"), | |
}), | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg813 = match({ | |
id: "MESSAGE#493:338307", | |
dissect: { | |
tokenizer: "Failed to decrypt downloaded dynamic filter database file%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup338, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338307"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg814 = match({ | |
id: "MESSAGE#693:505004", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup351, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("505004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg815 = match({ | |
id: "MESSAGE#938:713225", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, Static Crypto Map check, map %{fld1->}, seq = %{fld2->} is a successful match", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713225"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup8, | |
]), | |
}); | |
var msg816 = match({ | |
id: "MESSAGE#495:338309", | |
dissect: { | |
tokenizer: "The license on this ASA does not support dynamic filter updater feature.%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup338, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338309"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg817 = match({ | |
id: "MESSAGE#668:444102", | |
dissect: { | |
tokenizer: "%{result->}. License server is not responding", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("444102"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("License server is not responding"), | |
}), | |
]), | |
}); | |
var all206 = all_match({ | |
processors: [ | |
dup352, | |
dup353, | |
dup354, | |
], | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg818 = match({ | |
id: "MESSAGE#1220:734004", | |
dissect: { | |
tokenizer: "DAP: Processing error: Code %{resultcode->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("734004"), | |
}), | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("DAP: Processing error"), | |
}), | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg819 = match({ | |
id: "MESSAGE#339:302025", | |
dissect: { | |
tokenizer: "Teardown stub %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} duration %{duration->} forwarded bytes %{bytes->} %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302025"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup306, | |
]), | |
}); | |
var msg820 = match({ | |
id: "MESSAGE#601:408001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("408001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg821 = match({ | |
id: "MESSAGE#720:603101", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("603101"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg822 = match({ | |
id: "MESSAGE#284:302006", | |
dissect: { | |
tokenizer: "Teardown UDP connection for faddr %{saddr->}/%{sport->} gaddr %{hostip->}/%{network_port->} laddr %{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302006"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup149, | |
dup170, | |
]), | |
}); | |
var msg823 = match({ | |
id: "MESSAGE#285:302006:01", | |
dissect: { | |
tokenizer: "Teardown UDP connection %{fld1->} for %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} duration %{duration->} bytes %{bytes->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302006:01"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup149, | |
dup170, | |
]), | |
}); | |
var select199 = linear_select([ | |
msg822, | |
msg823, | |
]); | |
// ---- Message 401005 (shun add failed) ----
// dup162 and dup279, declared elsewhere, are the first two stages; msg824
// continues from p1 and leaves the shunned endpoint description in p2.
var msg824 = match({ | |
id: "MESSAGE#553:401005/2", | |
dissect: { | |
tokenizer: "%{->}add failed: unable to allocate resources for %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Endpoint description, long form: four space-separated values stored as
// saddr, daddr, sport, dport. The tokenizer ends in a literal space.
var msg825 = match({ | |
id: "MESSAGE#553:401005/3", | |
dissect: { | |
tokenizer: "%{saddr->} %{daddr->} %{sport->} %{dport->} ", | |
field: "nwparser.p2", | |
}, | |
}); | |
// Endpoint description, short form: a single address stored in hostip.
var msg826 = match({ | |
id: "MESSAGE#553:401005/3", | |
dissect: { | |
tokenizer: "%{hostip->} ", | |
field: "nwparser.p2", | |
}, | |
}); | |
// The long form is listed first. Depending on which form the device logs, the
// address is found in saddr or in hostip, so searches for a shunned host need
// to cover both fields.
var select200 = linear_select([ | |
msg825, | |
msg826, | |
]); | |
var all207 = all_match({ | |
processors: [ | |
dup162, | |
dup279, | |
msg824, | |
select200, | |
], | |
on_success: processor_chain([ | |
dup165, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("401005"), | |
}), | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("Shun add failed"), | |
}), | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg827 = match({ | |
id: "MESSAGE#565:402124", | |
dissect: { | |
tokenizer: "CRYPTO: The %{product->} encountered an error (%{info->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup355, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("402124"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup356, | |
]), | |
}); | |
// Parser for message id 106022 (connection denied as a spoof). Captures the
// protocol, the source and destination addresses and the interface.
// The message text itself calls the connection a spoof, so saddr holds the
// address the packet claimed to come from. Treat it as unverified when
// attributing activity to a host.
var msg828 = match({ | |
id: "MESSAGE#90:106022", | |
dissect: { | |
tokenizer: "Deny %{protocol->} connection spoof from %{saddr->} to %{daddr->} on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106022"), | |
}), | |
dup99, | |
dup320, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
]), | |
}); | |
var msg829 = match({ | |
id: "MESSAGE#179:113003/0", | |
dissect: { | |
tokenizer: "AAA group policy for user %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg830 = match({ | |
id: "MESSAGE#179:113003/2", | |
dissect: { | |
tokenizer: "'%{username->}' is being set to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg831 = match({ | |
id: "MESSAGE#179:113003/2", | |
dissect: { | |
tokenizer: "%{username->} is being set to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select201 = linear_select([ | |
msg830, | |
msg831, | |
]); | |
var msg832 = match({ | |
id: "MESSAGE#179:113003/2", | |
dissect: { | |
tokenizer: "%{policyname->}. ", | |
field: "nwparser.p1", | |
}, | |
}); | |
var msg833 = match({ | |
id: "MESSAGE#179:113003/2", | |
dissect: { | |
tokenizer: "%{policyname->} ", | |
field: "nwparser.p1", | |
}, | |
}); | |
var select202 = linear_select([ | |
msg832, | |
msg833, | |
]); | |
var all208 = all_match({ | |
processors: [ | |
msg829, | |
select201, | |
select202, | |
], | |
on_success: processor_chain([ | |
dup157, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("113003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("AAA group policy set for user"), | |
}), | |
]), | |
}); | |
var msg834 = match({ | |
id: "MESSAGE#221:201005", | |
dissect: { | |
tokenizer: "%{protocol->} data connection failed for %{hostip->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup165, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("201005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("data connection failed"), | |
}), | |
]), | |
}); | |
var msg835 = match({ | |
id: "MESSAGE#240:209005", | |
dissect: { | |
tokenizer: "Discard IP fragment set with more than %{fld1->} elements: %{space->} src = %{saddr->}, dest = %{daddr->}, proto = %{protocol->}, id = %{policy_id->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("209005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Discarded IP fragment"), | |
}), | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("number of elements exceeded"), | |
}), | |
]), | |
}); | |
var msg836 = match({ | |
id: "MESSAGE#10:120003/0", | |
dissect: { | |
tokenizer: "Call-Home is processing %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg837 = match({ | |
id: "MESSAGE#10:120003/2", | |
dissect: { | |
tokenizer: "configuration%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg838 = match({ | |
id: "MESSAGE#10:120003/2", | |
dissect: { | |
tokenizer: "inventory%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg839 = match({ | |
id: "MESSAGE#10:120003/2", | |
dissect: { | |
tokenizer: "snapshot%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select203 = linear_select([ | |
msg837, | |
msg838, | |
msg839, | |
]); | |
var msg840 = match({ | |
id: "MESSAGE#10:120003/2", | |
dissect: { | |
tokenizer: "%{->}event %{info->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all209 = all_match({ | |
processors: [ | |
msg836, | |
select203, | |
msg840, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("120003"), | |
}), | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Call-Home is processing event"), | |
}), | |
]), | |
}); | |
// Parser for message id 400046. Captures the product and signature id on
// either side of the first ":", then a context text, the source and
// destination addresses and the interface (stored in dinterface).
// The pattern begins with a capture instead of fixed text, so it accepts any
// line of the shape "a:b c from x to y on interface z".
// NOTE(review): this presumably relies on the caller dispatching by message id
// before the pattern is applied; confirm where msg841 is referenced.
var msg841 = match({ | |
id: "MESSAGE#543:400046", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup52, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400046"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
var msg842 = match({ | |
id: "MESSAGE#579:403500", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup50, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("403500"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg843 = match({ | |
id: "MESSAGE#444:321004", | |
dissect: { | |
tokenizer: "Resource %{fld1->} rate log level of %{fld2->} %{fld3->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("321004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg844 = match({ | |
id: "MESSAGE#856:713025/2", | |
dissect: { | |
tokenizer: "%{saddr->}, %{action->}:%{info->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all210 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
msg844, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713025"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg845 = match({ | |
id: "MESSAGE#857:713025:01", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{action->}:%{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713025:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var select204 = linear_select([ | |
all210, | |
msg845, | |
]); | |
var msg846 = match({ | |
id: "MESSAGE#950:713257", | |
dissect: { | |
tokenizer: "Phase %{fld1->} failure: Mismatched attribute types for class %{process->}: Rcv'd: %{fld2->} Cfg'd: %{fld3->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713257"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("Mismatched attribute types for class"), | |
}), | |
]), | |
}); | |
var msg847 = match({ | |
id: "MESSAGE#1194:725008", | |
dissect: { | |
tokenizer: "SSL client %{interface->}:%{hostip->}/%{network_port->} proposes the following %{fld1->} cipher(s).", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725008"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg848 = match({ | |
id: "MESSAGE#1195:725008:01", | |
dissect: { | |
tokenizer: "SSL client %{sinterface->}:%{saddr->}/%{sport->} to %{daddr->}/%{dport->} proposes the following %{fld1->} cipher(s)", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725008:01"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var select205 = linear_select([ | |
msg847, | |
msg848, | |
]); | |
var msg849 = match({ | |
id: "MESSAGE#49:105040", | |
dissect: { | |
tokenizer: "(%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup161, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105040"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// ---- Message 106002 (connection denied by access list) ----
// dup357 and dup358, declared elsewhere, are the first two stages. Both
// patterns below start at "onnection denied by", so the leading letter of
// "connection" is presumably consumed by those earlier stages (confirm).

// Form 1: address and port separated by "/".
var msg850 = match({ | |
id: "MESSAGE#59:106002/2", | |
dissect: { | |
tokenizer: "onnection denied by %{direction->} list %{fld1->} src %{saddr->}/%{sport->} dest %{daddr->}/%{dport->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all211 = all_match({ | |
processors: [ | |
dup357, | |
dup358, | |
msg850, | |
], | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106002"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
]), | |
}); | |
// Form 2: address and port separated by a space. Apart from that separator the
// tokenizer is identical to msg850.
var msg851 = match({ | |
id: "MESSAGE#60:106002:01/2", | |
dissect: { | |
tokenizer: "onnection denied by %{direction->} list %{fld1->} src %{saddr->} %{sport->} dest %{daddr->} %{dport->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Same chain as all211 with msg_id1 = "106002:01" and one extra shared
// processor, dup14.
var all212 = all_match({ | |
processors: [ | |
dup357, | |
dup358, | |
msg851, | |
], | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106002:01"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
]), | |
}); | |
// Entry point for both 106002 forms; the "/" form is tried first.
var select206 = linear_select([ | |
all211, | |
all212, | |
]); | |
// Parser for message id 201008. The tokenizer is a single capture, so the
// whole payload is stored in event_description.
// NOTE(review): on_success then writes the constant "New connections
// disallowed" to the same field. If set_field overwrites an existing value (it
// is defined elsewhere; confirm), the original message text is no longer
// available in event_description after this chain runs.
var msg852 = match({ | |
id: "MESSAGE#224:201008", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("201008"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("New connections disallowed"), | |
}), | |
]), | |
}); | |
// ---- Message 313004 (denied ICMP) ----
// Form 1: protocol is the literal "ICMP", and the source is introduced by
// "from laddr". The result text follows ": " (colon and space).
var msg853 = match({ | |
id: "MESSAGE#409:313004", | |
dissect: { | |
tokenizer: "Denied ICMP type=%{icmptype->}, from laddr %{saddr->} on interface %{interface->} to %{daddr->}: %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup359, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("313004"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup259, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Denied ICMP"), | |
}), | |
]), | |
}); | |
// Form 2: protocol is captured, the source is introduced by "from" alone, and
// the result follows ":" with no space.
// This chain omits dup27 and dup259 and adds dup14 compared with form 1.
var msg854 = match({ | |
id: "MESSAGE#410:313004:01", | |
dissect: { | |
tokenizer: "Denied %{protocol->} type=%{icmptype->}, from %{saddr->} on interface %{interface->} to %{daddr->}:%{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup359, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("313004:01"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Denied connection"), | |
}), | |
]), | |
}); | |
// Form 1 must stay first.
// NOTE(review): form 2 is the looser pattern and would presumably also accept
// a "from laddr <addr>" line, leaving the word "laddr " inside saddr. A
// non-address value in saddr breaks IP-typed lookups downstream.
var select207 = linear_select([ | |
msg853, | |
msg854, | |
]); | |
var msg855 = match({ | |
id: "MESSAGE#32:105007", | |
dissect: { | |
tokenizer: "(%{context->}) Link status 'Down' on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup324, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105007"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Link status down"), | |
}), | |
]), | |
}); | |
var msg856 = match({ | |
id: "MESSAGE#1203:725014", | |
dissect: { | |
tokenizer: "SSL lib error. Function: %{info->} Reason: %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725014"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("SSL lib error"), | |
}), | |
]), | |
}); | |
// Parser for message id 201012 (per-client embryonic connection limit
// exceeded). Captures the source address/port, the destination and the
// interface.
// NOTE(review): the destination is stored in dhost here, whereas the other
// address/port patterns in this section store it in daddr. Rules that look for
// the targeted server by daddr will not see these events unless a later step
// copies dhost across.
var msg857 = match({ | |
id: "MESSAGE#1296:201012", | |
dissect: { | |
tokenizer: "Per-client embryonic connection limit exceeded %{fld1->} for input packet from %{saddr->}/%{sport->} to %{dhost->}/%{dport->} on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("201012"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Per-client embryonic connection limit exceeded"), | |
}), | |
]), | |
}); | |
var msg858 = match({ | |
id: "MESSAGE#6:103001", | |
dissect: { | |
tokenizer: "(%{context->})%{event_description->} (reason code = %{resultcode->}).", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup326, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("103001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// ---- Message 106012 (IP packet denied, IP options present) ----
// Stage 0: fixed prefix and source address; the rest is left in p0.
var msg859 = match({ | |
id: "MESSAGE#76:106012/0", | |
dissect: { | |
tokenizer: "Deny IP from %{saddr->} %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Stage 1: the word before the destination is either "from" or "to"; both
// alternatives leave the remainder in p1.
var msg860 = match({ | |
id: "MESSAGE#76:106012/2", | |
dissect: { | |
tokenizer: "from%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg861 = match({ | |
id: "MESSAGE#76:106012/2", | |
dissect: { | |
tokenizer: "to%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select208 = linear_select([ | |
msg860, | |
msg861, | |
]); | |
// Stage 2: destination address and the IP options value (kept in fld1).
var msg862 = match({ | |
id: "MESSAGE#76:106012/2", | |
dissect: { | |
tokenizer: "%{->} %{daddr->}, IP options %{fld1->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Records msg_id1 = "106012" and a fixed description. The IP options value
// stays in the generic field fld1 unless one of the shared processors,
// declared elsewhere, moves it.
var all213 = all_match({ | |
processors: [ | |
msg859, | |
select208, | |
msg862, | |
], | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106012"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("IP connection denied"), | |
}), | |
]), | |
}); | |
// 737032: final stage reads p1 (produced by the shared stages dup53/dup54,
// defined elsewhere) and captures the address and the failure reason.
var msg863 = match({
  id: "MESSAGE#1251:737032/2",
  dissect: {
    tokenizer: "Unable to remove %{saddr->} from standby: %{result->}",
    field: "nwparser.p1",
  },
});
var all214 = all_match({
  processors: [
    dup53,
    dup54,
    msg863,
  ],
  on_success: processor_chain([
    dup37,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("737032"),
    }),
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Unable to remove device from standby"),
    }),
  ]),
});
// 321002: resource rate limit reached; resource name -> fld1, limit -> fld2.
var msg864 = match({
  id: "MESSAGE#442:321002",
  dissect: {
    tokenizer: "Resource %{fld1->} rate limit of %{fld2->} reached.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("321002"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 702206 ("payload received"), two variants selected by select209.
// In the initiator variant the local address is saddr and the remote is daddr;
// in the responder variant the mapping is reversed, so saddr is the initiator
// side in both cases.
var msg865 = match({
  id: "MESSAGE#814:702206:01/2",
  dissect: {
    tokenizer: "%{->}payload received (local %{saddr->} (initiator), remote %{daddr->})",
    field: "nwparser.p1",
  },
});
var all215 = all_match({
  processors: [
    dup360,
    dup129,
    msg865,
  ],
  on_success: processor_chain([
    dup160,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("702206:01"),
    }),
    dup7,
    dup14,
    dup4,
    dup5,
    dup2,
    dup3,
    dup361,
  ]),
});
var msg866 = match({
  id: "MESSAGE#815:702206/2",
  dissect: {
    tokenizer: "%{->}payload received (local %{daddr->} (responder), remote %{saddr->})",
    field: "nwparser.p1",
  },
});
var all216 = all_match({
  processors: [
    dup360,
    dup129,
    msg866,
  ],
  on_success: processor_chain([
    dup160,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("702206"),
    }),
    dup7,
    dup2,
    dup3,
    dup361,
    dup4,
    dup5,
  ]),
});
var select209 = linear_select([
  all215,
  all216,
]);
// 714002: IKE quick-mode start. msg867 handles the "Group = ..., IP = ..." form
// and keeps the device's own description; msg868 handles the bare initiator
// form and sets a constant description. fld1 holds the IKE message id.
var msg867 = match({
  id: "MESSAGE#980:714002",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{event_description->}: msg id = %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("714002"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var msg868 = match({
  id: "MESSAGE#981:714002:01",
  dissect: {
    tokenizer: "IKE Initiator starting QM: msg id = %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup83,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("714002:01"),
    }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKE Initiator starting QM"),
    }),
  ]),
});
var select210 = linear_select([
  msg867,
  msg868,
]);
// 324006: GSN tunnel limit exceeded; limit -> fld1, PDP context TID -> fld2.
var msg869 = match({
  id: "MESSAGE#459:324006",
  dissect: {
    tokenizer: "GSN ip_addr tunnel limit %{fld1->} exceeded, PDP Context TID %{fld2->} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("324006"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 733102: threat-detection added a host to the shun list; the host lands in hostip.
// The matching removal event in this chunk is 401003 ("Shun delete").
var msg870 = match({
  id: "MESSAGE#1212:733102",
  dissect: {
    tokenizer: "Threat-detection adds host %{hostip->} to shun list",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup94,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("733102"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 106010 deny events, four payload shapes collected in select211:
//   msg871  "Deny <dir> protocol <proto> src if:addr dst if:addr"
//   msg872  ICMP form with type and code
//   msg873  form with source and destination ports
//   msg874  form without ports and without the literal word "protocol"
// NOTE(review): msg874 is the most general pattern, so the order inside
// select211 presumably matters — confirm before reordering.
var msg871 = match({
  id: "MESSAGE#68:106010",
  dissect: {
    tokenizer: "Deny %{direction->} protocol %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("106010"),
    }),
    dup99,
    dup102,
    dup43,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup196,
  ]),
});
var msg872 = match({
  id: "MESSAGE#69:106010:01",
  dissect: {
    tokenizer: "Deny %{direction->} icmp src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} (type %{icmptype->}, code %{icmpcode->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("106010:01"),
    }),
    dup99,
    dup102,
    dup43,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup196,
    dup111,
  ]),
});
var msg873 = match({
  id: "MESSAGE#70:106010:02",
  dissect: {
    tokenizer: "Deny %{direction->} %{protocol->} src %{sinterface->}:%{saddr->}/%{sport->} dst %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("106010:02"),
    }),
    dup99,
    dup102,
    dup43,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup196,
  ]),
});
var msg874 = match({
  id: "MESSAGE#71:106010:03",
  dissect: {
    tokenizer: "Deny %{direction->} %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("106010:03"),
    }),
    dup99,
    dup102,
    dup43,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup196,
  ]),
});
var select211 = linear_select([
  msg871,
  msg872,
  msg873,
  msg874,
]);
// 716007: WebVPN session creation failure. select212 accepts the username
// in three spellings read from p0: "<<name>" (the \u003c escapes are '<'),
// single-quoted, or bare. The bare form is listed last.
// The username is copied verbatim from the device log; downstream consumers
// should treat it as untrusted text.
var msg875 = match({
  id: "MESSAGE#1049:716007/1",
  dissect: {
    tokenizer: "\u003c\u003c%{username->}> WebVPN Unable to create session",
    field: "nwparser.p0",
  },
});
var msg876 = match({
  id: "MESSAGE#1049:716007/1",
  dissect: {
    tokenizer: "'%{username->}' WebVPN Unable to create session",
    field: "nwparser.p0",
  },
});
var msg877 = match({
  id: "MESSAGE#1049:716007/1",
  dissect: {
    tokenizer: "%{username->} WebVPN Unable to create session",
    field: "nwparser.p0",
  },
});
var select212 = linear_select([
  msg875,
  msg876,
  msg877,
]);
// dup77 (defined elsewhere) runs first; it presumably produces p0 — confirm.
var all217 = all_match({
  processors: [
    dup77,
    select212,
  ],
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("716007"),
    }),
    dup7,
    dup18,
    dup17,
    dup106,
    dup19,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Unable to create session"),
    }),
  ]),
});
// 711004: msg878 splits out process name, PC (fld1) and call stack (fld2);
// select213 falls back to the shared processor dup141 when that shape
// does not match.
var msg878 = match({
  id: "MESSAGE#851:711004/0",
  dissect: {
    tokenizer: "%{event_description->} Process = %{process->}, PC = %{fld1->}, Call stack = %{fld2->}",
    field: "nwparser.payload",
  },
});
var select213 = linear_select([
  msg878,
  dup141,
]);
var all218 = all_match({
  processors: [
    select213,
  ],
  on_success: processor_chain([
    dup75,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("711004"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 714004: IKE first quick-mode packet. msg879 handles the
// "Group = ..., IP = ..." form (free text goes to action); msg880 handles the
// bare initiator form with a constant description. fld1 is the IKE message id.
var msg879 = match({
  id: "MESSAGE#983:714004",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{action->}: msg id = %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("714004"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var msg880 = match({
  id: "MESSAGE#984:714004:01",
  dissect: {
    tokenizer: "IKE Initiator sending 1st QM pkt: msg id = %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup58,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("714004:01"),
    }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKE Initiator sending 1st QM pkt"),
    }),
  ]),
});
var select214 = linear_select([
  msg879,
  msg880,
]);
// 718028: OOS indicator send failure; the bracketed peer address goes to daddr.
var msg881 = match({
  id: "MESSAGE#1094:718028",
  dissect: {
    tokenizer: "Send OOS indicator failure to [%{daddr->}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("718028"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Send OOS indicator failure"),
    }),
  ]),
});
// 199001: device reload. The "Reload command executed from ..." text is split
// across stages: select215 consumes "PIX r" or "R" from p0, msg884 consumes
// "eload command executed from " from p1, and select216 reads the origin
// from p2, either "<process> (remote <hostip>). " or just "<hostip>. ".
// The trailing space inside those two tokenizers is part of the pattern.
var msg882 = match({
  id: "MESSAGE#201:199001:01/2",
  dissect: {
    tokenizer: "PIX r%{p1->}",
    field: "nwparser.p0",
  },
});
var msg883 = match({
  id: "MESSAGE#201:199001:01/2",
  dissect: {
    tokenizer: "R%{p1->}",
    field: "nwparser.p0",
  },
});
var select215 = linear_select([
  msg882,
  msg883,
]);
var msg884 = match({
  id: "MESSAGE#201:199001:01/2",
  dissect: {
    tokenizer: "eload command executed from %{p2->}",
    field: "nwparser.p1",
  },
});
var msg885 = match({
  id: "MESSAGE#201:199001:01/3",
  dissect: {
    tokenizer: "%{process->} (remote %{hostip->}). ",
    field: "nwparser.p2",
  },
});
var msg886 = match({
  id: "MESSAGE#201:199001:01/3",
  dissect: {
    tokenizer: "%{hostip->}. ",
    field: "nwparser.p2",
  },
});
var select216 = linear_select([
  msg885,
  msg886,
]);
// dup44 (defined elsewhere) runs first; on success the result field is set
// to a constant so reloads can be found without re-parsing the message text.
var all219 = all_match({
  processors: [
    dup44,
    select215,
    msg884,
    select216,
  ],
  on_success: processor_chain([
    dup105,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("199001:01"),
    }),
    dup14,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.result",
      value: constant("Reload command executed"),
    }),
    dup4,
    dup5,
  ]),
});
// Fallback: any other 199001 payload is stored whole in event_description,
// so it carries no hostip or process field.
var msg887 = match({
  id: "MESSAGE#202:199001",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup105,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("199001"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var select217 = linear_select([
  all219,
  msg887,
]);
// 405101: call-signalling connection allocation. msg888 reads p1, captures the
// service name and hands the text after "for f" on in p2; every other stage
// in all220 is a shared processor defined elsewhere in this file.
var msg888 = match({
  id: "MESSAGE#590:405101/2",
  dissect: {
    tokenizer: "allocate %{service->} Call Signalling Connection for f%{p2->}",
    field: "nwparser.p1",
  },
});
var all220 = all_match({
  processors: [
    dup118,
    dup115,
    msg888,
    dup119,
    dup120,
    dup121,
    dup122,
    dup123,
    dup124,
  ],
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("405101"),
    }),
    dup2,
    dup3,
    dup125,
    dup4,
    dup5,
  ]),
});
// 444100: shared license registration failed; the reason text goes to result.
var msg889 = match({
  id: "MESSAGE#666:444100",
  dissect: {
    tokenizer: "Shared license register request failed, Reason:%{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("444100"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license register request failed"),
    }),
  ]),
});
// 611314: no structure is extracted; the whole payload becomes event_description.
var msg890 = match({
  id: "MESSAGE#770:611314",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("611314"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 722030: matching is done entirely by shared processors (dup77, dup78,
// dup158) defined elsewhere; only the message id is set here.
var all221 = all_match({
  processors: [
    dup77,
    dup78,
    dup158,
  ],
  on_success: processor_chain([
    dup34,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("722030"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    dup159,
  ]),
});
// 199016: leading tokens go to fld1..fld7 (the a:b:c shape of fld3..fld5 looks
// like a time of day — unconfirmed); the text after the bracketed tag goes to info.
// Unlike its neighbours this chain does not include dup2.
var msg891 = match({
  id: "MESSAGE#1314:199016",
  dissect: {
    tokenizer: "%{fld1->} %{fld2->} %{fld3->}:%{fld4->}:%{fld5->} %{fld6->}: [%{fld7->}] %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup264,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("199016"),
    }),
    dup3,
    dup4,
    dup5,
  ]),
});
// 105047: failover mate has a different card. Three stages:
//   select218  payload starts with "Mate", or an arbitrary first token (info)
//   select219  "... has a " from p0
//   msg896     card type (fld1), slot (fld2) and local card type (fld3) from p1
// NOTE(review): msg894 expects "Matehas a " in p0, but msg892 has already
// consumed "Mate"; msg895 looks like the alternative that matches in practice.
var msg892 = match({
  id: "MESSAGE#56:105047/1",
  dissect: {
    tokenizer: "Mate%{p0->}",
    field: "nwparser.payload",
  },
});
var msg893 = match({
  id: "MESSAGE#56:105047/1",
  dissect: {
    tokenizer: "%{info->} %{p0->}",
    field: "nwparser.payload",
  },
});
var select218 = linear_select([
  msg892,
  msg893,
]);
var msg894 = match({
  id: "MESSAGE#56:105047/2",
  dissect: {
    tokenizer: "Matehas a %{p1->}",
    field: "nwparser.p0",
  },
});
var msg895 = match({
  id: "MESSAGE#56:105047/2",
  dissect: {
    tokenizer: "%{space->}has a %{p1->}",
    field: "nwparser.p0",
  },
});
var select219 = linear_select([
  msg894,
  msg895,
]);
var msg896 = match({
  id: "MESSAGE#56:105047/2",
  dissect: {
    tokenizer: "%{fld1->} card in slot %{fld2->} which is different from my %{fld3->}",
    field: "nwparser.p1",
  },
});
var all222 = all_match({
  processors: [
    select218,
    select219,
    msg896,
  ],
  on_success: processor_chain([
    dup49,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("105047"),
    }),
    dup38,
    dup39,
    dup87,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Mate card is different"),
    }),
  ]),
});
// 111009: "<user> executed cmd:<command>" — the audit record of a command run
// on the device. select220 accepts the username single-quoted or bare; the
// command text continues in p1 and is handled by the shared processor dup33.
// Username and command are copied verbatim from the log line; treat both as
// untrusted text when displaying or alerting on them.
var msg897 = match({
  id: "MESSAGE#173:111009/2",
  dissect: {
    tokenizer: "'%{username->}' executed cmd:%{p1->}",
    field: "nwparser.p0",
  },
});
var msg898 = match({
  id: "MESSAGE#173:111009/2",
  dissect: {
    tokenizer: "%{username->} executed cmd:%{p1->}",
    field: "nwparser.p0",
  },
});
var select220 = linear_select([
  msg897,
  msg898,
]);
var all223 = all_match({
  processors: [
    dup262,
    select220,
    dup33,
  ],
  on_success: processor_chain([
    dup263,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("111009"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup362,
  ]),
});
// 199005: whole payload is kept as event_description.
var msg899 = match({
  id: "MESSAGE#206:199005",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup272,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("199005"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 323003: module failed to answer a reload request; the slot goes to fld1.
var msg900 = match({
  id: "MESSAGE#451:323003",
  dissect: {
    tokenizer: "Module in slot %{fld1->} is not able to reload, reload request not answered.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup49,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("323003"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 317001: whole payload is kept as event_description.
var msg901 = match({
  id: "MESSAGE#423:317001",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup165,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("317001"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 611320: whole payload is kept as event_description; classification comes
// from the shared processors (dup59, dup60, dup38) defined elsewhere.
var msg902 = match({
  id: "MESSAGE#776:611320",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup59,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("611320"),
    }),
    dup7,
    dup60,
    dup38,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 611322: whole payload is kept as event_description.
var msg903 = match({
  id: "MESSAGE#778:611322",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup83,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("611322"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 713107: VPN address assignment failure; captures group, username and peer
// address (saddr) and sets a constant description.
var msg904 = match({
  id: "MESSAGE#883:713107",
  dissect: {
    tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, IP address request attempt failed!",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713107"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IP address request attempt failed"),
    }),
  ]),
});
// 105009: failover interface test; captures context, interface name and the
// outcome text (disposition).
var msg905 = match({
  id: "MESSAGE#34:105009",
  dissect: {
    tokenizer: "(%{context->}) Testing on interface %{interface->} %{disposition->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("105009"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup363,
  ]),
});
// 109014: whole payload is kept as event_description.
var msg906 = match({
  id: "MESSAGE#135:109014",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup51,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("109014"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 111001: start of a configuration write; captures the originating host
// (hostip) and the target (device). This marks a configuration change on the
// firewall, which is usually worth retaining for audit.
var msg907 = match({
  id: "MESSAGE#165:111001",
  dissect: {
    tokenizer: "Begin configuration: %{hostip->} writing to %{device->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("111001"),
    }),
    dup38,
    dup13,
    dup39,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Begin configuration writing to device"),
    }),
  ]),
});
// 302002: TCP connection teardown, two layouts collected in select221.
//   msg908  faddr/gaddr/laddr layout; faddr -> saddr, gaddr -> hostip, laddr -> daddr
//   msg909  "for <if>:<addr>/<port> to <if>:<addr>/<port>" layout
// Both capture connection id, duration and byte count.
var msg908 = match({
  id: "MESSAGE#275:302002",
  dissect: {
    tokenizer: "Teardown TCP connection %{connectionid->} faddr %{saddr->}/%{sport->} gaddr %{hostip->}/%{network_port->} laddr %{daddr->}/%{dport->} duration %{duration->} bytes %{bytes->} (%{fld3->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302002"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup149,
    dup364,
  ]),
});
var msg909 = match({
  id: "MESSAGE#276:302002:01",
  dissect: {
    tokenizer: "Teardown TCP connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} duration %{duration->} bytes %{bytes->} %{fld2->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302002:01"),
    }),
    dup42,
    dup43,
    dup40,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup149,
    dup364,
  ]),
});
var select221 = linear_select([
  msg908,
  msg909,
]);
// 337009: Phone Proxy could not create a secure phone entry; captures the
// interface, endpoint address, MAC address (smacaddr) and the reason (result).
var msg910 = match({
  id: "MESSAGE#470:337009",
  dissect: {
    tokenizer: "Phone Proxy: Unable to create secure phone entry for %{sinterface->}:%{saddr->} with MAC address %{smacaddr->}, %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("337009"),
    }),
    dup42,
    dup43,
    dup19,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Unable to create secure phone entry for endpoint"),
    }),
  ]),
});
// 403502: whole payload is kept as event_description.
var msg911 = match({
  id: "MESSAGE#581:403502",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("403502"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 403505: whole payload is kept as event_description.
var msg912 = match({
  id: "MESSAGE#584:403505",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup51,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("403505"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 713050: final stage reads p1 (prepared by the shared stages dup9/dup365)
// and captures address, action, peer, reason (result) and trailing info.
var msg913 = match({
  id: "MESSAGE#867:713050/2",
  dissect: {
    tokenizer: "%{saddr->}, %{action->} for peer %{peer->}. Reason: %{result->} %{info->}",
    field: "nwparser.p1",
  },
});
var all224 = all_match({
  processors: [
    dup9,
    dup365,
    msg913,
  ],
  on_success: processor_chain([
    dup34,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("713050"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 717006: whole payload is kept as event_description.
var msg914 = match({
  id: "MESSAGE#1067:717006",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup160,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("717006"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 338304: dynamic filter data file downloaded; the updater server goes to url.
var msg915 = match({
  id: "MESSAGE#490:338304",
  dissect: {
    tokenizer: "Successfully downloaded dynamic filter data file from updater server %{url->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("338304"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 401003: a shun entry was removed. msg916 matches the "Shun delete" prefix,
// the shared stage dup89 bridges p0 to p1, and msg917 reads the host from p1.
// Removing a shun lifts a block, so this is the counterpart to watch
// alongside shun-add events such as 733102.
var msg916 = match({
  id: "MESSAGE#551:401003/0",
  dissect: {
    tokenizer: "Shun delete%{p0->}",
    field: "nwparser.payload",
  },
});
var msg917 = match({
  id: "MESSAGE#551:401003/2",
  dissect: {
    tokenizer: ": %{hostip->}",
    field: "nwparser.p1",
  },
});
var all225 = all_match({
  processors: [
    msg916,
    dup89,
    msg917,
  ],
  on_success: processor_chain([
    dup107,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("401003"),
    }),
    dup108,
    dup38,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shun deleted"),
    }),
    dup4,
    dup5,
  ]),
});
// 711002: whole payload is kept as event_description.
var msg918 = match({
  id: "MESSAGE#850:711002",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup75,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("711002"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 715064: matched entirely by shared processors (dup44, dup80, dup243)
// defined elsewhere; only the message id is set here.
var all226 = all_match({
  processors: [
    dup44,
    dup80,
    dup243,
  ],
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("715064"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 715027: matched entirely by shared processors (dup9, dup242, dup33)
// defined elsewhere; only the message id is set here.
var all227 = all_match({
  processors: [
    dup9,
    dup242,
    dup33,
  ],
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("715027"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 303002: FTP activity, three alternatives collected in select223:
//   all228  staged form; msg919 reads "<daddr> <action> <saddr>:<url>" from p1
//   all229  "FTP connection from ... to ..., user ..." form; the user part is
//           handled by dup366/dup367, then msg921 reads action and filename
//   msg922  single-stage form of the all228 pattern, read from the payload
// url and filename are copied verbatim from the log line; treat them as
// untrusted text downstream.
var msg919 = match({
  id: "MESSAGE#345:303002/2",
  dissect: {
    tokenizer: "%{daddr->} %{action->} %{saddr->}:%{url->}",
    field: "nwparser.p1",
  },
});
var all228 = all_match({
  processors: [
    dup44,
    dup66,
    msg919,
  ],
  on_success: processor_chain([
    dup204,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("303002"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup70,
    dup71,
    dup72,
    dup73,
  ]),
});
var msg920 = match({
  id: "MESSAGE#346:303002:02/0",
  dissect: {
    tokenizer: "FTP connection from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}, user %{p0->}",
    field: "nwparser.payload",
  },
});
var select222 = linear_select([
  dup366,
  dup367,
]);
var msg921 = match({
  id: "MESSAGE#346:303002:02/2",
  dissect: {
    tokenizer: "%{action->} file %{filename->}",
    field: "nwparser.p1",
  },
});
var all229 = all_match({
  processors: [
    msg920,
    select222,
    msg921,
  ],
  on_success: processor_chain([
    dup204,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("303002:02"),
    }),
    dup42,
    dup43,
    dup40,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var msg922 = match({
  id: "MESSAGE#347:303002:01",
  dissect: {
    tokenizer: "%{daddr->} %{action->} %{saddr->}:%{url->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup204,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("303002:01"),
    }),
    dup42,
    dup43,
    dup40,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup70,
    dup71,
    dup72,
    dup73,
  ]),
});
var select223 = linear_select([
  all228,
  all229,
  msg922,
]);
// 332004: web cache lost; the two slash-separated values go to saddr and shost.
var msg923 = match({
  id: "MESSAGE#466:332004",
  dissect: {
    tokenizer: "Web Cache %{saddr->}/%{shost->} lost",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("332004"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup112,
  ]),
});
// 603102: AAA authentication started on a PPP virtual interface; captures the
// interface and the username.
var msg924 = match({
  id: "MESSAGE#721:603102",
  dissect: {
    tokenizer: "PPP virtual interface %{interface->} - user: %{username->} aaa authentication started",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup83,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("603102"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 714007: IKE initiator sends Initial Contact; captures group and peer address.
var msg925 = match({
  id: "MESSAGE#988:714007",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, IKE Initiator sending Initial Contact",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("714007"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Sending initial contact"),
    }),
  ]),
});
// 338303: a dynamic-filter address entry timed out and its rule is removed.
// msg926 captures the address (hostip) and domain (web_domain); select224
// (shared processors dup298/dup368) bridges p0 to p1; msg927 confirms the
// trailing "Removing rule" text.
var msg926 = match({
  id: "MESSAGE#489:338303/0",
  dissect: {
    tokenizer: "Address %{hostip->} (%{web_domain->}) timed out%{p0->}",
    field: "nwparser.payload",
  },
});
var select224 = linear_select([
  dup298,
  dup368,
]);
var msg927 = match({
  id: "MESSAGE#489:338303/2",
  dissect: {
    tokenizer: "%{->}Removing rule",
    field: "nwparser.p1",
  },
});
var all230 = all_match({
  processors: [
    msg926,
    select224,
    msg927,
  ],
  on_success: processor_chain([
    dup107,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("338303"),
    }),
    dup108,
    dup38,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 701002: whole payload is kept as event_description.
var msg928 = match({
  id: "MESSAGE#803:701002",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("701002"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 104003: parenthesised context followed by free text (event_description).
var msg929 = match({
  id: "MESSAGE#24:104003",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("104003"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 113006: account lockout. select225 accepts the username single-quoted or
// bare (read from p0); the text after "locked out on " continues in p1 and is
// handled by the shared processor dup173.
// On success ec_activity is set to "Lockout", which gives alerting a stable
// field to key on instead of the free-text message.
var msg930 = match({
  id: "MESSAGE#183:113006/2",
  dissect: {
    tokenizer: "'%{username->}' locked out on %{p1->}",
    field: "nwparser.p0",
  },
});
var msg931 = match({
  id: "MESSAGE#183:113006/2",
  dissect: {
    tokenizer: "%{username->} locked out on %{p1->}",
    field: "nwparser.p0",
  },
});
var select225 = linear_select([
  msg930,
  msg931,
]);
var all231 = all_match({
  processors: [
    dup262,
    select225,
    dup173,
  ],
  on_success: processor_chain([
    dup16,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("113006"),
    }),
    dup17,
    set_field({
      dest: "nwparser.ec_activity",
      value: constant("Lockout"),
    }),
    dup18,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("User locked out"),
    }),
  ]),
});
// 302021: ICMP connection teardown, three alternatives collected in select227.
// They differ in what follows the foreign address/port:
//   all232  "(domain\user-part)"  -> sdomain and fld5 (the "\\" is a literal backslash)
//   all233  "(text)"              -> fld20, then an optional "(username)" on the
//                                    destination side, then ICMP type and code
//   all234  no parenthesised part
// The gaddr/laddr stages are shared processors (dup369, dup370) defined elsewhere.
var msg932 = match({
  id: "MESSAGE#331:302021/0",
  dissect: {
    tokenizer: "Teardown ICMP connection for faddr %{saddr->}/%{sport->}(%{sdomain->}\\%{fld5->}) gaddr %{p0->}",
    field: "nwparser.payload",
  },
});
var all232 = all_match({
  processors: [
    msg932,
    dup369,
    dup370,
  ],
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302021"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup149,
    dup259,
  ]),
});
var msg933 = match({
  id: "MESSAGE#332:302021:02/0",
  dissect: {
    tokenizer: "Teardown ICMP connection for faddr %{saddr->}/%{sport->}(%{fld20->}) gaddr %{p0->}",
    field: "nwparser.payload",
  },
});
var msg934 = match({
  id: "MESSAGE#332:302021:02/3",
  dissect: {
    tokenizer: "%{daddr->}/%{dport->}(%{username->}) type %{p2->}",
    field: "nwparser.p1",
  },
});
var msg935 = match({
  id: "MESSAGE#332:302021:02/3",
  dissect: {
    tokenizer: "%{daddr->}/%{dport->} type %{p2->}",
    field: "nwparser.p1",
  },
});
var select226 = linear_select([
  msg934,
  msg935,
]);
var msg936 = match({
  id: "MESSAGE#332:302021:02/3",
  dissect: {
    tokenizer: "%{icmptype->} code %{icmpcode->}",
    field: "nwparser.p2",
  },
});
var all233 = all_match({
  processors: [
    msg933,
    dup369,
    select226,
    msg936,
  ],
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302021:02"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup149,
    dup259,
  ]),
});
var msg937 = match({
  id: "MESSAGE#333:302021:01/0",
  dissect: {
    tokenizer: "Teardown ICMP connection for faddr %{saddr->}/%{sport->} gaddr %{p0->}",
    field: "nwparser.payload",
  },
});
var all234 = all_match({
  processors: [
    msg937,
    dup369,
    dup370,
  ],
  on_success: processor_chain([
    dup36,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("302021:01"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup149,
    dup259,
  ]),
});
var select227 = linear_select([
  all232,
  all233,
  all234,
]);
// 326001: timer library error; the error text goes to result.
var msg938 = match({
  id: "MESSAGE#463:326001",
  dissect: {
    tokenizer: "Unexpected error in the timer library: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("326001"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// 720026: "(VPN-<context>) <text>"; the text is kept as event_description.
var msg939 = match({
  id: "MESSAGE#1122:720026",
  dissect: {
    tokenizer: "(VPN-%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("720026"),
    }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var msg940 = match({ | |
id: "MESSAGE#48:105039", | |
dissect: { | |
tokenizer: "(%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup324, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105039"), | |
}), | |
dup38, | |
dup39, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// 106018: packet denied by an access list; captures protocol, packet type,
// list direction and name, and the source and destination addresses.
var msg941 = match({
  id: "MESSAGE#86:106018",
  dissect: {
    tokenizer: "%{protocol->} packet type %{fld1->} denied by %{direction->} list %{fld2->} src %{saddr->} dest %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("106018") }),
    dup99, dup102, dup43,
    dup2, dup3, dup4, dup5,
    dup371,
  ]),
});

// 400043: "<product>:<sigid> <context> from <src> to <dst> on interface <if>".
var msg942 = match({
  id: "MESSAGE#540:400043",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup52,
    set_field({ dest: "nwparser.msg_id1", value: constant("400043") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});

// 505005: no structure is extracted; the whole payload becomes event_description.
var msg943 = match({
  id: "MESSAGE#694:505005",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup272,
    set_field({ dest: "nwparser.msg_id1", value: constant("505005") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 717027: certificate chain validation failure.
// NOTE(review): the pattern captures the device-supplied reason into "result",
// but the last step sets nwparser.result to a fixed string, which presumably
// replaces the captured reason — confirm set_field semantics. If it does, the
// actual failure reason is not available for triage.
// NOTE(review): the constant reads "failed validated" (likely meant
// "failed validation"); it is kept as-is because downstream rules may match on
// the exact value.
var msg944 = match({
  id: "MESSAGE#1077:717027",
  dissect: {
    tokenizer: "Certificate chain failed validation. %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16,
    set_field({ dest: "nwparser.msg_id1", value: constant("717027") }),
    dup293, dup19,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("Certificate chain failed validated") }),
  ]),
});
// 722010 is parsed in stages: each stage reads one intermediate field
// (payload -> p0 -> p1 -> p2 -> p3) and passes the unparsed tail to the next.
//
// NOTE(review): "\u003c\u003c" is two '<' characters. If the tokenizer treats
// them literally, the bracketed alternatives only match values written as
// "<<value>", and a value written as "<value>" falls through to the unbracketed
// alternative, which would keep the angle brackets inside group, username and
// saddr. Confirm against sample logs; a bracketed saddr would not parse as an
// IP address downstream.

// Stage 0: strip the "Group " prefix.
var msg945 = match({
  id: "MESSAGE#1157:722010/0",
  dissect: { tokenizer: "Group %{p0->}", field: "nwparser.payload" },
});

// Stage 1: group name, bracketed form first, then the plain form.
var msg946 = match({
  id: "MESSAGE#1157:722010/2",
  dissect: { tokenizer: "\u003c\u003c%{group->}> User %{p1->}", field: "nwparser.p0" },
});
var msg947 = match({
  id: "MESSAGE#1157:722010/2",
  dissect: { tokenizer: "%{group->} User %{p1->}", field: "nwparser.p0" },
});
var select228 = linear_select([msg946, msg947]);

// Stage 2: user name, bracketed form first, then the plain form.
var msg948 = match({
  id: "MESSAGE#1157:722010/3",
  dissect: { tokenizer: "\u003c\u003c%{username->}> IP %{p2->}", field: "nwparser.p1" },
});
var msg949 = match({
  id: "MESSAGE#1157:722010/3",
  dissect: { tokenizer: "%{username->} IP %{p2->}", field: "nwparser.p1" },
});
var select229 = linear_select([msg948, msg949]);

// Stage 3: client address, bracketed form first, then the plain form.
var msg950 = match({
  id: "MESSAGE#1157:722010/4",
  dissect: { tokenizer: "\u003c\u003c%{saddr->}> SVC Message: %{p3->}", field: "nwparser.p2" },
});
var msg951 = match({
  id: "MESSAGE#1157:722010/4",
  dissect: { tokenizer: "%{saddr->} SVC Message: %{p3->}", field: "nwparser.p2" },
});
var select230 = linear_select([msg950, msg951]);

// Stage 4: "<info>/<result>: <description>" from the SVC message text.
var msg952 = match({
  id: "MESSAGE#1157:722010/4",
  dissect: { tokenizer: "%{info->}/%{result->}: %{event_description->}", field: "nwparser.p3" },
});

// Complete 722010 pattern followed by its enrichment chain.
var all235 = all_match({
  processors: [msg945, select228, select229, select230, msg952],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("722010") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// 210008: "LU no xlate" with source and destination address/port pairs.
var msg953 = match({
  id: "MESSAGE#247:210008",
  dissect: {
    tokenizer: "LU no xlate for %{saddr->}/%{sport->} %{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup161,
    set_field({ dest: "nwparser.msg_id1", value: constant("210008") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// 309002: manager connection permitted; the source address is captured and a
// fixed event description is set.
var msg954 = match({
  id: "MESSAGE#399:309002",
  dissect: {
    tokenizer: "Permitted manager connection from %{saddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup105,
    set_field({ dest: "nwparser.msg_id1", value: constant("309002") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("permitted manager connection") }),
  ]),
});

// 713016: unknown identification type during negotiation. The value after
// "Group = " is stored in "host" by this pattern. The event category is set
// inline here instead of through a shared dup* processor.
var msg955 = match({
  id: "MESSAGE#853:713016",
  dissect: {
    tokenizer: "Group = %{host->}, IP = %{daddr->}, Unknown identification type, Phase %{fld1->}, Type %{fld2->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    set_field({ dest: "nwparser.eventcategory", value: constant("1603060000") }),
    set_field({ dest: "nwparser.msg_id1", value: constant("713016") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// 715047:01 variant, built entirely from shared stages defined elsewhere.
var all236 = all_match({
  processors: [dup305, dup304],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("715047:01") }),
    dup7, dup14,
    dup2, dup3, dup4, dup5,
  ]),
});

// 715047 base variant; same chain as above without dup14.
var all237 = all_match({
  processors: [dup44, dup47, dup48],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("715047") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});

// Selector over both 715047 variants, the :01 form listed first.
var select231 = linear_select([all236, all237]);
// 713143: "IP = <addr>, <description>: <info>".
var msg956 = match({
  id: "MESSAGE#906:713143",
  dissect: {
    tokenizer: "IP = %{saddr->}, %{event_description->}: %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713143") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});

// 718056: master peer deleted; captures the peer address and sets a fixed
// event description.
var msg957 = match({
  id: "MESSAGE#1103:718056",
  dissect: {
    tokenizer: "Deleted Master peer, IP %{saddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718056") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Deleted Master peer") }),
  ]),
});
// 722050: session terminated; captures group, user name, client address and
// the termination text.
// NOTE(review): each "\u003c\u003c" is two '<' characters. If the tokenizer
// treats them literally, a payload written as "Group <g> User <u> IP <a> ..."
// (single brackets) would not match, and this definition has no unbracketed
// fallback. Verify against sample logs, since unmatched session terminations
// would lose their user and address fields.
var msg958 = match({
  id: "MESSAGE#1177:722050",
  dissect: {
    tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> Session terminated: %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("722050") }),
    dup2, dup3, dup4, dup5,
    dup372,
  ]),
});
// 750002: IKE_INIT_SA request received; captures local and remote address and
// port plus the user name, and sets a fixed event description.
var msg959 = match({
  id: "MESSAGE#1264:750002",
  dissect: {
    tokenizer: "Local:%{saddr->}:%{sport->} Remote:%{daddr->}:%{dport->} Username:%{username->} Received a IKE_INIT_SA request",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("750002") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Received a IKE_INIT_SA request") }),
  ]),
});

// 102001: "(<context>)<description>" — no space after the closing parenthesis.
var msg960 = match({
  id: "MESSAGE#5:102001",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({ dest: "nwparser.msg_id1", value: constant("102001") }),
    dup38, dup39, dup13,
    dup2, dup3, dup4, dup5,
  ]),
});
// 109012, first stage: strips the "Authen Session End: user " prefix into p0.
var msg961 = match({
  id: "MESSAGE#133:109012/0",
  dissect: { tokenizer: "Authen Session End: user %{p0->}", field: "nwparser.payload" },
});

// 109012, last stage: session id and elapsed seconds, read from p1.
var msg962 = match({
  id: "MESSAGE#133:109012/2",
  dissect: { tokenizer: "%{sessionid->}, elapsed %{duration->} seconds", field: "nwparser.p1" },
});

// Complete 109012 pattern. The middle stage dup373 is defined elsewhere and
// presumably turns p0 into p1 (extracting the user) — confirm.
var all238 = all_match({
  processors: [msg961, dup373, msg962],
  on_success: processor_chain([
    dup83,
    set_field({ dest: "nwparser.msg_id1", value: constant("109012") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("Authen Session End") }),
  ]),
});
// 319004: route update failed; captures the address and the target, and sets
// a fixed result.
var msg963 = match({
  id: "MESSAGE#438:319004",
  dissect: {
    tokenizer: "Route update for IP address %{daddr->} to %{fld1->} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("319004") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("route update failure") }),
  ]),
});

// 400029: "<product>:<sigid> <context> from <src> to <dst> on interface <if>".
var msg964 = match({
  id: "MESSAGE#526:400029",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup52,
    set_field({ dest: "nwparser.msg_id1", value: constant("400029") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// 702210:01 variant; every stage is a shared processor defined elsewhere.
// Note that dup289 sits between dup3 and dup4 in this chain.
var all239 = all_match({
  processors: [dup374, dup89, dup288],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702210:01") }),
    dup7, dup14,
    dup2, dup3,
    dup289,
    dup4, dup5,
  ]),
});

// 702210 base variant; differs in its last stage (dup290) and has no dup14.
var all240 = all_match({
  processors: [dup374, dup89, dup290],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702210") }),
    dup7,
    dup2, dup3,
    dup289,
    dup4, dup5,
  ]),
});

// Selector over both 702210 variants, the :01 form listed first.
var select232 = linear_select([all239, all240]);
// 105001: "(<context>)<description>" — no space after the closing parenthesis.
var msg965 = match({
  id: "MESSAGE#26:105001",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup375,
    set_field({ dest: "nwparser.msg_id1", value: constant("105001") }),
    dup376, dup38,
    dup2, dup3, dup4, dup5,
  ]),
});

// 105032: the whole payload becomes event_description.
var msg966 = match({
  id: "MESSAGE#40:105032",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup324,
    set_field({ dest: "nwparser.msg_id1", value: constant("105032") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// 105041: "(<context>) <description>"; dup167 sits between dup3 and dup4 here.
var msg967 = match({
  id: "MESSAGE#50:105041",
  dissect: {
    tokenizer: "(%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup195,
    set_field({ dest: "nwparser.msg_id1", value: constant("105041") }),
    dup2, dup3,
    dup167,
    dup4, dup5,
  ]),
});
// 109008, first stage: strips "Authorization denied for user " into p0.
var msg968 = match({
  id: "MESSAGE#129:109008/0",
  dissect: { tokenizer: "Authorization denied for user %{p0->}", field: "nwparser.payload" },
});

// Complete 109008 pattern; dup61 and dup62 (defined elsewhere) parse the rest
// of the line. A fixed result marks the event as an authorization failure.
var all241 = all_match({
  processors: [msg968, dup61, dup62],
  on_success: processor_chain([
    dup98,
    set_field({ dest: "nwparser.msg_id1", value: constant("109008") }),
    dup17, dup99, dup65,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("Authorization failure") }),
  ]),
});
// 113022: an AAA server was marked FAILED; captures the protocol, the server
// address and the server group, and sets a fixed subject and description.
var msg969 = match({
  id: "MESSAGE#198:113022",
  dissect: {
    tokenizer: "AAA Marking %{protocol->} server %{hostip->} in aaa-server group %{fld1->} as FAILED",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup86,
    set_field({ dest: "nwparser.msg_id1", value: constant("113022") }),
    set_field({ dest: "nwparser.ec_subject", value: constant("Service") }),
    dup18, dup19,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("AAA marking Server as FAILED") }),
  ]),
});

// 210005: the whole payload becomes event_description.
var msg970 = match({
  id: "MESSAGE#244:210005",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup165,
    set_field({ dest: "nwparser.msg_id1", value: constant("210005") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 713213, middle stage: the form with a group name comes first, then the
// address-only form. Both expect a space before the comma that follows the
// address.
var msg971 = match({
  id: "MESSAGE#929:713213/2",
  dissect: { tokenizer: "Group = %{group->}, IP = %{saddr->} ,%{p1->}", field: "nwparser.p0" },
});
var msg972 = match({
  id: "MESSAGE#929:713213/2",
  dissect: { tokenizer: "IP = %{saddr->} ,%{p1->}", field: "nwparser.p0" },
});
var select233 = linear_select([msg971, msg972]);

// Complete 713213 pattern; dup44 and dup97 are shared stages defined elsewhere.
var all242 = all_match({
  processors: [dup44, select233, dup97],
  on_success: processor_chain([
    dup107,
    set_field({ dest: "nwparser.msg_id1", value: constant("713213") }),
    dup7, dup108, dup38,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Deleting static router for peer") }),
  ]),
});
// 715028: built only from shared stages (dup44, dup47, dup97) defined elsewhere.
var all243 = all_match({
  processors: [dup44, dup47, dup97],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("715028") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// 611306: fixed text; the trailing unnamed token captures nothing.
var msg973 = match({
  id: "MESSAGE#762:611306",
  dissect: {
    tokenizer: "VPNClient: Perfect Forward Secrecy Policy installed%{->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup126,
    set_field({ dest: "nwparser.msg_id1", value: constant("611306") }),
    dup7,
    dup2, dup3, dup4, dup5,
    dup269,
  ]),
});

// 611313: the whole payload becomes event_description.
var msg974 = match({
  id: "MESSAGE#769:611313",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup51,
    set_field({ dest: "nwparser.msg_id1", value: constant("611313") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});

// 737013: error freeing an address; captures process, address and result.
// This chain runs dup4 and dup5 before dup2 and dup3, unlike most others in
// the file; the order is kept exactly.
var msg975 = match({
  id: "MESSAGE#1238:737013",
  dissect: {
    tokenizer: "%{process->}: Error freeing address %{saddr->}, %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("737013") }),
    dup4, dup5,
    dup2, dup3,
    set_field({ dest: "nwparser.event_description", value: constant("Error freeing address") }),
  ]),
});
// The four definitions below extract no structure: the whole payload is copied
// into event_description. They differ only in the message id and in the first
// processor of the chain (defined elsewhere).

// 111111
var msg976 = match({
  id: "MESSAGE#175:111111",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("111111") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// 210007
var msg977 = match({
  id: "MESSAGE#246:210007",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup165,
    set_field({ dest: "nwparser.msg_id1", value: constant("210007") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// 409001
var msg978 = match({
  id: "MESSAGE#603:409001",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("409001") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// 409009
var msg979 = match({
  id: "MESSAGE#611:409009",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup51,
    set_field({ dest: "nwparser.msg_id1", value: constant("409009") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 109015 (authorization denied by ACL) in three variants. Each starts with its
// own first stage and then uses the shared stages dup61 and dup62, which are
// defined elsewhere.

// Variant 109015: ACL name in double quotes.
var msg980 = match({
  id: "MESSAGE#136:109015/0",
  dissect: {
    tokenizer: "Authorization denied (acl=\"%{listnum->}\") for user %{p0->}",
    field: "nwparser.payload",
  },
});
var all244 = all_match({
  processors: [msg980, dup61, dup62],
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("109015") }),
    dup17, dup99, dup18,
    dup2, dup3, dup4, dup5,
    dup191,
  ]),
});

// Variant 109015:01: "#"-delimited ACL name followed by a group.
var msg981 = match({
  id: "MESSAGE#137:109015:01/0",
  dissect: {
    tokenizer: "Authorization denied (acl=#%{listnum->}#%{group->}) for user %{p0->}",
    field: "nwparser.payload",
  },
});
var all245 = all_match({
  processors: [msg981, dup61, dup62],
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("109015:01") }),
    dup17, dup99, dup18, dup14,
    dup2, dup3, dup4, dup5,
    dup191,
  ]),
});

// Variant 109015:02: first stage is the shared dup179.
var all246 = all_match({
  processors: [dup179, dup61, dup62],
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("109015:02") }),
    dup17, dup99, dup18, dup14,
    dup2, dup3, dup4, dup5,
    dup191,
  ]),
});

// Selector over the three variants in the order listed.
var select234 = linear_select([all244, all245, all246]);
// 400024: "<product>:<sigid> <context> from <src> to <dst> on interface <if>".
var msg982 = match({
  id: "MESSAGE#521:400024",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({ dest: "nwparser.msg_id1", value: constant("400024") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// 410001 (dropped DNS packet), variant with interface names. Stages pass the
// unparsed tail along p1 -> p2 -> p3 -> p4 -> p5.
// NOTE(review): several stages below share an id ending in "/4" or "/6"; if
// ids are used to trace which stage matched, they are ambiguous here.

// Endpoints as "<interface>:<address>/<port>".
var msg983 = match({
  id: "MESSAGE#617:410001/2",
  dissect: {
    tokenizer: "%{->}from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}; %{p2->}",
    field: "nwparser.p1",
  },
});

// Which length was checked: the two shared alternatives (defined elsewhere)
// come first, then "domain-name" and "compression pointer".
var msg984 = match({
  id: "MESSAGE#617:410001/4",
  dissect: { tokenizer: "domain-name%{p3->}", field: "nwparser.p2" },
});
var msg985 = match({
  id: "MESSAGE#617:410001/4",
  dissect: { tokenizer: "compression pointer%{p3->}", field: "nwparser.p2" },
});
var select235 = linear_select([dup379, dup380, msg984, msg985]);

// Observed length in bytes.
var msg986 = match({
  id: "MESSAGE#617:410001/4",
  dissect: { tokenizer: "%{->}length %{bytes->} bytes exceeds %{p4->}", field: "nwparser.p3" },
});

// Which limit was exceeded.
var msg987 = match({
  id: "MESSAGE#617:410001/6",
  dissect: { tokenizer: "remaining packet length%{p5->}", field: "nwparser.p4" },
});
var msg988 = match({
  id: "MESSAGE#617:410001/6",
  dissect: { tokenizer: "%{->}configured%{p5->}", field: "nwparser.p4" },
});
var msg989 = match({
  id: "MESSAGE#617:410001/6",
  dissect: { tokenizer: "%{->}protocol%{p5->}", field: "nwparser.p4" },
});
var msg990 = match({
  id: "MESSAGE#617:410001/6",
  dissect: { tokenizer: "%{->}packet length%{p5->}", field: "nwparser.p4" },
});
var select236 = linear_select([msg987, msg988, msg989, msg990]);

// Complete pattern; dup377, dup378 and dup381 are shared stages defined elsewhere.
var all247 = all_match({
  processors: [dup377, dup378, msg983, select235, msg986, select236, dup381],
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("410001") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
    dup382,
  ]),
});
// 410001:02 — same shape as the interface variant, but the endpoints are
// "<address>/<port>" without an interface name.
var msg991 = match({
  id: "MESSAGE#618:410001:02/2",
  dissect: {
    tokenizer: "%{->}from %{saddr->}/%{sport->} to %{daddr->}/%{dport->}; %{p2->}",
    field: "nwparser.p1",
  },
});

// Only the two shared alternatives (defined elsewhere) are accepted here.
var select237 = linear_select([dup379, dup380]);

// Observed length in bytes.
var msg992 = match({
  id: "MESSAGE#618:410001:02/4",
  dissect: { tokenizer: "%{->}length %{bytes->} bytes exceeds %{p4->}", field: "nwparser.p3" },
});

// Which limit was exceeded. Unlike the interface variant, these two patterns
// have no leading unnamed token.
var msg993 = match({
  id: "MESSAGE#618:410001:02/6",
  dissect: { tokenizer: "configured%{p5->}", field: "nwparser.p4" },
});
var msg994 = match({
  id: "MESSAGE#618:410001:02/6",
  dissect: { tokenizer: "protocol%{p5->}", field: "nwparser.p4" },
});
var select238 = linear_select([msg993, msg994]);

// Complete pattern; dup377, dup378 and dup381 are shared stages defined elsewhere.
var all248 = all_match({
  processors: [dup377, dup378, msg991, select237, msg992, select238, dup381],
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("410001:02") }),
    dup42, dup43, dup40, dup14,
    dup2, dup3, dup4, dup5,
    dup382,
  ]),
});
// 410001:03 — single-pattern form for a dropped UDP DNS reply whose
// compression pointer length exceeds the packet length limit. Captures both
// endpoints, the observed length (bytes) and the limit (fld2).
var msg995 = match({
  id: "MESSAGE#619:410001:03",
  dissect: {
    tokenizer: "Dropped UDP DNS reply from %{saddr->}/%{sport->} to %{daddr->}/%{dport->}; compression pointer length %{bytes->} bytes exceeds packet length limit of %{fld2->} bytes",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("410001:03") }),
    dup42, dup43, dup40, dup14,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Dropped DNS UDP reply packet - length exceeded") }),
  ]),
});
// 410001:01 — "UDP DNS packet dropped due to <kind> length check ...".
// This form carries no addresses; only the two lengths are captured.
var msg996 = match({
  id: "MESSAGE#620:410001:01/0",
  dissect: { tokenizer: "UDP DNS packet dropped due to %{p0->}", field: "nwparser.payload" },
});

// Kind of check: compression, domainname, label or packet.
var msg997 = match({
  id: "MESSAGE#620:410001:01/2",
  dissect: { tokenizer: "compression%{p1->}", field: "nwparser.p0" },
});
var msg998 = match({
  id: "MESSAGE#620:410001:01/2",
  dissect: { tokenizer: "domainname%{p1->}", field: "nwparser.p0" },
});
var msg999 = match({
  id: "MESSAGE#620:410001:01/2",
  dissect: { tokenizer: "label%{p1->}", field: "nwparser.p0" },
});
var msg1000 = match({
  id: "MESSAGE#620:410001:01/2",
  dissect: { tokenizer: "packet%{p1->}", field: "nwparser.p0" },
});
var select239 = linear_select([msg997, msg998, msg999, msg1000]);

// Checked length (bytes) and actual length (fld11).
var msg1001 = match({
  id: "MESSAGE#620:410001:01/2",
  dissect: {
    tokenizer: "%{->}length check of %{bytes->} bytes: actual length:%{fld11->} bytes",
    field: "nwparser.p1",
  },
});

var all249 = all_match({
  processors: [msg996, select239, msg1001],
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("410001:01") }),
    dup14,
    dup2, dup3, dup4, dup5,
    dup382,
  ]),
});

// Selector over all four 410001 forms in the order listed.
var select240 = linear_select([all247, all248, msg995, all249]);
// 718045: peer created; the address is taken from inside square brackets and a
// fixed event description is set.
var msg1002 = match({
  id: "MESSAGE#1099:718045",
  dissect: {
    tokenizer: "Created peer %{space->}[%{saddr->}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718045") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Created peer") }),
  ]),
});
// 715020, last stage: address followed by the construct_cfg_set action text,
// read from p1.
var msg1003 = match({
  id: "MESSAGE#1000:715020/2",
  dissect: { tokenizer: "%{saddr->}, construct_cfg_set: %{action->}", field: "nwparser.p1" },
});

// Complete 715020 pattern; dup22 and dup23 are shared stages defined elsewhere.
var all250 = all_match({
  processors: [dup22, dup23, msg1003],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("715020") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// 611319: the whole payload becomes event_description.
var msg1004 = match({
  id: "MESSAGE#775:611319",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup375,
    set_field({ dest: "nwparser.msg_id1", value: constant("611319") }),
    dup7, dup376, dup38,
    dup2, dup3, dup4, dup5,
  ]),
});
// 713131 base variant, built only from shared stages defined elsewhere.
var all251 = all_match({
  processors: [dup22, dup23, dup241],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("713131") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});

// 713131:01 — single-pattern form with group, address and the unknown
// transaction mode attribute (stored in change_attribute).
var msg1005 = match({
  id: "MESSAGE#898:713131:01",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, Received unknown transaction mode attribute: %{change_attribute->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("713131:01") }),
    dup7, dup14,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Received unknown transaction mode attribute") }),
  ]),
});

// Selector over both 713131 forms, the staged form listed first.
var select241 = linear_select([all251, msg1005]);
// 202001: the whole payload becomes event_description.
var msg1006 = match({
  id: "MESSAGE#229:202001",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("202001") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// 302003: H245 connection built; faddr is stored as saddr and laddr as daddr.
var msg1007 = match({
  id: "MESSAGE#277:302003",
  dissect: {
    tokenizer: "Built H245 connection for faddr %{saddr->} laddr %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("302003") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
    dup193,
  ]),
});
// 735003: power supply OK; the supply number goes to dclass_counter1.
// This chain runs dup4 and dup5 before dup2 and dup3; the order is kept exactly.
var msg1008 = match({
  id: "MESSAGE#1221:735003",
  dissect: {
    tokenizer: "Power Supply %{dclass_counter1->}: OK",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("735003") }),
    dup4, dup5,
    dup2, dup3,
    set_field({ dest: "nwparser.event_description", value: constant("Power Supply OK") }),
  ]),
});

// 750007: SA down; captures local and remote address and port, the user name
// and the device-supplied reason (stored in result).
var msg1009 = match({
  id: "MESSAGE#1267:750007",
  dissect: {
    tokenizer: "Local:%{saddr->}:%{sport->} Remote:%{daddr->}:%{dport->} Username:%{username->} SA DOWN. Reason: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("750007") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("SA DOWN") }),
  ]),
});
// 111007 (configuration read started), parsed as payload -> p0 -> p1.
var msg1010 = match({
  id: "MESSAGE#171:111007/0",
  dissect: { tokenizer: "Begin configuration: %{p0->}", field: "nwparser.payload" },
});

// Who started the read: the literal "Console" or "console", otherwise the
// leading token is stored as hostip.
var msg1011 = match({
  id: "MESSAGE#171:111007/2",
  dissect: { tokenizer: "Console reading from %{p1->}", field: "nwparser.p0" },
});
var msg1012 = match({
  id: "MESSAGE#171:111007/2",
  dissect: { tokenizer: "console reading from %{p1->}", field: "nwparser.p0" },
});
var msg1013 = match({
  id: "MESSAGE#171:111007/2",
  dissect: { tokenizer: "%{hostip->} reading from %{p1->}", field: "nwparser.p0" },
});
var select242 = linear_select([msg1011, msg1012, msg1013]);

// What the configuration is read from; the whole tail becomes "device".
var msg1014 = match({
  id: "MESSAGE#171:111007/2",
  dissect: { tokenizer: "%{device->}", field: "nwparser.p1" },
});

var all252 = all_match({
  processors: [msg1010, select242, msg1014],
  on_success: processor_chain([
    dup105,
    set_field({ dest: "nwparser.msg_id1", value: constant("111007") }),
    dup38, dup327, dup39,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("Begin configuration - reading from device") }),
  ]),
});
// 113016, first stage: action, reason (stored in result) and AAA server
// address; the user part is handed on through p0.
var msg1015 = match({
  id: "MESSAGE#193:113016/0",
  dissect: {
    tokenizer: "%{action->} : reason = %{result->} : server = %{hostip->} : user = %{p0->}",
    field: "nwparser.payload",
  },
});

// Complete 113016 pattern; dup238 (defined elsewhere) parses the user part.
var all253 = all_match({
  processors: [msg1015, dup238],
  on_success: processor_chain([
    dup16,
    set_field({ dest: "nwparser.msg_id1", value: constant("113016") }),
    dup17, dup18, dup19,
    dup2, dup3, dup4, dup5,
  ]),
});
// 325002: duplicate address detected; captures the address (hostip_v6), the
// MAC address and the interface.
var msg1016 = match({
  id: "MESSAGE#462:325002",
  dissect: {
    tokenizer: "Duplicate address %{hostip_v6->}/%{macaddr->} on %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup51,
    set_field({ dest: "nwparser.msg_id1", value: constant("325002") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 402103 (identity mismatch), parsed as payload -> p0 -> p1.
var msg1017 = match({
  id: "MESSAGE#556:402103/0",
  dissect: {
    tokenizer: "identity doesn't match negotiated identity %{p0->}",
    field: "nwparser.payload",
  },
});

// The identity kind is written either as "ip" or as "(ip)".
var msg1018 = match({
  id: "MESSAGE#556:402103/2",
  dissect: { tokenizer: "ip%{p1->}", field: "nwparser.p0" },
});
var msg1019 = match({
  id: "MESSAGE#556:402103/2",
  dissect: { tokenizer: "(ip)%{p1->}", field: "nwparser.p0" },
});
var select243 = linear_select([msg1018, msg1019]);

// Destination and source address, protocol, and the identity text (info).
// The pattern expects a space after "prot=".
var msg1020 = match({
  id: "MESSAGE#556:402103/2",
  dissect: {
    tokenizer: "%{->}dest_addr=%{daddr->}, src_addr=%{saddr->}, prot= %{protocol->}, (ident) %{info->}",
    field: "nwparser.p1",
  },
});

// In this chain the fixed result is set between dup3 and dup4.
var all254 = all_match({
  processors: [msg1017, select243, msg1020],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("402103") }),
    dup7,
    dup42, dup43, dup40,
    dup2, dup3,
    set_field({ dest: "nwparser.result", value: constant("identity doesn't match") }),
    dup4, dup5,
  ]),
});
// ASA 113009, "for user" variant. The policy name may or may not be wrapped
// in parentheses; the parenthesised pattern is listed first in select244.
// NOTE(review): presumably alternatives are tried in list order, so swapping
// them could leave the parentheses inside policyname; confirm before reordering.
var msg1021 = match({
  id: "MESSAGE#185:113009/2",
  dissect: { tokenizer: "(%{policyname->}) for user %{p1->}", field: "nwparser.p0" },
});

var msg1022 = match({
  id: "MESSAGE#185:113009/2",
  dissect: { tokenizer: "%{policyname->} for user %{p1->}", field: "nwparser.p0" },
});

var select244 = linear_select([msg1021, msg1022]);

var msg1023 = match({
  id: "MESSAGE#185:113009/3",
  dissect: { tokenizer: "= %{p3->}", field: "nwparser.p2" },
});

// dup383, dup254 and dup384 are stages defined elsewhere in the file; the
// stages visible here read p0 and p2 and write p1 and p3.
var all255 = all_match({
  processors: [dup383, select244, dup254, msg1023, dup384],
  on_success: processor_chain([
    dup83,
    set_field({ dest: "nwparser.msg_id1", value: constant("113009") }),
    dup14, dup2, dup3, dup4, dup5, dup385,
  ]),
});
// ASA 113009:01, the variant without the word "user": the remainder after
// "for" is captured whole as daddr by msg1026.
var msg1024 = match({
  id: "MESSAGE#186:113009:01/2",
  dissect: { tokenizer: "(%{policyname->}) for %{p1->}", field: "nwparser.p0" },
});

var msg1025 = match({
  id: "MESSAGE#186:113009:01/2",
  dissect: { tokenizer: "%{policyname->} for %{p1->}", field: "nwparser.p0" },
});

var select245 = linear_select([msg1024, msg1025]);

var msg1026 = match({
  id: "MESSAGE#186:113009:01/2",
  dissect: { tokenizer: "%{daddr->}", field: "nwparser.p1" },
});

var all256 = all_match({
  processors: [dup383, select245, msg1026],
  on_success: processor_chain([
    dup83,
    set_field({ dest: "nwparser.msg_id1", value: constant("113009:01") }),
    dup14, dup2, dup3, dup4, dup5, dup385,
  ]),
});

// Dispatcher for message 113009: the "for user" form is listed before the
// looser ":01" form.
var select246 = linear_select([all255, all256]);
// ASA 402114: ESP packet received with an invalid SPI.
// NOTE(review): saddr here is the sender address of a packet that did not
// match an SPI, so it is presumably unauthenticated; downstream rules should
// not treat it as attribution without corroboration.
var msg1027 = match({
  id: "MESSAGE#558:402114",
  dissect: {
    tokenizer: "IPSEC: Received an ESP packet %{space->} (%{result->}) from %{saddr->} to %{daddr->} with an invalid SPI",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("402114") }),
    dup7, dup42, dup43, dup40, dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received an ESP packet with an invalid SPI"),
    }),
  ]),
});
// ASA 505003: catch-all. The whole payload becomes event_description and no
// structured fields are extracted, so rules on this id must match free text.
var msg1028 = match({
  id: "MESSAGE#692:505003",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup207,
    set_field({ dest: "nwparser.msg_id1", value: constant("505003") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 713075, variant whose prefix is handled by dup22/dup23 (defined
// elsewhere). Visible stages: p1 -> saddr + p2, then p2 is either the
// "duration from X to Y seconds" form or whatever dup386 accepts.
var msg1029 = match({
  id: "MESSAGE#878:713075/2",
  dissect: { tokenizer: "%{saddr->} , %{p2->}", field: "nwparser.p1" },
});

var msg1030 = match({
  id: "MESSAGE#878:713075/3",
  dissect: {
    tokenizer: "%{event_description->} duration from %{fld1->} to %{fld2->} seconds",
    field: "nwparser.p2",
  },
});

var select247 = linear_select([msg1030, dup386]);

var all257 = all_match({
  processors: [dup22, dup23, msg1029, select247],
  on_success: processor_chain([
    dup244,
    set_field({ dest: "nwparser.msg_id1", value: constant("713075") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// ASA 713075:01, the "Group = ..., IP = ..." form. The trailing space inside
// msg1032's tokenizer is part of the pattern and is kept as-is.
var msg1031 = match({
  id: "MESSAGE#879:713075:01/0",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->} ,%{p0->}",
    field: "nwparser.payload",
  },
});

var msg1032 = match({
  id: "MESSAGE#879:713075:01/1",
  dissect: {
    tokenizer: "%{event_description->} from %{fld1->} to %{fld2->} seconds ",
    field: "nwparser.p0",
  },
});

var select248 = linear_select([msg1032, dup304]);

var all258 = all_match({
  processors: [msg1031, select248],
  on_success: processor_chain([
    dup244,
    set_field({ dest: "nwparser.msg_id1", value: constant("713075:01") }),
    dup7, dup14, dup2, dup3, dup4, dup5,
  ]),
});

// Dispatcher for message 713075.
var select249 = linear_select([all257, all258]);
// ASA 709007: catch-all tokenizer; the payload is stored verbatim as
// event_description and the result is a parser-supplied constant.
var msg1033 = match({
  id: "MESSAGE#840:709007",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup75,
    set_field({ dest: "nwparser.msg_id1", value: constant("709007") }),
    dup38, dup39, dup19, dup2, dup3,
    set_field({
      dest: "nwparser.result",
      value: constant("Configuration replication failure"),
    }),
    dup4, dup5,
  ]),
});
// ASA 322001: MAC address denied, possible spoof attempt.
// NOTE(review): the MAC address is captured into daddr, a field other
// patterns in this file fill with IP addresses. Confirm the downstream
// mapping tolerates a MAC there, otherwise this event may be dropped or
// mis-typed when indexed. Both description and result are constants.
var msg1034 = match({
  id: "MESSAGE#445:322001",
  dissect: {
    tokenizer: "Deny MAC address %{daddr->}, possible spoof attempt on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("322001") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("denied mac address") }),
    set_field({ dest: "nwparser.result", value: constant("possible spoof attempt") }),
  ]),
});
// ASA 404101: catch-all; whole payload kept as event_description.
var msg1035 = match({
  id: "MESSAGE#586:404101",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup51,
    set_field({ dest: "nwparser.msg_id1", value: constant("404101") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// ASA 411001: line protocol state change on an interface. The state text is
// taken from ", <result> " when present, otherwise dup285 (defined elsewhere)
// handles the remainder.
var msg1036 = match({
  id: "MESSAGE#621:411001/0",
  dissect: {
    tokenizer: "Line protocol on Interface %{interface->} %{p0->}",
    field: "nwparser.payload",
  },
});

var msg1037 = match({
  id: "MESSAGE#621:411001/1",
  dissect: { tokenizer: ", %{result->} ", field: "nwparser.p0" },
});

var select250 = linear_select([msg1037, dup285]);

var all259 = all_match({
  processors: [msg1036, select250],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("411001") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 415002: HTTP inspection flagged instant-messenger traffic. Signature
// id, list number, protocol and both endpoints are extracted; the context
// label is a constant.
var msg1038 = match({
  id: "MESSAGE#633:415002",
  dissect: {
    tokenizer: "%{sigid->} HTTP Instant Messenger detected - %{listnum->} %{protocol->} from %{saddr->} to %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup206,
    set_field({ dest: "nwparser.msg_id1", value: constant("415002") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.context",
      value: constant("HTTP Instant Messenger detected"),
    }),
  ]),
});
// ASA 415009: HTTP header length exceeded.
// NOTE(review): the received header size in bytes is captured into a field
// named "priority"; anyone alerting on oversized headers has to read it from
// there. Confirm that naming is intended.
var msg1039 = match({
  id: "MESSAGE#642:415009",
  dissect: {
    tokenizer: "%{sigid->} HTTP Header length exceeded. Received %{priority->} byte Header - %{listnum->} header length exceeded from %{saddr->} to %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup206,
    set_field({ dest: "nwparser.msg_id1", value: constant("415009") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.context",
      value: constant("HTTP Header length exceeded"),
    }),
  ]),
});
// ASA 419003: the device cleared the TCP urgent flag on a flow. Both
// interface:address/port tuples are extracted.
var msg1040 = match({
  id: "MESSAGE#655:419003",
  dissect: {
    tokenizer: "Cleared TCP urgent flag from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("419003") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Cleared TCP urgent flag"),
    }),
  ]),
});
// ASA 314001: RTSP back-connection pre-allocation. The line is consumed in
// nine stages chained through p0..p7; each select covers the spelling
// variants seen in different ASA releases (e.g. "faddr" / "foreign_address" /
// "<interface>:").
// NOTE(review): many stages reuse the same id suffix (/2, /4, /7, /8), so the
// id alone does not identify which stage matched.

// Stage: "-allocated" | "-allocate" | "allocate" (longest literal first).
var msg1041 = match({
  id: "MESSAGE#412:314001/2",
  dissect: { tokenizer: "-allocated%{p1->}", field: "nwparser.p0" },
});

var msg1042 = match({
  id: "MESSAGE#412:314001/2",
  dissect: { tokenizer: "-allocate%{p1->}", field: "nwparser.p0" },
});

var msg1043 = match({
  id: "MESSAGE#412:314001/2",
  dissect: { tokenizer: "allocate%{p1->}", field: "nwparser.p0" },
});

var select251 = linear_select([msg1041, msg1042, msg1043]);

var msg1044 = match({
  id: "MESSAGE#412:314001/2",
  dissect: {
    tokenizer: "%{->}RTSP %{protocol->} backconnection for %{p2->}",
    field: "nwparser.p1",
  },
});

// Stage: label or interface preceding the source address.
var msg1045 = match({
  id: "MESSAGE#412:314001/4",
  dissect: { tokenizer: "faddr %{p3->}", field: "nwparser.p2" },
});

var msg1046 = match({
  id: "MESSAGE#412:314001/4",
  dissect: { tokenizer: "foreign_address %{p3->}", field: "nwparser.p2" },
});

var msg1047 = match({
  id: "MESSAGE#412:314001/4",
  dissect: { tokenizer: "%{sinterface->}:%{p3->}", field: "nwparser.p2" },
});

var select252 = linear_select([msg1045, msg1046, msg1047]);

var msg1048 = match({
  id: "MESSAGE#412:314001/4",
  dissect: { tokenizer: "%{->} %{saddr->} %{p4->}", field: "nwparser.p3" },
});

var msg1049 = match({
  id: "MESSAGE#412:314001/6",
  dissect: { tokenizer: "/%{sport->} to %{p5->}", field: "nwparser.p4" },
});

// Single-alternative select, kept as generated.
var select253 = linear_select([msg1049]);

// Stage: label or interface preceding the destination address.
var msg1050 = match({
  id: "MESSAGE#412:314001/7",
  dissect: { tokenizer: "laddr %{p6->}", field: "nwparser.p5" },
});

var msg1051 = match({
  id: "MESSAGE#412:314001/7",
  dissect: { tokenizer: "local_address %{p6->}", field: "nwparser.p5" },
});

var msg1052 = match({
  id: "MESSAGE#412:314001/7",
  dissect: { tokenizer: "%{dinterface->}:%{p6->}", field: "nwparser.p5" },
});

var select254 = linear_select([msg1050, msg1051, msg1052]);

var msg1053 = match({
  id: "MESSAGE#412:314001/7",
  dissect: { tokenizer: "%{daddr->}/ %{p7->}", field: "nwparser.p6" },
});

// Stage: destination port, with or without a trailing period.
var msg1054 = match({
  id: "MESSAGE#412:314001/8",
  dissect: { tokenizer: "%{dport->}. ", field: "nwparser.p7" },
});

var msg1055 = match({
  id: "MESSAGE#412:314001/8",
  dissect: { tokenizer: "%{dport->} ", field: "nwparser.p7" },
});

var select255 = linear_select([msg1054, msg1055]);

// dup114 (defined elsewhere) is the first stage and is expected to fill p0.
var all260 = all_match({
  processors: [
    dup114,
    select251,
    msg1044,
    select252,
    msg1048,
    select253,
    select254,
    msg1053,
    select255,
  ],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("314001") }),
    dup42, dup43, dup40, dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Pre-allocated connection"),
    }),
  ]),
});
// ASA 715036: two variants that differ only in their first stage (dup339 vs
// dup341, both defined elsewhere) and in the msg_id1 suffix. The ":01"
// variant is listed first in select256.
var all261 = all_match({
  processors: [dup339, dup387],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("715036:01") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});

var all262 = all_match({
  processors: [dup341, dup387],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("715036") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});

var select256 = linear_select([all261, all262]);
// ASA 720068: VPN failover message. The text inside "(VPN-...)" becomes
// context and the rest of the line becomes event_description.
var msg1056 = match({
  id: "MESSAGE#1144:720068",
  dissect: {
    tokenizer: "(VPN-%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("720068") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// ASA 401001: catch-all; whole payload kept as event_description.
var msg1057 = match({
  id: "MESSAGE#549:401001",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("401001") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 403109: packet received on the PPTP path that is not a PPTP packet.
// The trailing "data:" portion of the line is stored in result as logged.
var msg1058 = match({
  id: "MESSAGE#577:403109",
  dissect: {
    tokenizer: "Rec'd packet not an PPTP packet. (%{service->}) dest_addr=%{daddr->}, src_addr=%{saddr->}, data: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup76,
    set_field({ dest: "nwparser.msg_id1", value: constant("403109") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("invalid PPTP packet"),
    }),
  ]),
});
// ASA 713902: three variants sharing the first stage dup44. Most stages are
// defined elsewhere in the file (dup388, dup389, dup210, dup33, dup390,
// dup138); only the ":02" tail pattern is defined here.
var select257 = linear_select([dup388, dup389, dup210]);

var all263 = all_match({
  processors: [dup44, select257, dup33],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("713902") }),
    dup7, dup38, dup39, dup87, dup2, dup3, dup4, dup5,
  ]),
});

// Tail for the ":02" variant. The literal "!" at the end must be present for
// the pattern to apply.
var msg1059 = match({
  id: "MESSAGE#958:713902:02/2",
  dissect: {
    tokenizer: "%{saddr->}, %{action->} (P2 struct %{fld11->}, mess id %{fld12->})!",
    field: "nwparser.p1",
  },
});

var all264 = all_match({
  processors: [dup44, dup390, msg1059],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("713902:02") }),
    dup7, dup38, dup39, dup87, dup14, dup2, dup3, dup4, dup5,
  ]),
});

var all265 = all_match({
  processors: [dup44, dup390, dup138],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("713902:01") }),
    dup7, dup38, dup39, dup87, dup14, dup2, dup3, dup4, dup5,
  ]),
});

// Dispatcher for message 713902.
var select258 = linear_select([all263, all264, all265]);
// ASA 752015: Tunnel Manager could not establish a LAN-to-LAN SA. The first
// sentence after the fixed text becomes result, the remainder becomes info.
var msg1060 = match({
  id: "MESSAGE#1276:752015",
  dissect: {
    tokenizer: "Tunnel Manager has failed to establish an L2L SA. %{result->}. %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("752015") }),
    dup4, dup5, dup2, dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Tunnel Manager has failed to establish an L2L SA"),
    }),
  ]),
});
// ASA 407002: embryonic connection limit exceeded for through-the-box
// connections. Two wordings are handled; in the first the limit is logged as
// "<fld1>/<fld2>" before the sentence, in the second as a single value after
// it. Source/destination tuples and the interface are extracted in both.
var msg1061 = match({
  id: "MESSAGE#599:407002",
  dissect: {
    tokenizer: "Embryonic limit %{fld1->}/%{fld2->} for through connections exceeded. %{saddr->}/%{sport->} to %{daddr->} (%{fld3->})/%{dport->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("407002") }),
    dup42, dup43, dup19, dup2, dup3, dup4, dup5, dup391, dup392,
  ]),
});

var msg1062 = match({
  id: "MESSAGE#600:407002:01",
  dissect: {
    tokenizer: "Embryonic limit for through connections exceeded %{fld1->}. %{saddr->}/%{sport->} to %{daddr->} (%{fld2->})/%{dport->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("407002:01") }),
    dup42, dup43, dup19, dup14, dup2, dup3, dup4, dup5, dup391, dup392,
  ]),
});

// Dispatcher for message 407002.
var select259 = linear_select([msg1061, msg1062]);
// ASA 703001: catch-all; whole payload kept as event_description.
var msg1063 = match({
  id: "MESSAGE#832:703001",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("703001") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 713169: IKE delete received for a rekeyed SA. Group and peer address
// are extracted; the description is a constant that paraphrases the log text.
var msg1064 = match({
  id: "MESSAGE#915:713169",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, IKE Received delete for rekeyed SA %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup244,
    set_field({ dest: "nwparser.msg_id1", value: constant("713169") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKE received delete message from remote peer"),
    }),
  ]),
});
// ASA 713221: generic "Group = ..., IP = ..., <text>" line; everything after
// the peer address is kept unparsed in info.
var msg1065 = match({
  id: "MESSAGE#935:713221",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713221") }),
    dup7, dup2, dup3, dup4, dup5, dup8,
  ]),
});
// ASA 710007: NAT-T keepalive received. Only the destination side carries an
// interface name in this message format.
var msg1066 = match({
  id: "MESSAGE#848:710007",
  dissect: {
    tokenizer: "NAT-T keepalive received from %{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("710007") }),
    dup42, dup43, dup40, dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("NAT-T keepalive received"),
    }),
  ]),
});
// ASA 715075: IKE keepalive-style message; the action text, its type and the
// sequence number are extracted alongside group and peer address.
var msg1067 = match({
  id: "MESSAGE#1040:715075",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{action->} of type %{fld1->} (seq number %{fld2->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup37,
    set_field({ dest: "nwparser.msg_id1", value: constant("715075") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// ASA 717002: catch-all. Unlike its neighbours this entry sets eventcategory
// inline rather than through a shared dup step.
var msg1068 = match({
  id: "MESSAGE#1063:717002",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    set_field({ dest: "nwparser.eventcategory", value: constant("1613030000") }),
    set_field({ dest: "nwparser.msg_id1", value: constant("717002") }),
    dup11, dup293, dup19, dup2, dup3, dup4, dup5,
  ]),
});
// ASA 713122: keep-alives are configured locally but the peer does not
// support them. fld1 holds the configured state, fld2 the keep-alive type.
var msg1069 = match({
  id: "MESSAGE#888:713122",
  dissect: {
    tokenizer: "IP = %{saddr->}, Keep-alives configured %{fld1->} but peer does not support keep-alives (type = %{fld2->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("713122") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// ASA 718016: HELLO response received; the bracketed sender address is the
// only extracted value.
var msg1070 = match({
  id: "MESSAGE#1090:718016",
  dissect: {
    tokenizer: "Received HELLO response from [%{saddr->}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718016") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received HELLO response"),
    }),
  ]),
});
// ASA 722035: large packet on an SSL VPN session. The peer address may be
// followed by a parenthesised value (fld1); the form with it is listed first.
// NOTE(review): the log text says "Received large packet" while the constant
// event_description says "transmitting large packet". The string is emitted
// at runtime and is left untouched here; confirm which direction is intended
// before relying on it in detections.
var msg1071 = match({
  id: "MESSAGE#1170:722035/3",
  dissect: {
    tokenizer: "%{saddr->} (%{fld1->})> Received large packet %{p2->}",
    field: "nwparser.p1",
  },
});

var msg1072 = match({
  id: "MESSAGE#1170:722035/3",
  dissect: {
    tokenizer: "%{saddr->}> Received large packet %{p2->}",
    field: "nwparser.p1",
  },
});

var select260 = linear_select([msg1071, msg1072]);

var msg1073 = match({
  id: "MESSAGE#1170:722035/3",
  dissect: { tokenizer: "%{bytes->} (%{info->}).", field: "nwparser.p2" },
});

// dup181 and dup182 (defined elsewhere) are the leading stages.
var all266 = all_match({
  processors: [dup181, dup182, select260, msg1073],
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("722035") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("transmitting large packet"),
    }),
  ]),
});
// ASA 702207: duplicate ISAKMP packet detected. The role of the local side
// decides the mapping: as initiator, local -> saddr and remote -> daddr; as
// responder the two are swapped so that saddr is the remote peer.
var msg1074 = match({
  id: "MESSAGE#816:702207",
  dissect: {
    tokenizer: "ISAKMP duplicate packet detected (local %{saddr->} (initiator), remote %{daddr->}, message-ID %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("702207") }),
    dup7, dup4, dup5, dup2, dup3, dup393,
  ]),
});

var msg1075 = match({
  id: "MESSAGE#817:702207:01",
  dissect: {
    tokenizer: "ISAKMP duplicate packet detected (local %{daddr->} (responder), remote %{saddr->}, message-ID %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("702207:01") }),
    dup7, dup14, dup4, dup5, dup2, dup3, dup393,
  ]),
});

// Dispatcher for message 702207.
var select261 = linear_select([msg1074, msg1075]);
// ASA 713052: user authenticated (IKE/XAUTH path).
// NOTE(review): the user name inside "User (...)" is captured into fld1, not
// into a user field by this pattern. Check whether one of the dup steps in
// on_success copies it across; otherwise authentication detections keyed on
// a user field will not see it.
var msg1076 = match({
  id: "MESSAGE#868:713052/2",
  dissect: {
    tokenizer: "%{saddr->}, User (%{fld1->}) authenticated",
    field: "nwparser.p1",
  },
});

// dup22 and dup23 (defined elsewhere) are the leading stages.
var all267 = all_match({
  processors: [dup22, dup23, msg1076],
  on_success: processor_chain([
    dup63,
    set_field({ dest: "nwparser.msg_id1", value: constant("713052") }),
    dup7, dup18, dup17, dup106, dup40, dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("User authenticated"),
    }),
  ]),
});
// ASA 715060: IKE action with a stated reason; the text after "Reason:" is
// stored in result.
var msg1077 = match({
  id: "MESSAGE#1033:715060",
  dissect: {
    tokenizer: "IP = %{saddr->}, %{action->}. %{space->} Reason: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("715060") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// ASA 120007: Call-Home message delivered. The destination is captured as
// web_host, which makes this id useful for reviewing where the device sends
// Call-Home data.
var msg1078 = match({
  id: "MESSAGE#11:120007",
  dissect: {
    tokenizer: "Call-Home %{info->} message to %{web_host->} delivered",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("120007") }),
    dup4, dup5, dup2, dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Call-Home message delivered"),
    }),
  ]),
});
// ASA 737003: DHCP configured but no viable server for a tunnel-group. The
// form carrying "Session=<id>" is listed first; the quoted tunnel-group name
// is stored in info in both forms.
var msg1079 = match({
  id: "MESSAGE#1228:737003:01",
  dissect: {
    tokenizer: "%{process->}: Session=%{sessionid->}, DHCP configured, no viable servers found for tunnel-group '%{info->}'",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("737003:01") }),
    dup2, dup3, dup394, dup4, dup5,
  ]),
});

var msg1080 = match({
  id: "MESSAGE#1229:737003",
  dissect: {
    tokenizer: "%{process->}: DHCP configured, no viable servers found for tunnel-group '%{info->}'",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("737003") }),
    dup2, dup3, dup394, dup4, dup5,
  ]),
});

// Dispatcher for message 737003.
var select262 = linear_select([msg1079, msg1080]);
// ASA 752012: tunnel setup failed. The IKEv1-specific wording is listed
// first; the second pattern accepts any leading token (captured as node) and
// therefore also covers other protocol names.
var msg1081 = match({
  id: "MESSAGE#1274:752012",
  dissect: {
    tokenizer: "IKEv1 was unsuccessful at setting up a tunnel. Map Tag = %{info->}. Map Sequence Number = %{dclass_counter1->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("752012") }),
    dup4, dup5, dup2, dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IKEv1 was unsuccessful at setting up a tunnel"),
    }),
  ]),
});

var msg1082 = match({
  id: "MESSAGE#1275:752012:1",
  dissect: {
    tokenizer: "%{node->} was unsuccessful at setting up a tunnel. Map Tag = %{info->}. Map Sequence Number = %{dclass_counter1->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("752012:1") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("unsuccessful at setting up a tunnel"),
    }),
  ]),
});

// Dispatcher for message 752012.
var select263 = linear_select([msg1081, msg1082]);
// ASA 317002: catch-all; whole payload kept as event_description.
var msg1083 = match({
  id: "MESSAGE#424:317002",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("317002") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 338301: DNS reply intercepted for a listed name/domain. The queried
// name is captured as web_domain together with both flow endpoints.
// NOTE(review): web_domain originates from DNS traffic crossing the device
// and should be handled as untrusted text wherever it is displayed or used
// to build queries downstream.
var msg1084 = match({
  id: "MESSAGE#487:338301/0",
  dissect: {
    tokenizer: "Intercepted DNS reply for %{p0->}",
    field: "nwparser.payload",
  },
});

// The noun after "for" is either "domain" or "name".
var msg1085 = match({
  id: "MESSAGE#487:338301/2",
  dissect: { tokenizer: "domain%{p1->}", field: "nwparser.p0" },
});

var msg1086 = match({
  id: "MESSAGE#487:338301/2",
  dissect: { tokenizer: "name%{p1->}", field: "nwparser.p0" },
});

var select264 = linear_select([msg1085, msg1086]);

var msg1087 = match({
  id: "MESSAGE#487:338301/2",
  dissect: {
    tokenizer: "%{->} %{web_domain->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}, %{result->}",
    field: "nwparser.p1",
  },
});

// The description constant says "name" for both the "domain" and "name" forms.
var all268 = all_match({
  processors: [msg1084, select264, msg1087],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("338301") }),
    dup42, dup43, dup40, dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Intercepted DNS reply for name"),
    }),
  ]),
});
// ASA 444106: shared-license backup server unreachable; its address is
// captured as hostip.
var msg1088 = match({
  id: "MESSAGE#670:444106",
  dissect: {
    tokenizer: "Shared license backup server %{hostip->} is not available",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("444106") }),
    dup4, dup5, dup2, dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license backup server not available"),
    }),
  ]),
});
// ASA 720040: VPN failover message; "(VPN-<context>)" prefix, then free text.
var msg1089 = match({
  id: "MESSAGE#1133:720040",
  dissect: {
    tokenizer: "(VPN-%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({ dest: "nwparser.msg_id1", value: constant("720040") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// ASA 721001: WebVPN failover message; "(WebVPN-<context>)" prefix, then
// free text.
var msg1090 = match({
  id: "MESSAGE#1145:721001",
  dissect: {
    tokenizer: "(WebVPN-%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("721001") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 733100: threat-detection rate message. The bracketed object becomes
// obj_name, the first sentence becomes action and the rest becomes info.
// The description constant is spelled "exceded" (sic). It is an emitted field
// value, so it is reproduced unchanged; searches and rules that match this
// text must use the same spelling.
var msg1091 = match({
  id: "MESSAGE#1210:733100",
  dissect: {
    tokenizer: "[%{obj_name->}] %{action->}. %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("733100") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("drop rate exceded for port"),
    }),
  ]),
});
// ASA 103003: failover message; "(<context>)" prefix, then free text.
var msg1092 = match({
  id: "MESSAGE#15:103003",
  dissect: {
    tokenizer: "(%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("103003") }),
    dup2, dup3, dup4, dup5, dup302,
  ]),
});
// ASA 414001: the logging buffer could not be saved to the FTP server. A
// failure here means buffered logs may not have been exported, which matters
// when checking log completeness. File name, server address, interface and
// the bracketed error are extracted.
var msg1093 = match({
  id: "MESSAGE#630:414001",
  dissect: {
    tokenizer: "Failed to save logging buffer using file name %{filename->} to FTP server %{hostip->} on interface %{interface->}: [%{result->}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("414001") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// ASA 415012: HTTP inspection reported a deobfuscation signature, logged by
// the device as an IPS evasion technique. Signature id, list number and both
// endpoints are extracted; the context label is a constant.
var msg1094 = match({
  id: "MESSAGE#645:415012",
  dissect: {
    tokenizer: "%{sigid->} HTTP Deobfuscation signature detected - %{listnum->} HTTP deobfuscation detected IPS evasion technique from %{saddr->} to %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup206,
    set_field({ dest: "nwparser.msg_id1", value: constant("415012") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.context",
      value: constant("HTTP Deobfuscation signature detected"),
    }),
  ]),
});
// ASA 602103: ICMP Destination Unreachable received; the subsystem prefix is
// stored as product, the sender as saddr and the remaining detail as info.
var msg1095 = match({
  id: "MESSAGE#708:602103",
  dissect: {
    tokenizer: "%{product->}: Received an ICMP Destination Unreachable from %{saddr->} with %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("602103") }),
    dup7, dup2, dup3, dup4, dup5, dup395,
  ]),
});
// ASA 106100, single-pattern form for "denied" entries only: access-list
// name, protocol, both interface/address(port) tuples and the hit count are
// extracted in one pass. Other verbs are handled by the staged variants
// (106100:01..:03).
var msg1096 = match({
  id: "MESSAGE#99:106100",
  dissect: {
    tokenizer: "access-list %{listnum->} denied %{protocol->} %{sinterface->}/%{saddr->}(%{sport->}) -> %{dinterface->}/%{daddr->}(%{dport->}) hit-cnt %{dclass_counter1->} %{fld6->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("106100") }),
    dup42, dup43, dup19, dup2, dup3, dup4, dup5, dup396, dup371,
  ]),
});
// ASA 106100:01: access-list hit where the source is annotated with an
// identity in the form (DOMAIN\user). In the tokenizer "\\" is a JavaScript
// escape for one literal backslash.
// NOTE(review): domain and username are split on the literal "\" and the
// closing ")". An account name containing either character would presumably
// shift the boundaries of the fields that follow; confirm against the dissect
// implementation before trusting username for attribution.
var msg1097 = match({
  id: "MESSAGE#100:106100:01/2",
  dissect: {
    tokenizer: "ed %{protocol->} %{sinterface->}/%{saddr->}(%{sport->})(%{domain->}\\%{username->}) -> %{dinterface->}/%{daddr->}(%{p2->}",
    field: "nwparser.p1",
  },
});

var select265 = linear_select([dup399, dup400]);

// dup397, dup398 and dup401 are stages defined elsewhere in the file.
var all269 = all_match({
  processors: [dup397, dup398, msg1097, select265, dup401],
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("106100:01") }),
    dup42, dup43, dup40, dup14, dup2, dup3, dup4, dup5, dup396, dup402,
  ]),
});
// ASA 106100:02: access-list hit where the source tuple is followed by a
// second parenthesised value that is kept opaque in fld5 (no domain/user
// split, unlike the ":01" variant).
var msg1098 = match({
  id: "MESSAGE#101:106100:02/2",
  dissect: {
    tokenizer: "ed %{protocol->} %{sinterface->}/%{saddr->}(%{sport->})(%{fld5->}) -> %{dinterface->}/%{daddr->}(%{p2->}",
    field: "nwparser.p1",
  },
});

// dup397, dup398, dup403 and dup401 are stages defined elsewhere in the file.
var all270 = all_match({
  processors: [dup397, dup398, msg1098, dup403, dup401],
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("106100:02") }),
    dup42, dup43, dup40, dup14, dup2, dup3, dup4, dup5, dup396, dup402,
  ]),
});
var msg1099 = match({ | |
id: "MESSAGE#102:106100:03/2", | |
dissect: { | |
tokenizer: "ed %{protocol->} %{sinterface->}/%{saddr->}(%{sport->}) -> %{dinterface->}/%{daddr->}(%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all271 = all_match({ | |
processors: [ | |
dup397, | |
dup398, | |
msg1099, | |
dup403, | |
dup401, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106100:03"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup396, | |
dup402, | |
]), | |
}); | |
// Candidate parsers for message 106100 (msg1096 is defined earlier in the file).
// NOTE(review): the variants go from most to least specific identity group
// ("(domain\user)", "(fld5)", none). If linear_select stops at the first
// success, as the name suggests, this order decides whether domain/username
// are populated; keep it when regenerating.
var select266 = linear_select([msg1096, all269, all270, all271]);
// 302027: "Teardown stub <protocol> connection ..." read from the payload.
// Captures the connection id, both interface/address pairs, duration and byte
// count; the remainder of the line goes to info.
var msg1100 = match({
  id: "MESSAGE#341:302027",
  dissect: {
    tokenizer: "Teardown stub %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->} to %{dinterface->}:%{daddr->} duration %{duration->} bytes %{bytes->} %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("302027") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
    dup306,
  ]),
});
// 324004: GTP packet with an unsupported version. The version value is
// captured into "status"; result is set to a fixed string on success.
var msg1101 = match({
  id: "MESSAGE#457:324004",
  dissect: {
    tokenizer: "GTP packet with version %{status->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} is not supported",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("324004") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("GTP version not supported") }),
  ]),
});
// 405105: RAS AdmissionConfirm received "without an ...". Parsed in three
// steps chained through the scratch fields p0 and p1.

// Step 1: endpoints from the payload; text after "without" goes to p0.
var msg1102 = match({
  id: "MESSAGE#594:405105/0",
  dissect: {
    tokenizer: "%{service->} RAS message AdmissionConfirm received from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} without%{p0->}",
    field: "nwparser.payload",
  },
});

// Step 2: skips the unnamed leading capture and a space in p0; the rest goes to p1.
var msg1103 = match({
  id: "MESSAGE#594:405105/2",
  dissect: { tokenizer: "%{->} %{p1->}", field: "nwparser.p0" },
});

// Single-alternative select, kept as generated.
var select267 = linear_select([msg1103]);

// Step 3: "an <info>" from p1.
// NOTE(review): this id is identical to msg1103's ("MESSAGE#594:405105/2"), so
// the two steps cannot be told apart by id if ids are used for diagnostics.
var msg1104 = match({
  id: "MESSAGE#594:405105/2",
  dissect: { tokenizer: "an %{info->}", field: "nwparser.p1" },
});

var all272 = all_match({
  processors: [msg1102, select267, msg1104],
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("405105") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 722031: built entirely from fragments defined elsewhere in the file
// (dup77, dup78, dup158); stamps msg_id1 "722031".
var all273 = all_match({
  processors: [dup77, dup78, dup158],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("722031") }),
    dup7,
    dup2, dup3, dup4, dup5,
    dup159,
  ]),
});
// 409006: no structure is extracted; the entire payload becomes
// event_description.
var msg1105 = match({
  id: "MESSAGE#608:409006",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("409006") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 702208: two variants that share their first two fragments (dup404, dup129)
// and differ only in the last one (dup132 vs dup130).

// Variant tagged "702208:01".
var all274 = all_match({
  processors: [dup404, dup129, dup132],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702208:01") }),
    dup7, dup14,
    dup4, dup5, dup2, dup3,
    dup405,
  ]),
});

// Variant tagged "702208".
var all275 = all_match({
  processors: [dup404, dup129, dup130],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702208") }),
    dup7,
    dup2, dup3,
    dup405,
    dup4, dup5,
  ]),
});

// The ":01" variant is listed first.
var select268 = linear_select([all274, all275]);
// 713220: "De-queuing KEY-ACQUIRE messages that were left pending" for a
// group/peer address; event_description is set to a fixed summary.
var msg1106 = match({
  id: "MESSAGE#934:713220",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, De-queuing KEY-ACQUIRE messages that were left pending",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("713220") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("pending messages dequeued") }),
  ]),
});
// 717016: text before " Issuer: " goes to action, the issuer to dn.
var msg1107 = match({
  id: "MESSAGE#1072:717016",
  dissect: { tokenizer: "%{action->} Issuer: %{dn->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("717016") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 500004: invalid transport field; captures protocol and both address/port
// pairs, then sets a fixed event_description.
var msg1108 = match({
  id: "MESSAGE#677:500004",
  dissect: {
    tokenizer: "Invalid transport field for protocol=%{protocol->}, from %{saddr->}/%{sport->} to %{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("500004") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Invalid transport field") }),
  ]),
});
// 611317: the entire payload becomes event_description.
var msg1109 = match({
  id: "MESSAGE#773:611317",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup375,
    set_field({ dest: "nwparser.msg_id1", value: constant("611317") }),
    dup7, dup376, dup38,
    dup2, dup3, dup4, dup5,
  ]),
});
// 199018 carries relayed text from other sources. These two variants match
// access-point %DOT11 lines: fld1..fld5 take the leading timestamp-like tokens,
// then the address, AP name and the AP's own time string.

// "%DOT11-6-ASSOC": station associated.
var msg1110 = match({
  id: "MESSAGE#1316:199018",
  dissect: {
    tokenizer: "%{fld1->} %{fld2->} %{fld3->}:%{fld4->}:%{fld5->} %{saddr->} AP:%{access_point->}: *%{event_time_string->}: %DOT11-6-ASSOC: Interface %{interface->}, Station %{macaddr->} REAP Associated KEY_MGMT[%{fld6->}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("199018") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// "%DOT11-6-DISASSOC": station deauthenticated; trailing text goes to
// event_description.
var msg1111 = match({
  id: "MESSAGE#1317:199018:01",
  dissect: {
    tokenizer: "%{fld1->} %{fld2->} %{fld3->}:%{fld4->}:%{fld5->} %{saddr->} AP:%{access_point->}: *%{event_time_string->}: %DOT11-6-DISASSOC: Interface %{interface->}, Deauthenticating Station %{macaddr->} %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("199018:01") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 199018 variants for pam_unix session lines: agent[process_id], the PAM
// service and the user name.
// NOTE(review): unlike the 199018 / 199018:01 chains, these do not run dup2
// (which writes nwparser.level); confirm that is intentional.

// "session opened for user <username> by (uid=<uid>)".
var msg1112 = match({
  id: "MESSAGE#1318:199018:02",
  dissect: {
    tokenizer: "%{fld1->} %{fld2->} %{fld3->}:%{fld4->}:%{fld5->} %{agent->}[%{process_id->}]: pam_unix(%{service->}): session opened for user %{username->} by (uid=%{uid->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("199018:02") }),
    dup3, dup4, dup5,
  ]),
});

// "session closed for user <username>".
var msg1113 = match({
  id: "MESSAGE#1319:199018:03",
  dissect: {
    tokenizer: "%{fld1->} %{fld2->} %{fld3->}:%{fld4->}:%{fld5->} %{agent->}[%{process_id->}]: pam_unix(%{service->}): session closed for user %{username->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup36,
    set_field({ dest: "nwparser.msg_id1", value: constant("199018:03") }),
    dup3, dup4, dup5,
  ]),
});
// 199018 variant for "(<username>) CMD (<action>)" lines.
// NOTE(review): action holds the command text verbatim; command lines can
// carry credentials or tokens, so consider how this field is retained and
// displayed downstream.
var msg1114 = match({
  id: "MESSAGE#1320:199018:04",
  dissect: {
    tokenizer: "%{fld1->} %{fld2->} %{fld3->}:%{fld4->}:%{fld5->} %{agent->}[%{process_id->}]: (%{username->}) CMD (%{action->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup264,
    set_field({ dest: "nwparser.msg_id1", value: constant("199018:04") }),
    dup3, dup4, dup5,
  ]),
});

// 199018 fallback: only the five leading tokens are split off, everything
// else is kept unparsed in info.
var msg1115 = match({
  id: "MESSAGE#1321:199018:05",
  dissect: {
    tokenizer: "%{fld1->} %{fld2->} %{fld3->}:%{fld4->}:%{fld5->} %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup264,
    set_field({ dest: "nwparser.msg_id1", value: constant("199018:05") }),
    dup3, dup4, dup5,
  ]),
});
// Candidate parsers for message 199018, specific patterns first.
// NOTE(review): msg1115 accepts any line with the five leading tokens, so it
// must stay last; anything placed after it would presumably never be reached.
var select269 = linear_select([
  msg1110, msg1111,
  msg1112, msg1113,
  msg1114,
  msg1115,
]);
// 105044: mate operational mode mismatch. The parenthesised prefix goes to
// context, the two modes to fld1/fld2; event_description is a fixed summary.
var msg1116 = match({
  id: "MESSAGE#53:105044",
  dissect: {
    tokenizer: "(%{context->}) Mate operational mode %{fld1->} is not compatible with my mode %{fld2->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup161,
    set_field({ dest: "nwparser.msg_id1", value: constant("105044") }),
    dup38, dup39, dup87,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Mate operational mode is not compatible") }),
  ]),
});
// 713232, last fragment: splits p1 at the first ", " into event_description
// and fld1.
var msg1117 = match({
  id: "MESSAGE#943:713232/2",
  dissect: { tokenizer: "%{event_description->}, %{fld1->}", field: "nwparser.p1" },
});

// Complete 713232 parser: two shared lead-in fragments, then msg1117.
var all276 = all_match({
  processors: [dup79, dup273, msg1117],
  on_success: processor_chain([
    dup165,
    set_field({ dest: "nwparser.msg_id1", value: constant("713232") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// 717026: name lookup failure during a PKI operation; captures the hostname
// and sets a fixed event_description.
var msg1118 = match({
  id: "MESSAGE#1076:717026",
  dissect: {
    tokenizer: "Name lookup failed for hostname %{hostname->} during PKI operation.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup338,
    set_field({ dest: "nwparser.msg_id1", value: constant("717026") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Name lookup failed during PKI operation.") }),
  ]),
});
// 730002: VLAN mapping failure for a group/user/address.
// NOTE(review): "\u003c\u003c" is a literal "<<", so every value must be
// preceded by two "<" but is closed by a single ">". That asymmetry looks like
// an unescaping artefact of the generator rather than the device's wording;
// verify against a real 730002 sample, because if the pattern never matches,
// these VLAN-mapping failures would not get the fields parsed here.
var msg1119 = match({
  id: "MESSAGE#1207:730002",
  dissect: {
    tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> VLAN Mapping to VLAN \u003c\u003c%{instance->}> failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("730002") }),
    dup4, dup5, dup2, dup3,
    set_field({ dest: "nwparser.event_description", value: constant("VLAN Mapping to VLAN failed") }),
  ]),
});
// 318006: the entire payload becomes event_description.
var msg1120 = match({
  id: "MESSAGE#433:318006",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("318006") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 322003: ARP inspection failure. Captures the offending host's MAC
// (smacaddr) and the interface; text after the "." goes to info.
var msg1121 = match({
  id: "MESSAGE#447:322003",
  dissect: {
    tokenizer: "ARP inspection check failed for arp response received from host %{smacaddr->} on interface %{interface->}.%{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("322003") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 338001, last fragment (reads p3): blacklisted traffic with real and
// translated endpoints, the listed domain (web_domain), threat level
// (severity) and category (result).
var msg1122 = match({
  id: "MESSAGE#471:338001/4",
  dissect: {
    tokenizer: "ed blacklisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), source %{fld1->} resolved from %{fld2->} list:%{web_domain->} threat-level: %{severity->}, category: %{result->}",
    field: "nwparser.p3",
  },
});

// Complete 338001 parser: four shared lead-in fragments, then msg1122.
var all277 = all_match({
  processors: [dup183, dup184, dup213, dup214, msg1122],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("338001") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
  ]),
});
// 400018 and 400020 use the same layout: "<product>:<sigid> <context> from
// <saddr> to <daddr> on interface <dinterface>". Only the id and msg_id1
// differ between the two definitions.
var msg1123 = match({
  id: "MESSAGE#515:400018",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({ dest: "nwparser.msg_id1", value: constant("400018") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});

var msg1124 = match({
  id: "MESSAGE#517:400020",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({ dest: "nwparser.msg_id1", value: constant("400020") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// 721018, last fragment: "<saddr> has been deleted." read from p1.
var msg1125 = match({
  id: "MESSAGE#1152:721018/2",
  dissect: { tokenizer: "%{saddr->} has been deleted.", field: "nwparser.p1" },
});

// Complete 721018 parser; event_description is set to "session deleted".
var all278 = all_match({
  processors: [dup189, dup190, msg1125],
  on_success: processor_chain([
    dup37,
    set_field({ dest: "nwparser.msg_id1", value: constant("721018") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("session deleted") }),
  ]),
});
// 304006: URL server not responding; captures the server address as hostip.
var msg1126 = match({
  id: "MESSAGE#358:304006",
  dissect: { tokenizer: "URL Server %{hostip->} not responding", field: "nwparser.payload" },
  on_success: processor_chain([
    dup406,
    set_field({ dest: "nwparser.msg_id1", value: constant("304006") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 402120, last fragment: "<daddr> that failed authentication." read from p1.
var msg1127 = match({
  id: "MESSAGE#563:402120/2",
  dissect: { tokenizer: "%{daddr->} that failed authentication.", field: "nwparser.p1" },
});

// Complete 402120 parser; event_description names the ESP authentication
// failure.
var all279 = all_match({
  processors: [dup312, dup313, msg1127],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("402120") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Received ESP packet that failed authentication") }),
  ]),
});
// 403503: the entire payload becomes event_description.
var msg1128 = match({
  id: "MESSAGE#582:403503",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("403503") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 714005, last fragment: "<action>: msg id = <fld1>" read from p1.
var msg1129 = match({
  id: "MESSAGE#985:714005/2",
  dissect: { tokenizer: "%{action->}: msg id = %{fld1->}", field: "nwparser.p1" },
});

// Complete 714005 parser.
var all280 = all_match({
  processors: [dup9, dup242, msg1129],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("714005") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// 407001: traffic denied for a local host because the license limit was
// exceeded. Captures interface, host address and the limit (fld1), then sets
// fixed event_description and result values.
var msg1130 = match({
  id: "MESSAGE#598:407001",
  dissect: {
    tokenizer: "Deny traffic for local-host %{interface->}:%{hostip->}, license limit of %{fld1->} exceeded",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup101,
    set_field({ dest: "nwparser.msg_id1", value: constant("407001") }),
    dup43, dup99, dup102,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("denied traffic") }),
    set_field({ dest: "nwparser.result", value: constant("license limit exceeded") }),
  ]),
});
// 602301: the entire payload becomes event_description.
var msg1131 = match({
  id: "MESSAGE#716:602301",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("602301") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// 602303: built from shared fragments dup31..dup33. Note that this chain runs
// dup35 in the position where most sibling chains run dup3.
var all281 = all_match({
  processors: [dup31, dup32, dup33],
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("602303") }),
    dup7,
    dup2, dup35, dup4, dup5,
  ]),
});
// 605003: login failure reported by a service daemon, parsed in stages
// through the scratch fields p0, p1 and p2.

// Stage 1: service name; text after "Login fail" goes to p0.
var msg1132 = match({
  id: "MESSAGE#735:605003/0",
  dissect: { tokenizer: "%{service->} daemon: Login fail%{p0->}", field: "nwparser.payload" },
});

// Stage 2 (reads p1): source address; the user part goes to p2.
var msg1133 = match({
  id: "MESSAGE#735:605003/2",
  dissect: { tokenizer: "%{->}from %{saddr->} for user %{p2->}", field: "nwparser.p1" },
});

// Stage 3, first alternative: user name wrapped in double quotes and followed
// by a space.
// NOTE(review): on a failed login this is whatever the client typed, so treat
// nwparser.username as untrusted text downstream; it can also be a password
// entered into the wrong prompt.
var msg1134 = match({
  id: "MESSAGE#735:605003/3",
  dissect: { tokenizer: "\"%{username->}\" ", field: "nwparser.p2" },
});

// User-name alternatives; dup407/dup408 are defined elsewhere in the file.
var select270 = linear_select([msg1134, dup407, dup408]);

// Complete 605003 parser; event_description is set to "Login failed".
var all282 = all_match({
  processors: [msg1132, dup117, msg1133, select270],
  on_success: processor_chain([
    dup171,
    set_field({ dest: "nwparser.msg_id1", value: constant("605003") }),
    dup17, dup106, dup18, dup19,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Login failed") }),
  ]),
});
// 505011: module data channel is UP. Two alternative openings for the same
// position (they share one id), both leaving the rest of the line in p0.

// "<product> Module in slot <fld1> ...".
var msg1135 = match({
  id: "MESSAGE#697:505011/1",
  dissect: {
    tokenizer: "%{product->} Module in slot %{fld1->} data channel communication is UP%{p0->}",
    field: "nwparser.payload",
  },
});

// "Module ips ..." with no product or slot.
var msg1136 = match({
  id: "MESSAGE#697:505011/1",
  dissect: {
    tokenizer: "Module ips data channel communication is UP%{p0->}",
    field: "nwparser.payload",
  },
});

var select271 = linear_select([msg1135, msg1136]);

// Complete 505011 parser; result is set to a fixed string.
var all283 = all_match({
  processors: [select271, dup254, dup255],
  on_success: processor_chain([
    dup157,
    set_field({ dest: "nwparser.msg_id1", value: constant("505011") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("data channel communication is UP") }),
  ]),
});
// 613003: "<hostip> changed from area <fld1> to area <fld2>".
var msg1137 = match({
  id: "MESSAGE#785:613003",
  dissect: {
    tokenizer: "%{hostip->} changed from area %{fld1->} to area %{fld2->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup166,
    set_field({ dest: "nwparser.msg_id1", value: constant("613003") }),
    dup38, dup13, dup39, dup40,
    dup2, dup3, dup4, dup5,
  ]),
});
// 720012: "(VPN-<context>) <event_description>".
var msg1138 = match({
  id: "MESSAGE#1117:720012",
  dissect: { tokenizer: "(VPN-%{context->}) %{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup160,
    set_field({ dest: "nwparser.msg_id1", value: constant("720012") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// 611302: fixed VPNClient text about NAT exemption in Network Extension Mode;
// the trailing unnamed capture takes anything after it and no named field is
// extracted.
var msg1139 = match({
  id: "MESSAGE#758:611302",
  dissect: {
    tokenizer: "VPNClient: NAT exemption configured for Network Extension Mode with no split tunneling%{->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup126,
    set_field({ dest: "nwparser.msg_id1", value: constant("611302") }),
    dup7,
    dup2, dup3, dup4, dup5,
    dup286,
  ]),
});
// 713204: parsed in stages through the scratch fields p1 and p2.

// Reads p1: peer address, remainder to p2.
var msg1140 = match({
  id: "MESSAGE#926:713204/2",
  dissect: { tokenizer: "%{saddr->}, %{p2->}", field: "nwparser.p1" },
});

// Reads p2: "<event_description> for client address: <fld1> " (the pattern
// ends with a space).
var msg1141 = match({
  id: "MESSAGE#926:713204/3",
  dissect: {
    tokenizer: "%{event_description->} for client address: %{fld1->} ",
    field: "nwparser.p2",
  },
});

// Tail alternatives; dup386 is defined elsewhere in the file.
var select272 = linear_select([msg1141, dup386]);

// Complete 713204 parser.
var all284 = all_match({
  processors: [dup22, dup23, msg1140, select272],
  on_success: processor_chain([
    dup163,
    set_field({ dest: "nwparser.msg_id1", value: constant("713204") }),
    dup7, dup164, dup38,
    dup2, dup3, dup4, dup5,
  ]),
});
// 201002: "Too many connections on ..." variant.

// Opening text; remainder to p0.
var msg1142 = match({
  id: "MESSAGE#216:201002/0",
  dissect: { tokenizer: "Too many connections on %{p0->}", field: "nwparser.payload" },
});

// Reads p1: host address terminated by "!", then two trailing values.
var msg1143 = match({
  id: "MESSAGE#216:201002/2",
  dissect: { tokenizer: "%{->} %{hostip->}! %{fld1->} %{fld2->}", field: "nwparser.p1" },
});

// Complete parser; dup251 (defined elsewhere) sits between the two fragments.
var all285 = all_match({
  processors: [msg1142, dup251, msg1143],
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("201002") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 201002:01: "Too many TCP|tcp connections on static|xlate <host>! ..."
// variant, parsed in five stages chained through p0..p3.
// NOTE(review): several stages reuse one id ("/2" for msg1145..msg1147, "/4"
// for msg1148..msg1150), so ids alone do not identify a stage.

// Stage 1: opening text; remainder to p0.
var msg1144 = match({
  id: "MESSAGE#217:201002:01/0",
  dissect: { tokenizer: "Too many %{p0->}", field: "nwparser.payload" },
});

// Stage 2 alternatives: protocol keyword in upper or lower case.
var msg1145 = match({
  id: "MESSAGE#217:201002:01/2",
  dissect: { tokenizer: "TCP%{p1->}", field: "nwparser.p0" },
});
var msg1146 = match({
  id: "MESSAGE#217:201002:01/2",
  dissect: { tokenizer: "tcp%{p1->}", field: "nwparser.p0" },
});
var select273 = linear_select([msg1145, msg1146]);

// Stage 3: "connections on"; remainder to p2.
var msg1147 = match({
  id: "MESSAGE#217:201002:01/2",
  dissect: { tokenizer: "%{->}connections on %{p2->}", field: "nwparser.p1" },
});

// Stage 4 alternatives: "static" or "xlate"; remainder to p3.
var msg1148 = match({
  id: "MESSAGE#217:201002:01/4",
  dissect: { tokenizer: "static%{p3->}", field: "nwparser.p2" },
});
var msg1149 = match({
  id: "MESSAGE#217:201002:01/4",
  dissect: { tokenizer: "xlate%{p3->}", field: "nwparser.p2" },
});
var select274 = linear_select([msg1148, msg1149]);

// Stage 5: host address terminated by "!", then two trailing values.
var msg1150 = match({
  id: "MESSAGE#217:201002:01/4",
  dissect: { tokenizer: "%{->} %{hostip->}! %{fld1->} %{fld2->}", field: "nwparser.p3" },
});

// Complete 201002:01 parser.
var all286 = all_match({
  processors: [msg1144, select273, msg1147, select274, msg1150],
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("201002:01") }),
    dup14,
    dup2, dup3, dup4, dup5,
  ]),
});
// Candidate parsers for message 201002: the "connections on" form is listed
// before the TCP/static/xlate form.
var select275 = linear_select([all285, all286]);
// 201003: embryonic (half-open) connection limit exceeded. Captures the
// interface pair, source and destination address/port, the parenthesised
// address (hostip) and the reporting interface.
var msg1151 = match({
  id: "MESSAGE#218:201003",
  dissect: {
    tokenizer: "Embryonic limit exceeded %{sinterface->}/%{dinterface->} for %{saddr->}/%{sport->} to (%{hostip->}) %{daddr->}/%{dport->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("201003") }),
    dup2, dup3, dup4, dup5,
    dup391,
  ]),
});
// 737015, last fragment: "Freeing DHCP address <hostip>" read from p1.
var msg1152 = match({
  id: "MESSAGE#1240:737015/2",
  dissect: { tokenizer: "%{->}Freeing DHCP address %{hostip->}", field: "nwparser.p1" },
});

// Complete 737015 parser; event_description is set to a fixed summary.
var all287 = all_match({
  processors: [dup53, dup265, msg1152],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("737015") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Freeing DHCP address") }),
  ]),
});
// 213002: the entire payload becomes event_description.
var msg1153 = match({
  id: "MESSAGE#261:213002",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("213002") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 304003: URL server timed out. Captures the server address (hostip) and the
// requested URL, which runs to the end of the payload.
// NOTE(review): url is client-controlled request data; consumers should
// escape it before rendering.
var msg1154 = match({
  id: "MESSAGE#355:304003",
  dissect: { tokenizer: "URL Server %{hostip->} timed out URL %{url->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup406,
    set_field({ dest: "nwparser.msg_id1", value: constant("304003") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 718059: state machine function trace. state goes to category, event to
// obj_type and func to application.
var msg1155 = match({
  id: "MESSAGE#1105:718059",
  dissect: {
    tokenizer: "State machine function trace: state=%{category->}, event=%{obj_type->}, func=%{application->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718059") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("State machine function trace") }),
  ]),
});
// 201007: unable to allocate new connections; captures the protocol and the
// "(src/port-dst/port)" tuple.
var msg1156 = match({
  id: "MESSAGE#223:201007",
  dissect: {
    tokenizer: "Unable to allocate new %{protocol->} connections (%{saddr->}/%{sport->}-%{daddr->}/%{dport->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup165,
    set_field({ dest: "nwparser.msg_id1", value: constant("201007") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Unable to allocate new connections") }),
  ]),
});
// 338306: authentication to the dynamic filter updater server failed; the
// server is captured into url.
var msg1157 = match({
  id: "MESSAGE#492:338306",
  dissect: {
    tokenizer: "Failed to authenticate with dynamic filter updater server %{url->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup16,
    set_field({ dest: "nwparser.msg_id1", value: constant("338306") }),
    dup18, dup19,
    dup2, dup3, dup4, dup5,
  ]),
});
// 402101: received IPSEC packet with an invalid SPI. Captures the destination
// address, protocol and SPI (dst_spi); result is set to "invalid spi".
var msg1158 = match({
  id: "MESSAGE#554:402101",
  dissect: {
    tokenizer: "%{fld1->}: rec'd IPSEC packet has invalid spi for destaddr=%{daddr->}, prot=%{protocol->}, spi=%{dst_spi->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("402101") }),
    dup7,
    dup2, dup3, dup4, dup5,
    dup409,
    set_field({ dest: "nwparser.result", value: constant("invalid spi") }),
  ]),
});
// 505001: the entire payload becomes event_description.
var msg1159 = match({
  id: "MESSAGE#690:505001",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup351,
    set_field({ dest: "nwparser.msg_id1", value: constant("505001") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// 109021: the entire payload becomes event_description.
var msg1160 = match({
  id: "MESSAGE#145:109021",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup86,
    set_field({ dest: "nwparser.msg_id1", value: constant("109021") }),
    dup18, dup87,
    dup2, dup3, dup4, dup5,
  ]),
});
// 713202 and 713105 share one layout, "IP = <saddr>, <event_description>";
// they differ in id, msg_id1 and the first processor of the chain
// (dup20 vs dup55).
var msg1161 = match({
  id: "MESSAGE#925:713202",
  dissect: { tokenizer: "IP = %{saddr->}, %{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713202") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});

var msg1162 = match({
  id: "MESSAGE#882:713105",
  dissect: { tokenizer: "IP = %{saddr->}, %{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("713105") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// 713124: received DPD sequence number in R_U_THERE; captures group, peer
// address and the sequence number (fld1).
var msg1163 = match({
  id: "MESSAGE#891:713124",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, Received DPD sequence number %{fld1->} in R_U_THERE",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("713124") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Received DPD sequence number") }),
  ]),
});
// 301001: denied HTTP configuration attempt; captures the requesting address
// and sets event_description to "HTTP config denied".
var msg1164 = match({
  id: "MESSAGE#269:301001",
  dissect: {
    tokenizer: "Denied HTTP configuration attempt from %{saddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup84,
    set_field({ dest: "nwparser.msg_id1", value: constant("301001") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("HTTP config denied") }),
  ]),
});
// 402123: crypto error while executing a command. Captures the product, the
// error text (context), the command name (process) and its argument (info).
var msg1165 = match({
  id: "MESSAGE#564:402123",
  dissect: {
    tokenizer: "CRYPTO: The %{product->} encountered an error (%{context->}) while executing the command %{process->}(%{info->}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup49,
    set_field({ dest: "nwparser.msg_id1", value: constant("402123") }),
    dup7,
    dup2, dup3, dup4, dup5,
    dup356,
  ]),
});
// 611321: the entire payload becomes event_description.
var msg1166 = match({
  id: "MESSAGE#777:611321",
  dissect: { tokenizer: "%{event_description->}", field: "nwparser.payload" },
  on_success: processor_chain([
    dup375,
    set_field({ dest: "nwparser.msg_id1", value: constant("611321") }),
    dup7, dup376, dup38,
    dup2, dup3, dup4, dup5,
  ]),
});
// 429002: a service requested that a packet be dropped. Captures the service,
// protocol and both interface:address/port endpoints (there is no "to"
// between them in this pattern).
var msg1167 = match({
  id: "MESSAGE#1308:429002",
  dissect: {
    tokenizer: "%{service->} requested to drop %{protocol->} packet from %{sinterface->}:%{saddr->}/%{sport->} %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("429002") }),
    dup43, dup19,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Request to drop packet") }),
  ]),
});
// 302005: "Built ... UDP connection" in three layouts. All three run the same
// on_success chain apart from the msg_id1 value.

// faddr/gaddr/laddr layout: faddr -> saddr/sport, gaddr -> hostip/network_port,
// laddr -> daddr/dport.
var msg1168 = match({
  id: "MESSAGE#280:302005",
  dissect: {
    tokenizer: "Built UDP connection for faddr %{saddr->}/%{sport->} gaddr %{hostip->}/%{network_port->} laddr %{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("302005") }),
    dup42, dup43, dup40, dup14,
    dup2, dup3, dup4, dup5,
    dup193,
  ]),
});

// Explicit "outbound" layout: the first endpoint in the line is stored as the
// destination and the second as the source, the reverse of msg1170.
var msg1169 = match({
  id: "MESSAGE#281:302005:01",
  dissect: {
    tokenizer: "Built outbound UDP connection %{fld1->} for %{dinterface->}:%{daddr->}/%{dport->} (%{hostip->}) to %{sinterface->}:%{saddr->}/%{sport->} (%{fld3->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("302005:01") }),
    dup42, dup43, dup40, dup14,
    dup2, dup3, dup4, dup5,
    dup193,
  ]),
});

// Generic layout: direction is captured as a field; the first endpoint is the
// source and the second the destination.
var msg1170 = match({
  id: "MESSAGE#282:302005:02",
  dissect: {
    tokenizer: "Built %{direction->} UDP connection %{fld1->} for %{sinterface->}:%{saddr->}/%{sport->} (%{hostip->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{fld3->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("302005:02") }),
    dup42, dup43, dup40, dup14,
    dup2, dup3, dup4, dup5,
    dup193,
  ]),
});

// NOTE(review): msg1169 must stay ahead of msg1170. The generic pattern would
// also accept "outbound" lines, and which one handles them decides which
// endpoint ends up in saddr and which in daddr.
var select276 = linear_select([msg1168, msg1169, msg1170]);
// 338007, last fragment (reads p1): dropped blacklisted traffic with real and
// translated endpoints; the matched list entry is captured as fld3/mask, with
// threat level in severity and category in result.
var msg1171 = match({
  id: "MESSAGE#477:338007/2",
  dissect: {
    tokenizer: "ilter dropped blacklisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), source %{fld1->} resolved from %{fld2->} list:%{fld3->}/%{mask->} threat-level: %{severity->}, category: %{result->}",
    field: "nwparser.p1",
  },
});

// Complete 338007 parser: two shared lead-in fragments, then msg1171.
var all288 = all_match({
  processors: [dup183, dup184, msg1171],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("338007") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
  ]),
});
var msg1172 = match({ | |
id: "MESSAGE#916:713170", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, IKE Received delete for rekeyed centry %{space->} %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713170"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("IKE received delete for rekeyed centry"), | |
}), | |
]), | |
}); | |
var msg1173 = match({ | |
id: "MESSAGE#920:713193", | |
dissect: { | |
tokenizer: "Received packet with missing payload, Expected payload: %{fld1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup229, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713193"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1174 = match({ | |
id: "MESSAGE#707:602102", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup166, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("602102"), | |
}), | |
dup7, | |
dup13, | |
dup38, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1175 = match({ | |
id: "MESSAGE#964:713904:01", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, Received an un-encrypted AUTH_FAILED notify message, %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713904:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Received an un-encrypted AUTH_FAILED notify message"), | |
}), | |
]), | |
}); | |
var msg1176 = match({ | |
id: "MESSAGE#965:713904:03", | |
dissect: { | |
tokenizer: "IP = %{saddr->}, Received encrypted packet with no matching SA, %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713904:03"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Received encrypted packet with no matching SA"), | |
}), | |
]), | |
}); | |
var msg1177 = match({ | |
id: "MESSAGE#966:713904:04", | |
dissect: { | |
tokenizer: "IP = %{saddr->}, Received an un-encrypted %{obj_type->} notify message, %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713904:04"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Received an un-encrypted notify message"), | |
}), | |
]), | |
}); | |
var msg1178 = match({ | |
id: "MESSAGE#967:713904:05", | |
dissect: { | |
tokenizer: "IP = %{saddr->}, No crypto map bound to interface... %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713904:05"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("No crypto map bound to interface"), | |
}), | |
]), | |
}); | |
// Fallback patterns for msg_id1 "713904" / "713904:02" and the selector over
// the whole 713904 family.
//
// msg1179 handles "Group = ..., Username = ..., IP = ..., <text>" and keeps the
// remaining text in event_description.
// NOTE(review): username comes before saddr and is ended by the literal
// ", IP = ". If the tokenizer splits at the first occurrence of each literal
// (confirm against the dissect implementation), a username that itself
// contains that literal changes what lands in saddr and event_description.
// Validate saddr as an IP address before using it in detections or enrichment.
var msg1179 = match({ | |
id: "MESSAGE#968:713904", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713904"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// msg1180 matches the "Group = ..., IP = ...," prefix and leaves the rest of
// the payload in p0 for a later step.
var msg1180 = match({ | |
id: "MESSAGE#969:713904:02/1", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->},%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Prefix alternatives for 713904:02; dup342 is defined elsewhere.
var select277 = linear_select([ | |
msg1180, | |
dup342, | |
]); | |
// Prefix (select277) followed by dup304, which is defined elsewhere and
// presumably parses the remainder -- confirm.
var all289 = all_match({ | |
processors: [ | |
select277, | |
dup304, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713904:02"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Order is significant: the patterns with fixed message text (msg1175 to
// msg1178) come first, the free-text fallbacks msg1179 and all289 last.
var select278 = linear_select([ | |
msg1175, | |
msg1176, | |
msg1177, | |
msg1178, | |
msg1179, | |
all289, | |
]); | |
var msg1181 = match({ | |
id: "MESSAGE#1085:717046", | |
dissect: { | |
tokenizer: "Local CA Server CRL error: %{result->}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("717046"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Local CA Server CRL error"), | |
}), | |
]), | |
}); | |
var msg1182 = match({ | |
id: "MESSAGE#1096:718034", | |
dissect: { | |
tokenizer: "Sent TOPOLOGY indicator to %{space->} [%{daddr->}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("718034"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Sent TOPOLOGY indicator"), | |
}), | |
]), | |
}); | |
var msg1183 = match({ | |
id: "MESSAGE#132:109011/0", | |
dissect: { | |
tokenizer: "Authen Session Start: user %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg1184 = match({ | |
id: "MESSAGE#132:109011/2", | |
dissect: { | |
tokenizer: "%{sessionid->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all290 = all_match({ | |
processors: [ | |
msg1183, | |
dup373, | |
msg1184, | |
], | |
on_success: processor_chain([ | |
dup83, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109011"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("Authen Session Start"), | |
}), | |
]), | |
}); | |
var msg1185 = match({ | |
id: "MESSAGE#151:109026", | |
dissect: { | |
tokenizer: "[%{protocol->}] %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup86, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109026"), | |
}), | |
dup18, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1186 = match({ | |
id: "MESSAGE#503:400006", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400006"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
var msg1187 = match({ | |
id: "MESSAGE#547:400050", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup74, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400050"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
// Patterns for msg_id1 "750001" (received request to rekey an IPsec tunnel)
// and "750001:01" (received request to establish one). Both map "Local:" to
// saddr/sport and "Remote:" to daddr/dport, the local traffic selector to info
// and the remote traffic selector to result.
// NOTE(review): the message says the request was received, yet the remote
// endpoint is stored as the destination. Rules that look for the requesting
// peer should confirm which of saddr/daddr holds it.
var msg1188 = match({ | |
id: "MESSAGE#1262:750001", | |
dissect: { | |
tokenizer: "Local:%{saddr->}:%{sport->} Remote:%{daddr->}:%{dport->} Username:%{username->} Received request to rekey an IPsec tunnel; local traffic selector = %{info->}; remote traffic selector = %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("750001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Received request to rekey an IPsec tunnel"), | |
}), | |
]), | |
}); | |
// Same layout as msg1188, with one extra token (fld1) between the username and
// the "Received request to establish" text.
var msg1189 = match({ | |
id: "MESSAGE#1263:750001:01", | |
dissect: { | |
tokenizer: "Local:%{saddr->}:%{sport->} Remote:%{daddr->}:%{dport->} Username:%{username->} %{fld1->} Received request to establish an IPsec tunnel; local traffic selector = %{info->}; remote traffic selector = %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("750001:01"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Received request to establish an IPsec tunnel"), | |
}), | |
]), | |
}); | |
// Tries the rekey form first, then the establish form.
var select279 = linear_select([ | |
msg1188, | |
msg1189, | |
]); | |
var msg1190 = match({ | |
id: "MESSAGE#324:302019", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup410, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302019"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1191 = match({ | |
id: "MESSAGE#576:403108", | |
dissect: { | |
tokenizer: "PPP virtual interface %{interface->} missing client %{hostip->} option", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("403108"), | |
}), | |
dup38, | |
dup39, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Patterns for msg_id1 "109033:01" and "109033". The start of the message is
// matched by dup411 and dup61 (defined elsewhere); the pieces below parse what
// those steps leave in nwparser.p1 and nwparser.p2.
//
// msg1192: source address followed by the fixed text "Interactive challenge
// processing is not supported for"; the remainder goes to p2.
var msg1192 = match({ | |
id: "MESSAGE#156:109033:01/2", | |
dissect: { | |
tokenizer: "%{saddr->}. Interactive challenge processing is not supported for %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Two alternatives for the tail in p2: "administrative <protocol> connections"
// or "<protocol> <info> connections".
var msg1193 = match({ | |
id: "MESSAGE#156:109033:01/3", | |
dissect: { | |
tokenizer: "administrative %{protocol->} connections", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg1194 = match({ | |
id: "MESSAGE#156:109033:01/3", | |
dissect: { | |
tokenizer: "%{protocol->} %{info->} connections", | |
field: "nwparser.p2", | |
}, | |
}); | |
// The "administrative" form is tried first; msg1194 would otherwise take
// "administrative" as the protocol.
var select280 = linear_select([ | |
msg1193, | |
msg1194, | |
]); | |
var all291 = all_match({ | |
processors: [ | |
dup411, | |
dup61, | |
msg1192, | |
select280, | |
], | |
on_success: processor_chain([ | |
dup84, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109033:01"), | |
}), | |
dup17, | |
dup18, | |
dup19, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup412, | |
dup413, | |
]), | |
}); | |
// Short form: p1 holds only the source address and a trailing ".".
// NOTE(review): the only literal after saddr is ".", which also occurs inside
// a dotted IPv4 address. Confirm the tokenizer anchors this trailing literal
// at the end of the field; if it splits at the first ".", saddr is truncated.
var msg1195 = match({ | |
id: "MESSAGE#157:109033/2", | |
dissect: { | |
tokenizer: "%{saddr->}.", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all292 = all_match({ | |
processors: [ | |
dup411, | |
dup61, | |
msg1195, | |
], | |
on_success: processor_chain([ | |
dup84, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("109033"), | |
}), | |
dup17, | |
dup18, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup412, | |
dup413, | |
]), | |
}); | |
// The longer form (all291) is tried before the short form (all292).
var select281 = linear_select([ | |
all291, | |
all292, | |
]); | |
var msg1196 = match({ | |
id: "MESSAGE#1138:720046", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720046"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1197 = match({ | |
id: "MESSAGE#1279:713187", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, Tunnel Rejected: %{action->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713187"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup330, | |
]), | |
}); | |
var msg1198 = match({ | |
id: "MESSAGE#1079:717029", | |
dissect: { | |
tokenizer: "Identified client certificate within certificate chain. serial number: %{serial_number->}, subject name: %{cert_subject->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup83, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("717029"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Identified client certificate"), | |
}), | |
]), | |
}); | |
// Patterns for msg_id1 "113005:01" and "113005". The leading segments of the
// message are matched by dup414, dup343, dup415, dup416, dup120, dup417 and
// dup418, all defined elsewhere; the pieces below parse the user name and,
// for 113005:01, the user's IP address.
//
// msg1199 / msg1200: user name with or without single quotes, followed by
// " : " and the rest (p7).
// NOTE(review): the user name is parsed before saddr. If the tokenizer splits
// at the first occurrence of a literal (confirm), a user name containing
// " : " shifts the later fields, so saddr from this message should be
// validated as an IP address before it is trusted.
var msg1199 = match({ | |
id: "MESSAGE#181:113005:01/8", | |
dissect: { | |
tokenizer: "'%{username->}' : %{p7->}", | |
field: "nwparser.p6", | |
}, | |
}); | |
var msg1200 = match({ | |
id: "MESSAGE#181:113005:01/8", | |
dissect: { | |
tokenizer: "%{username->} : %{p7->}", | |
field: "nwparser.p6", | |
}, | |
}); | |
// Quoted form first: the unquoted pattern would also match quoted input and
// leave the quotes inside username.
var select282 = linear_select([ | |
msg1199, | |
msg1200, | |
]); | |
// msg1201 / msg1202 accept a lower- or upper-case "u"; together with msg1203
// they match "user IP = " / "User IP = " and capture the address in saddr.
var msg1201 = match({ | |
id: "MESSAGE#181:113005:01/9", | |
dissect: { | |
tokenizer: "u%{p8->}", | |
field: "nwparser.p7", | |
}, | |
}); | |
var msg1202 = match({ | |
id: "MESSAGE#181:113005:01/9", | |
dissect: { | |
tokenizer: "U%{p8->}", | |
field: "nwparser.p7", | |
}, | |
}); | |
var select283 = linear_select([ | |
msg1201, | |
msg1202, | |
]); | |
var msg1203 = match({ | |
id: "MESSAGE#181:113005:01/9", | |
dissect: { | |
tokenizer: "ser IP = %{saddr->}", | |
field: "nwparser.p8", | |
}, | |
}); | |
// Full form with user IP: tagged msg_id1 "113005:01".
var all293 = all_match({ | |
processors: [ | |
dup414, | |
dup343, | |
dup415, | |
dup416, | |
dup120, | |
dup417, | |
dup418, | |
select282, | |
select283, | |
msg1203, | |
], | |
on_success: processor_chain([ | |
dup16, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("113005:01"), | |
}), | |
dup17, | |
dup18, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup419, | |
]), | |
}); | |
// Form without a user IP: p6 holds only the user name, quoted or not, with a
// trailing space.
var msg1204 = match({ | |
id: "MESSAGE#182:113005/7", | |
dissect: { | |
tokenizer: "'%{username->}' ", | |
field: "nwparser.p6", | |
}, | |
}); | |
var msg1205 = match({ | |
id: "MESSAGE#182:113005/7", | |
dissect: { | |
tokenizer: "%{username->} ", | |
field: "nwparser.p6", | |
}, | |
}); | |
var select284 = linear_select([ | |
msg1204, | |
msg1205, | |
]); | |
// Tagged msg_id1 "113005"; no saddr is captured by the pieces visible here.
var all294 = all_match({ | |
processors: [ | |
dup414, | |
dup343, | |
dup415, | |
dup416, | |
dup120, | |
dup417, | |
dup418, | |
select284, | |
], | |
on_success: processor_chain([ | |
dup16, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("113005"), | |
}), | |
dup17, | |
dup18, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup419, | |
]), | |
}); | |
// The form that carries the user IP is tried first.
var select285 = linear_select([ | |
all293, | |
all294, | |
]); | |
var msg1206 = match({ | |
id: "MESSAGE#187:113010/0", | |
dissect: { | |
tokenizer: "AAA challenge received for user %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg1207 = match({ | |
id: "MESSAGE#187:113010/2", | |
dissect: { | |
tokenizer: "'%{username->}' from server %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg1208 = match({ | |
id: "MESSAGE#187:113010/2", | |
dissect: { | |
tokenizer: "%{username->} from server %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select286 = linear_select([ | |
msg1207, | |
msg1208, | |
]); | |
var msg1209 = match({ | |
id: "MESSAGE#187:113010/2", | |
dissect: { | |
tokenizer: "%{hostip->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all295 = all_match({ | |
processors: [ | |
msg1206, | |
select286, | |
msg1209, | |
], | |
on_success: processor_chain([ | |
dup83, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("113010"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("AAA challenge received for user"), | |
}), | |
]), | |
}); | |
// Patterns for msg_id1 "713216" (text ends "- allowed") and "713216:01"
// (text ends "- NOT allowed", with an extra "OS : ..." segment in fld3).
// Both capture group, username, saddr, the rule (fld1) and the client (fld2).
// NOTE(review): the two on_success chains are identical apart from msg_id1,
// and neither tokenizer stores the allowed / NOT allowed outcome in a field.
// Unless dup420 or dup421 (defined elsewhere) derive it, msg_id1 is the only
// way for a downstream rule to tell the two outcomes apart -- confirm.
var msg1210 = match({ | |
id: "MESSAGE#931:713216", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = %{username->}, IP %{saddr->}, Rule: %{fld1->} Client: %{fld2->} - allowed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup420, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713216"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup421, | |
]), | |
}); | |
var msg1211 = match({ | |
id: "MESSAGE#932:713216:01", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = %{username->}, IP %{saddr->}, Rule: %{fld1->} OS : %{fld3->} Client: %{fld2->} - NOT allowed", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup420, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713216:01"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup421, | |
]), | |
}); | |
// Tries the "allowed" form first, then the "NOT allowed" form.
var select287 = linear_select([ | |
msg1210, | |
msg1211, | |
]); | |
var all296 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
dup241, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715057"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Patterns for msg_id1 "106028" and "106028:01".
//
// 106028 is assembled from pieces: msg1212 matches the fixed start "Dropping
// invalid echo re" and leaves the rest in p0; dup378 (defined elsewhere)
// handles the next segment; msg1213 to msg1216 parse the remainder.
var msg1212 = match({ | |
id: "MESSAGE#97:106028/0", | |
dissect: { | |
tokenizer: "Dropping invalid echo re%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Source and destination interface/address; the rest goes to p2.
var msg1213 = match({ | |
id: "MESSAGE#97:106028/2", | |
dissect: { | |
tokenizer: "%{->}from %{sinterface->}:%{saddr->} to %{dinterface->}:%{daddr->}, %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// The next word is either "destination" or "source"; which one matched is not
// stored in a field.
var msg1214 = match({ | |
id: "MESSAGE#97:106028/4", | |
dissect: { | |
tokenizer: "destination%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg1215 = match({ | |
id: "MESSAGE#97:106028/4", | |
dissect: { | |
tokenizer: "source%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select288 = linear_select([ | |
msg1214, | |
msg1215, | |
]); | |
// "real" address/port go to stransaddr/stransport and "mapped" address/port to
// dtransaddr/dtransport.
// NOTE(review): both pairs follow a single "address ... should not match
// dynamic port translation" clause, so they look like the real and mapped
// forms of one endpoint rather than a source and a destination -- confirm
// before using these fields as flow endpoints.
var msg1216 = match({ | |
id: "MESSAGE#97:106028/4", | |
dissect: { | |
tokenizer: "%{->}address %{fld1->} should not match dynamic port translation, real %{fld2->}:%{stransaddr->}/%{stransport->}, mapped %{fld3->}:%{dtransaddr->}/%{dtransport->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// NOTE(review): event_description is fixed to "Dropping invalid echo reply",
// while msg1212 accepts any text starting "Dropping invalid echo re". If
// dup378 also accepts a continuation other than "ply", the description would
// not match the message -- confirm.
var all297 = all_match({ | |
processors: [ | |
msg1212, | |
dup378, | |
msg1213, | |
select288, | |
msg1216, | |
], | |
on_success: processor_chain([ | |
dup101, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106028"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Dropping invalid echo reply"), | |
}), | |
]), | |
}); | |
// 106028:01: "Deny <protocol> (Connection marked for Deletion) ...". The text
// after "flags" is stored in network_service.
var msg1217 = match({ | |
id: "MESSAGE#98:106028:01", | |
dissect: { | |
tokenizer: "Deny %{protocol->} (Connection marked for Deletion) from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} flags %{network_service->} on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106028:01"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup196, | |
]), | |
}); | |
// Tries the echo form first, then the "Deny ..." form.
var select289 = linear_select([ | |
all297, | |
msg1217, | |
]); | |
var all298 = all_match({ | |
processors: [ | |
dup44, | |
dup266, | |
dup322, | |
dup323, | |
], | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("411003"), | |
}), | |
dup38, | |
dup13, | |
dup39, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1218 = match({ | |
id: "MESSAGE#696:505007", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup207, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("505007"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1219 = match({ | |
id: "MESSAGE#210:199009:01", | |
dissect: { | |
tokenizer: "Reloaded at %{event_time_string->} by failover parser thread. Reload reason: %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup207, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("199009:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Reload operation by failover parser thread"), | |
}), | |
]), | |
}); | |
var msg1220 = match({ | |
id: "MESSAGE#211:199009/0", | |
dissect: { | |
tokenizer: "Reloaded at %{event_time_string->} by %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg1221 = match({ | |
id: "MESSAGE#211:199009/2", | |
dissect: { | |
tokenizer: "%{process->}. Reload reason: %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var msg1222 = match({ | |
id: "MESSAGE#211:199009/3", | |
dissect: { | |
tokenizer: "[%{result->}] ", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select290 = linear_select([ | |
msg1222, | |
dup422, | |
]); | |
var all299 = all_match({ | |
processors: [ | |
msg1220, | |
dup61, | |
msg1221, | |
select290, | |
], | |
on_success: processor_chain([ | |
dup207, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("199009"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Reload operation"), | |
}), | |
]), | |
}); | |
var select291 = linear_select([ | |
msg1219, | |
all299, | |
]); | |
var msg1223 = match({ | |
id: "MESSAGE#440:321001", | |
dissect: { | |
tokenizer: "Resource %{fld1->} limit of %{fld2->} reached.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("321001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1224 = match({ | |
id: "MESSAGE#441:321001:01", | |
dissect: { | |
tokenizer: "Resource %{fld1->} limit of %{fld2->} reached for context %{fld3->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("321001:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var select292 = linear_select([ | |
msg1223, | |
msg1224, | |
]); | |
var msg1225 = match({ | |
id: "MESSAGE#502:400005", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
var msg1226 = match({ | |
id: "MESSAGE#585:403506", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("403506"), | |
}), | |
dup38, | |
dup39, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1227 = match({ | |
id: "MESSAGE#940:713228/2", | |
dissect: { | |
tokenizer: "%{saddr->}, Assigned private IP address %{stransaddr->} to remote user", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all300 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
msg1227, | |
], | |
on_success: processor_chain([ | |
dup58, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713228"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1228 = match({ | |
id: "MESSAGE#1097:718039", | |
dissect: { | |
tokenizer: "Process dead peer[%{peer->}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("718039"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Process dead"), | |
}), | |
]), | |
}); | |
var msg1229 = match({ | |
id: "MESSAGE#1230:737005", | |
dissect: { | |
tokenizer: "%{process->}: %{result->}, request succeeded for tunnel-group '%{group->}'", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("request succeeded for tunnel-group"), | |
}), | |
]), | |
}); | |
var msg1230 = match({ | |
id: "MESSAGE#1233:737007/1", | |
dissect: { | |
tokenizer: "%{process->}: Session=%{sessionid->} Local pool request failed for tunnel-group '%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg1231 = match({ | |
id: "MESSAGE#1233:737007/1", | |
dissect: { | |
tokenizer: "%{process->} Local pool request failed for tunnel-group '%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var select293 = linear_select([ | |
msg1230, | |
msg1231, | |
]); | |
var msg1232 = match({ | |
id: "MESSAGE#1233:737007/1", | |
dissect: { | |
tokenizer: "%{group_object->}'", | |
field: "nwparser.p0", | |
}, | |
}); | |
var all301 = all_match({ | |
processors: [ | |
select293, | |
msg1232, | |
], | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737007"), | |
}), | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Local pool request failed for tunnel-group"), | |
}), | |
]), | |
}); | |
// Patterns for msg_id1 "106008" and "106008:01" ("Translation for <host>
// denied by <direction> ..."). hostip holds the address the translation was
// for, direction the word after "denied by", fld1 the remaining text.
//
// msg1233 requires the literal "(source is denied)" after the direction.
var msg1233 = match({ | |
id: "MESSAGE#65:106008", | |
dissect: { | |
tokenizer: "Translation for %{hostip->} denied by %{direction->} (source is denied) %{fld1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106008"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup423, | |
]), | |
}); | |
// General form without the "(source is denied)" literal; its chain also
// applies dup14.
var msg1234 = match({ | |
id: "MESSAGE#66:106008:01", | |
dissect: { | |
tokenizer: "Translation for %{hostip->} denied by %{direction->} %{fld1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106008:01"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup423, | |
]), | |
}); | |
// Order matters: msg1234 would also accept the text msg1233 handles and put
// "(source is denied) ..." into fld1, so the specific form is listed first.
var select294 = linear_select([ | |
msg1233, | |
msg1234, | |
]); | |
var msg1235 = match({ | |
id: "MESSAGE#233:202005", | |
dissect: { | |
tokenizer: "Non-embryonic in embryonic list %{saddr->}/%{sport->} %{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("202005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1236 = match({ | |
id: "MESSAGE#405:312001", | |
dissect: { | |
tokenizer: "RIP hdr failed from %{saddr->}: cmd=%{fld1->}, version=%{fld2->} domain=%{fld3->} on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup41, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("312001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var all302 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
dup241, | |
], | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713130"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1237 = match({ | |
id: "MESSAGE#1244:737019", | |
dissect: { | |
tokenizer: "%{process->}: Unable to get address from group-policy or tunnel-group local pools", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737019"), | |
}), | |
dup2, | |
dup3, | |
dup424, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1238 = match({ | |
id: "MESSAGE#1245:737019:01", | |
dissect: { | |
tokenizer: "%{process->}: Session=%{sessionid->}, Unable to get address from group-policy or tunnel-group local pools", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737019:01"), | |
}), | |
dup2, | |
dup3, | |
dup424, | |
dup4, | |
dup5, | |
]), | |
}); | |
var select295 = linear_select([ | |
msg1237, | |
msg1238, | |
]); | |
var msg1239 = match({ | |
id: "MESSAGE#255:212002", | |
dissect: { | |
tokenizer: "Unable to open %{protocol->} trap channel (UDP port %{network_port->}) on interface %{interface->}, error code = %{resultcode->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup75, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("212002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1240 = match({ | |
id: "MESSAGE#725:603106/0", | |
dissect: { | |
tokenizer: "L2TP Tunnel created%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg1241 = match({ | |
id: "MESSAGE#725:603106/2", | |
dissect: { | |
tokenizer: "%{->}tunnel_id is %{fld1->}, remote_peer_ip is %{saddr->}, ppp_virtual_interface_id is %{interface->}, client_dynamic_ip is %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var msg1242 = match({ | |
id: "MESSAGE#725:603106/4", | |
dissect: { | |
tokenizer: "%{daddr->}, username is %{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg1243 = match({ | |
id: "MESSAGE#725:603106/4", | |
dissect: { | |
tokenizer: "%{daddr->} username is %{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select296 = linear_select([ | |
msg1242, | |
msg1243, | |
]); | |
var all303 = all_match({ | |
processors: [ | |
msg1240, | |
dup235, | |
msg1241, | |
select296, | |
dup384, | |
], | |
on_success: processor_chain([ | |
dup82, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("603106"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("L2TP tunnel created"), | |
}), | |
]), | |
}); | |
// Pattern for msg_id1 "603108" (PPTP tunnel built), assembled from pieces.
// msg1244 matches "Built PPTP " and leaves the rest in p0; dup425 (defined
// elsewhere) handles the next segment; msg1245 continues at "unnel at".
var msg1244 = match({ | |
id: "MESSAGE#727:603108/0", | |
dissect: { | |
tokenizer: "Built PPTP %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Interface, tunnel id (fld1), remote peer (saddr), virtual interface (vsys)
// and the client's dynamic IP (daddr); the text after "username = " goes to p2.
var msg1245 = match({ | |
id: "MESSAGE#727:603108/2", | |
dissect: { | |
tokenizer: "unnel at %{interface->}, tunnel-id = %{fld1->}, remote-peer = %{saddr->}, virtual-interface = %{vsys->}, client-dynamic-ip = %{daddr->}, username = %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// User name with or without single quotes, ended by the literal
// " , MPPE-key-strength = ".
var msg1246 = match({ | |
id: "MESSAGE#727:603108/4", | |
dissect: { | |
tokenizer: "'%{username->}' , MPPE-key-strength = %{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg1247 = match({ | |
id: "MESSAGE#727:603108/4", | |
dissect: { | |
tokenizer: "%{username->} , MPPE-key-strength = %{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
// Quoted form first, so the quotes do not end up inside username.
var select297 = linear_select([ | |
msg1246, | |
msg1247, | |
]); | |
// The MPPE key strength is stored in fld2.
// NOTE(review): fld2 looks like a scratch field; whether it is kept on the
// final event is not visible here. If tunnel encryption strength is needed
// for monitoring, confirm it is mapped to a retained field.
var msg1248 = match({ | |
id: "MESSAGE#727:603108/4", | |
dissect: { | |
tokenizer: "%{fld2->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var all304 = all_match({ | |
processors: [ | |
msg1244, | |
dup425, | |
msg1245, | |
select297, | |
msg1248, | |
], | |
on_success: processor_chain([ | |
dup82, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("603108"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("PPTP tunnel created"), | |
}), | |
]), | |
}); | |
// Cisco ASA 717010: the whole payload is captured as event_description, then
// the success chain stamps msg_id1 and applies shared dup* steps defined
// elsewhere in the file.
var msg1249 = match({
  id: "MESSAGE#1071:717010",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("717010") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 722003: built entirely from shared stages (dup352, dup353, dup354)
// defined elsewhere; only the msg_id1 stamp is specific to this message.
var all305 = all_match({
  processors: [
    dup352,
    dup353,
    dup354,
  ],
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("722003") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 105037: catch-all pattern, the full payload becomes
// event_description before msg_id1 is stamped.
var msg1250 = match({
  id: "MESSAGE#46:105037",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({ dest: "nwparser.msg_id1", value: constant("105037") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 602201 ("ISAKMP Phase 1 SA created"), responder and initiator
// forms. The two tokenizers swap the field mapping so that saddr/sport is the
// initiating peer in both: in the responder form the remote end is the source,
// in the initiator form the local end is.
// select298 lists the responder form first.
var msg1251 = match({
  id: "MESSAGE#710:602201",
  dissect: {
    tokenizer: "ISAKMP Phase 1 SA created (local %{daddr->}/%{dport->} (responder), remote %{saddr->}/%{sport->}, %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("602201") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});

var msg1252 = match({
  id: "MESSAGE#711:602201:01",
  dissect: {
    tokenizer: "ISAKMP Phase 1 SA created (local %{saddr->}/%{sport->} (initiator), remote %{daddr->}/%{dport->}, %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("602201:01") }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});

var select298 = linear_select([
  msg1251,
  msg1252,
]);
// Cisco ASA 606001 ("PDM/ASDM session started").
// msg1253 reads nwparser.p1 and starts at "DM session"; the leading letters
// are presumably consumed by the shared stages dup44/dup426 so that both the
// PDM and ASDM spellings are accepted. It extracts the session id and the
// management client's address (hostip).
var msg1253 = match({
  id: "MESSAGE#740:606001/2",
  dissect: {
    tokenizer: "DM session number %{sessionid->} from %{hostip->} started",
    field: "nwparser.p1",
  },
});

var all306 = all_match({
  processors: [
    dup44,
    dup426,
    msg1253,
  ],
  on_success: processor_chain([
    dup105,
    set_field({ dest: "nwparser.msg_id1", value: constant("606001") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("PDM/ASDM session started"),
    }),
  ]),
});
// Cisco ASA 702205, two variants assembled from shared stages only.
// Both start with dup427 and dup247; the ":01" variant ends with dup132 and
// additionally applies dup14, the base variant ends with dup130.
// select299 lists the ":01" variant first.
var all307 = all_match({
  processors: [
    dup427,
    dup247,
    dup132,
  ],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("702205:01") }),
    dup7,
    dup14,
    dup4,
    dup5,
    dup2,
    dup3,
    dup248,
  ]),
});

var all308 = all_match({
  processors: [
    dup427,
    dup247,
    dup130,
  ],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("702205") }),
    dup7,
    dup4,
    dup5,
    dup2,
    dup3,
    dup248,
  ]),
});

var select299 = linear_select([
  all307,
  all308,
]);
// Cisco ASA 603109 ("Teardown PPPOE tunnel").
// msg1254 consumes the "Teardown PPPOE " prefix; msg1255 reads nwparser.p1
// (filled by an earlier stage, presumably dup425) and extracts the interface,
// tunnel id and remote peer address.
var msg1254 = match({
  id: "MESSAGE#728:603109/0",
  dissect: {
    tokenizer: "Teardown PPPOE %{p0->}",
    field: "nwparser.payload",
  },
});

var msg1255 = match({
  id: "MESSAGE#728:603109/2",
  dissect: {
    tokenizer: "unnel at %{interface->}, tunnel-id = %{fld1->}, remote-peer = %{saddr->}",
    field: "nwparser.p1",
  },
});

var all309 = all_match({
  processors: [
    msg1254,
    dup425,
    msg1255,
  ],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("603109") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Teardown PPPOE tunnel"),
    }),
  ]),
});
// Cisco ASA 611308 (VPN client split-DNS policy installed).
// The text after "List of domains:" goes to an unnamed token (%{->}), so the
// domain list itself is presumably not kept in any field.
var msg1256 = match({
  id: "MESSAGE#764:611308",
  dissect: {
    tokenizer: "VPNClient: Split DNS Policy installed: List of domains:%{->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("611308") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    dup269,
  ]),
});
// Cisco ASA 715058 (NAT-Discovery payloads missing, NAT-Traversal aborted).
// Extracts the tunnel group and the peer address (saddr); the rest of the
// message is fixed text.
var msg1257 = match({
  id: "MESSAGE#1030:715058",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, NAT-Discovery payloads missing. Aborting NAT-Traversal.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup166,
    set_field({ dest: "nwparser.msg_id1", value: constant("715058") }),
    dup7,
    dup13,
    dup38,
    dup2,
    dup3,
    dup4,
    dup5,
    dup245,
  ]),
});
// Cisco ASA 725007 ("SSL session with ... terminated").
// msg1258 consumes the "SSL session with " prefix. select300 lists the
// two-endpoint form (source/port to destination/port) before the single
// host/port form. msg1261 matches the trailing "." read from nwparser.p4.
// The remaining stages (dup92, dup249, dup254) are shared and defined elsewhere.
var msg1258 = match({
  id: "MESSAGE#1193:725007/0",
  dissect: {
    tokenizer: "SSL session with %{p0->}",
    field: "nwparser.payload",
  },
});

var msg1259 = match({
  id: "MESSAGE#1193:725007/4",
  dissect: {
    tokenizer: "%{saddr->}/%{sport->} to %{daddr->}/%{dport->} terminated%{p3->}",
    field: "nwparser.p2",
  },
});

var msg1260 = match({
  id: "MESSAGE#1193:725007/4",
  dissect: {
    tokenizer: "%{hostip->}/%{network_port->} terminated%{p3->}",
    field: "nwparser.p2",
  },
});

var select300 = linear_select([
  msg1259,
  msg1260,
]);

var msg1261 = match({
  id: "MESSAGE#1193:725007/5",
  dissect: {
    tokenizer: ".%{->}",
    field: "nwparser.p4",
  },
});

var all310 = all_match({
  processors: [
    msg1258,
    dup92,
    dup249,
    select300,
    dup254,
    msg1261,
  ],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("725007") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 201001 ("Out of connections!"). The two slash-separated values
// after the fixed text are kept in the generic fields fld1 and fld2.
var msg1262 = match({
  id: "MESSAGE#215:201001",
  dissect: {
    tokenizer: "Out of connections! %{fld1->}/%{fld2->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("201001") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 216001: catch-all pattern, the full payload becomes
// event_description before msg_id1 is stamped.
var msg1263 = match({
  id: "MESSAGE#266:216001",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("216001") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 713121: extracts the peer address after "IP = " into saddr and
// keeps the remainder of the payload as event_description.
var msg1264 = match({
  id: "MESSAGE#887:713121",
  dissect: {
    tokenizer: "IP = %{saddr->}, %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("713121") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 713273 in three shapes, listed in select301 from most to least
// specific prefix: Group + Username + IP, Group + IP, Username + IP.
// Each keeps the trailing text in info; the ":01" and ":02" variants also
// apply dup14.
var msg1265 = match({
  id: "MESSAGE#910:713273",
  dissect: {
    tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713273") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    dup428,
  ]),
});

var msg1266 = match({
  id: "MESSAGE#911:713273:01",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713273:01") }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup428,
  ]),
});

var msg1267 = match({
  id: "MESSAGE#912:713273:02",
  dissect: {
    tokenizer: "Username = %{username->}, IP = %{saddr->}, %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713273:02") }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup428,
  ]),
});

var select301 = linear_select([
  msg1265,
  msg1266,
  msg1267,
]);
// Cisco ASA 405104 (H225 message received before SETUP).
// Extracts the message type (fld) and both endpoints with ports, then replaces
// the description with a fixed string.
var msg1268 = match({
  id: "MESSAGE#593:405104",
  dissect: {
    tokenizer: "H225 message %{fld->} received from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} before SETUP",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup41,
    set_field({ dest: "nwparser.msg_id1", value: constant("405104") }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("H225 message received from before SETUP"),
    }),
  ]),
});
// Cisco ASA 605005 (login to the device permitted), two forms.
// all311: the explicit "Login permitted from <src>/<port> to <if>:<dst>/<svc>
// for user ..." form; result is set to the constant "Login permitted".
// all312: a generic "<result> for user ..." form where result is whatever
// text precedes " for user " in the message.
// Both hand the user part (p0) to the shared stage dup429.
// Differences in the success chains: all311 applies dup35 where all312
// applies dup3, and only all312 applies dup14.
// select302 lists the explicit form first.
var msg1269 = match({
  id: "MESSAGE#738:605005/0",
  dissect: {
    tokenizer: "Login permitted from %{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{service->} for user %{p0->}",
    field: "nwparser.payload",
  },
});

var all311 = all_match({
  processors: [
    msg1269,
    dup429,
  ],
  on_success: processor_chain([
    dup105,
    set_field({ dest: "nwparser.msg_id1", value: constant("605005") }),
    dup17,
    dup106,
    dup18,
    dup40,
    dup2,
    dup35,
    dup4,
    dup5,
    set_field({ dest: "nwparser.result", value: constant("Login permitted") }),
  ]),
});

var msg1270 = match({
  id: "MESSAGE#739:605005:01/0",
  dissect: {
    tokenizer: "%{result->} for user %{p0->}",
    field: "nwparser.payload",
  },
});

var all312 = all_match({
  processors: [
    msg1270,
    dup429,
  ],
  on_success: processor_chain([
    dup105,
    set_field({ dest: "nwparser.msg_id1", value: constant("605005:01") }),
    dup17,
    dup106,
    dup18,
    dup40,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});

var select302 = linear_select([
  all311,
  all312,
]);
// Cisco ASA 210021 ("LU create static xlate ... failed"): extracts the host
// address and interface named in the message.
var msg1271 = match({
  id: "MESSAGE#250:210021",
  dissect: {
    tokenizer: "LU create static xlate %{hostip->} ifc %{interface->} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup161,
    set_field({ dest: "nwparser.msg_id1", value: constant("210021") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 215001: catch-all pattern, the full payload becomes
// event_description before msg_id1 is stamped.
var msg1272 = match({
  id: "MESSAGE#265:215001",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("215001") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 307001 (denied management login session).
// select303 lists the form that ends with "on interface <name>" before the
// shorter form without an interface; the shorter form also applies dup14.
// Both extract the protocol and the source address of the denied session.
var msg1273 = match({
  id: "MESSAGE#390:307001",
  dissect: {
    tokenizer: "Denied %{protocol->} login session from %{saddr->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup84,
    set_field({ dest: "nwparser.msg_id1", value: constant("307001") }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup430,
    dup431,
    dup432,
  ]),
});

var msg1274 = match({
  id: "MESSAGE#391:307001:01",
  dissect: {
    tokenizer: "Denied %{protocol->} login session from %{saddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup84,
    set_field({ dest: "nwparser.msg_id1", value: constant("307001:01") }),
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup430,
    dup431,
    dup432,
  ]),
});

var select303 = linear_select([
  msg1273,
  msg1274,
]);
// Cisco ASA 337005 (Phone Proxy SRTP: media session not found).
// Extracts the media endpoint (hostip/network_port) and the packet's source
// and destination interface, address and port; the description is then
// replaced with a fixed string.
var msg1275 = match({
  id: "MESSAGE#469:337005",
  dissect: {
    tokenizer: "Phone Proxy SRTP: Media session not found for %{hostip->}/%{network_port->} for packet from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("337005") }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Phone Proxy SRTP: Media session not found"),
    }),
  ]),
});
// Cisco ASA 302008 ("Teardown conduit"): extracts both interfaces and
// addresses, the IP version (fld1) and the protocol.
var msg1276 = match({
  id: "MESSAGE#287:302008",
  dissect: {
    tokenizer: "Teardown conduit from %{sinterface->}:%{saddr->} to %{dinterface->}:%{daddr->} IP version %{fld1->} protocol %{protocol->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup36,
    set_field({ dest: "nwparser.msg_id1", value: constant("302008") }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup306,
  ]),
});
// Cisco ASA 737033 (unable to assign the AAA-provided IP address to a client).
// Extracts the reporting process, the address in parentheses (hostip) and the
// trailing reason text (result); the description is a fixed string.
var msg1277 = match({
  id: "MESSAGE#1252:737033",
  dissect: {
    tokenizer: "%{process->}: Unable to assign AAA provided IP address (%{hostip->}) to Client. %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("737033") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Unable to assign AAA provided IP address to Client"),
    }),
  ]),
});
// Cisco ASA 713074: extracts the tunnel group and peer address, and keeps the
// remainder of the payload as event_description.
var msg1278 = match({
  id: "MESSAGE#877:713074",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup244,
    set_field({ dest: "nwparser.msg_id1", value: constant("713074") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    dup245,
  ]),
});
// Cisco ASA 717025 (validating a certificate chain): the certificate count is
// kept in fld1 and the description is replaced with a fixed string.
var msg1279 = match({
  id: "MESSAGE#1075:717025",
  dissect: {
    tokenizer: "Validating certificate chain containing %{fld1->} certificate(s)",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup83,
    set_field({ dest: "nwparser.msg_id1", value: constant("717025") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Validating certificate chain"),
    }),
  ]),
});
// Cisco ASA 202002 ("Unable to find translation"): extracts the SRC= and
// DEST= addresses; anything after them is kept in info.
var msg1280 = match({
  id: "MESSAGE#230:202002",
  dissect: {
    tokenizer: "Unable to find translation for SRC=%{saddr->} DEST=%{daddr->} %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("202002") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 317003: catch-all pattern, the full payload becomes
// event_description before msg_id1 is stamped.
var msg1281 = match({
  id: "MESSAGE#425:317003",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("317003") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 444108 (shared license client added / expired).
// Both forms extract the client id into hostid and set a fixed description;
// the "expired" form is tagged ":01" and also applies dup14.
// select304 lists the "added" form first.
var msg1282 = match({
  id: "MESSAGE#671:444108",
  dissect: {
    tokenizer: "Shared license added client id %{hostid->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("444108") }),
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license added client"),
    }),
  ]),
});

var msg1283 = match({
  id: "MESSAGE#672:444108:01",
  dissect: {
    tokenizer: "Shared license expired client id %{hostid->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("444108:01") }),
    dup14,
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license expired client"),
    }),
  ]),
});

var select304 = linear_select([
  msg1282,
  msg1283,
]);
// Cisco ASA 611103 ("User logged out").
// msg1284 consumes the fixed prefix and passes the user part (p0) to the
// shared stage dup238. Unlike most parsers in this file, the success chain
// sets nwparser.eventcategory inline ("1401070000") instead of through a
// shared dup* step.
var msg1284 = match({
  id: "MESSAGE#755:611103/0",
  dissect: {
    tokenizer: "User logged out: Uname: %{p0->}",
    field: "nwparser.payload",
  },
});

var all313 = all_match({
  processors: [
    msg1284,
    dup238,
  ],
  on_success: processor_chain([
    set_field({
      dest: "nwparser.eventcategory",
      value: constant("1401070000"),
    }),
    set_field({ dest: "nwparser.msg_id1", value: constant("611103") }),
    dup7,
    dup17,
    dup143,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("User logged out"),
    }),
  ]),
});
// Cisco ASA 338310 (dynamic filter update failed): extracts the updater
// server name into web_domain and the failure reason into result.
var msg1285 = match({
  id: "MESSAGE#496:338310",
  dissect: {
    tokenizer: "Failed to update from dynamic filter updater server %{web_domain->}, reason: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup338,
    set_field({ dest: "nwparser.msg_id1", value: constant("338310") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 106016 ("Deny <protocol> spoof from (<src>) to <dst>").
// select305 lists the form ending with "on interface <name>" before the
// shorter form; the shorter form is tagged ":01" and also applies dup14.
// The source address is the one printed in parentheses, i.e. the address the
// device reported as spoofed.
var msg1286 = match({
  id: "MESSAGE#82:106016",
  dissect: {
    tokenizer: "Deny %{protocol->} spoof from (%{saddr->}) to %{daddr->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup101,
    set_field({ dest: "nwparser.msg_id1", value: constant("106016") }),
    dup99,
    dup320,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup196,
  ]),
});

var msg1287 = match({
  id: "MESSAGE#83:106016:01",
  dissect: {
    tokenizer: "Deny %{protocol->} spoof from (%{saddr->}) to %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup101,
    set_field({ dest: "nwparser.msg_id1", value: constant("106016:01") }),
    dup99,
    dup320,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup196,
  ]),
});

var select305 = linear_select([
  msg1286,
  msg1287,
]);
// Cisco ASA 716047 (user ACL ignored).
// msg1288 reads nwparser.p1 (filled by the shared stages dup77/dup78) and
// extracts the client address, the ACL name (listnum), its origin (fld1) and
// the trailing explanation (info).
// NOTE(review): "\u003c\u003c" is the escaped spelling of "<<". It is
// presumably an escaped literal "<" carried over from the source parser
// format; confirm against a sample log that the tokenizer treats it that way,
// because a literal "<<" requirement would leave these events unparsed.
var msg1288 = match({
  id: "MESSAGE#1057:716047/2",
  dissect: {
    tokenizer: "%{saddr->}> User ACL \u003c\u003c%{listnum->}> from %{fld1->} ignored, %{info->}.",
    field: "nwparser.p1",
  },
});

var all314 = all_match({
  processors: [
    dup77,
    dup78,
    msg1288,
  ],
  on_success: processor_chain([
    dup420,
    set_field({ dest: "nwparser.msg_id1", value: constant("716047") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 409023 (AAA fallback attempted, auth-server group unreachable).
// msg1289 extracts the fallback method (process) and purpose (info), leaving
// the user part in p0. select306 lists the quoted-username form before the
// unquoted one. msg1292 extracts the unreachable server group into product.
// The success chain sets result to a fixed string.
// NOTE(review): msg1290, msg1291 and msg1292 share the id
// "MESSAGE#616:409023/2"; confirm ids are labels only.
// NOTE(review): username comes from the authentication attempt, so it is
// remote-influenced text. In the unquoted fallback a value containing " : "
// would presumably move the split point; treat it as untrusted downstream.
var msg1289 = match({
  id: "MESSAGE#616:409023/0",
  dissect: {
    tokenizer: "Attempting AAA Fallback method %{process->} for %{info->} for user %{p0->}",
    field: "nwparser.payload",
  },
});

var msg1290 = match({
  id: "MESSAGE#616:409023/2",
  dissect: {
    tokenizer: "'%{username->}' : %{p1->}",
    field: "nwparser.p0",
  },
});

var msg1291 = match({
  id: "MESSAGE#616:409023/2",
  dissect: {
    tokenizer: "%{username->} : %{p1->}",
    field: "nwparser.p0",
  },
});

var select306 = linear_select([
  msg1290,
  msg1291,
]);

var msg1292 = match({
  id: "MESSAGE#616:409023/2",
  dissect: {
    tokenizer: "%{space->} Auth-server group %{product->} unreachable",
    field: "nwparser.p1",
  },
});

var all315 = all_match({
  processors: [
    msg1289,
    select306,
    msg1292,
  ],
  on_success: processor_chain([
    dup86,
    set_field({ dest: "nwparser.msg_id1", value: constant("409023") }),
    dup65,
    dup87,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.result",
      value: constant("Auth-server group unreachable"),
    }),
  ]),
});
// Cisco ASA 709008: the full payload becomes event_description, and result is
// set to a fixed string. Note the result assignment sits between dup3 and
// dup4 in the chain; the order is kept as in the original.
var msg1293 = match({
  id: "MESSAGE#841:709008",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup161,
    set_field({ dest: "nwparser.msg_id1", value: constant("709008") }),
    dup2,
    dup3,
    set_field({
      dest: "nwparser.result",
      value: constant("Configuration may be out of sync"),
    }),
    dup4,
    dup5,
  ]),
});
// Cisco ASA 713206 ("Tunnel Rejected"): extracts the tunnel group, the peer
// address and the rejection reason (result).
// The event description is taken from the shared value dup433 rather than an
// inline constant.
var msg1294 = match({
  id: "MESSAGE#927:713206",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, Tunnel Rejected: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("713206") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: dup433,
    }),
  ]),
});
// Cisco ASA 716601 (Hostscan data rejected): extracts a qualifier (fld1), the
// client address (saddr) and the trailing explanation (info).
// NOTE(review): "\u003c\u003c" is the escaped spelling of "<<", presumably an
// escaped literal "<" from the source parser format; confirm against a sample
// log, since a mismatch would leave these rejections unparsed.
var msg1295 = match({
  id: "MESSAGE#1295:716601",
  dissect: {
    tokenizer: "Rejected %{fld1->} Hostscan data from IP \u003c\u003c%{saddr->}>. %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("716601") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Rejected Hostscan data"),
    }),
  ]),
});
// Cisco ASA 105005 (lost failover communications with mate): extracts the
// parenthesised unit context and the interface name.
var msg1296 = match({
  id: "MESSAGE#30:105005",
  dissect: {
    tokenizer: "(%{context->}) Lost Failover communications with mate on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup326,
    set_field({ dest: "nwparser.msg_id1", value: constant("105005") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Lost Failover communications with mate on interface"),
    }),
  ]),
});
// Cisco ASA 210006 ("LU look NAT for <host> failed"): extracts the host
// address into hostip.
var msg1297 = match({
  id: "MESSAGE#245:210006",
  dissect: {
    tokenizer: "LU look NAT for %{hostip->} failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup161,
    set_field({ dest: "nwparser.msg_id1", value: constant("210006") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 335004 ("NAC is disabled for host"): extracts the host address
// and sets a fixed description.
var msg1298 = match({
  id: "MESSAGE#467:335004",
  dissect: {
    tokenizer: "NAC is disabled for host - %{hostip->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup375,
    set_field({ dest: "nwparser.msg_id1", value: constant("335004") }),
    dup376,
    dup38,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("NAC is disabled"),
    }),
  ]),
});
// Cisco ASA 406002 (FTP PORT command names a different address than the
// client's). saddr is the client, fld1 the address given in parentheses,
// daddr the server; the interface is captured as well.
var msg1299 = match({
  id: "MESSAGE#596:406002",
  dissect: {
    tokenizer: "FTP port command different address: %{saddr->}(%{fld1->}) to %{daddr->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup239,
    set_field({ dest: "nwparser.msg_id1", value: constant("406002") }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup240,
  ]),
});
// Cisco ASA 722051 (address assigned to a VPN session), two layouts.
// all316 (":01"): dual-stack layout with an IPv4 address (stransaddr) and an
// IPv6 part kept in info. select308/select309 accept either capitalisation of
// "Address"/"address" by matching the first letter separately.
// all317: single-address layout, stransaddr only.
// In both, select307/select310 list the form with a parenthesised second
// value (fld1) after saddr before the form without it. select311 lists the
// dual-stack layout first.
// NOTE(review): "\u003c\u003c" is the escaped spelling of "<<", presumably an
// escaped literal "<" from the source parser format; confirm against a sample
// log, since a mismatch would leave address assignments unparsed.
// NOTE(review): several stages share an id (".../3", ".../4", ".../6");
// confirm ids are labels only.
var msg1300 = match({
  id: "MESSAGE#1178:722051:01/3",
  dissect: {
    tokenizer: "%{saddr->} (%{fld1->}) > IPv4 %{p2->}",
    field: "nwparser.p1",
  },
});

var msg1301 = match({
  id: "MESSAGE#1178:722051:01/3",
  dissect: {
    tokenizer: "%{saddr->} > IPv4 %{p2->}",
    field: "nwparser.p1",
  },
});

var select307 = linear_select([
  msg1300,
  msg1301,
]);

var msg1302 = match({
  id: "MESSAGE#1178:722051:01/4",
  dissect: {
    tokenizer: "A%{p3->}",
    field: "nwparser.p2",
  },
});

var msg1303 = match({
  id: "MESSAGE#1178:722051:01/4",
  dissect: {
    tokenizer: "a%{p3->}",
    field: "nwparser.p2",
  },
});

var select308 = linear_select([
  msg1302,
  msg1303,
]);

var msg1304 = match({
  id: "MESSAGE#1178:722051:01/4",
  dissect: {
    tokenizer: "ddress \u003c\u003c %{stransaddr->} > IPv6 %{p4->}",
    field: "nwparser.p3",
  },
});

var msg1305 = match({
  id: "MESSAGE#1178:722051:01/6",
  dissect: {
    tokenizer: "a%{p5->}",
    field: "nwparser.p4",
  },
});

var msg1306 = match({
  id: "MESSAGE#1178:722051:01/6",
  dissect: {
    tokenizer: "A%{p5->}",
    field: "nwparser.p4",
  },
});

var select309 = linear_select([
  msg1305,
  msg1306,
]);

var msg1307 = match({
  id: "MESSAGE#1178:722051:01/6",
  dissect: {
    tokenizer: "ddress \u003c\u003c%{info->}> assigned to session",
    field: "nwparser.p5",
  },
});

var all316 = all_match({
  processors: [
    dup181,
    dup182,
    select307,
    select308,
    msg1304,
    select309,
    msg1307,
  ],
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("722051:01") }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("specific address is assigned to session"),
    }),
  ]),
});

var msg1308 = match({
  id: "MESSAGE#1179:722051/3",
  dissect: {
    tokenizer: "%{saddr->} (%{fld1->}) > Address \u003c\u003c %{p2->}",
    field: "nwparser.p1",
  },
});

var msg1309 = match({
  id: "MESSAGE#1179:722051/3",
  dissect: {
    tokenizer: "%{saddr->} > Address \u003c\u003c %{p2->}",
    field: "nwparser.p1",
  },
});

var select310 = linear_select([
  msg1308,
  msg1309,
]);

var msg1310 = match({
  id: "MESSAGE#1179:722051/3",
  dissect: {
    tokenizer: "%{stransaddr->} > assigned to session",
    field: "nwparser.p2",
  },
});

var all317 = all_match({
  processors: [
    dup181,
    dup182,
    select310,
    msg1310,
  ],
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("722051") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    dup434,
  ]),
});

var select311 = linear_select([
  all316,
  all317,
]);
// Cisco ASA 735006 ("Power Supply Unit Redundancy Lost"): fixed text only;
// anything after it goes to an unnamed token. The description is set to the
// same fixed string.
var msg1311 = match({
  id: "MESSAGE#1224:735006",
  dissect: {
    tokenizer: "Power Supply Unit Redundancy Lost%{->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("735006") }),
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Power Supply Unit Redundancy Lost"),
    }),
  ]),
});
// Cisco ASA 106103 (access-list hit with endpoints and hit count).
// msg1312 (":01") is the per-user form: it also extracts the action and the
// quoted username and keeps trailing text in info. msg1313 is the form without
// action or user. select312 lists the per-user form first.
// Both extract the ACL name (listnum), protocol, both interface/address/port
// triples and the hit counter (dclass_counter1).
var msg1312 = match({
  id: "MESSAGE#107:106103:01",
  dissect: {
    tokenizer: "access-list %{listnum->} %{action->} %{protocol->} for user '%{username->}' %{sinterface->}/%{saddr->}(%{sport->}) -> %{dinterface->}/%{daddr->}(%{dport->}) hit-cnt %{dclass_counter1->} %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("106103:01") }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup203,
  ]),
});

var msg1313 = match({
  id: "MESSAGE#108:106103",
  dissect: {
    tokenizer: "access-list %{listnum->} %{protocol->} %{sinterface->}/%{saddr->}(%{sport->}) -> %{dinterface->}/%{daddr->}(%{dport->}) hit-cnt %{dclass_counter1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("106103") }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
    dup203,
  ]),
});

var select312 = linear_select([
  msg1312,
  msg1313,
]);
// Cisco ASA 718005 ("Fail to send to <addr> port <port>").
// The target of the failed send is stored in saddr/sport, as written in the
// tokenizer; the description is a fixed string.
var msg1314 = match({
  id: "MESSAGE#1087:718005",
  dissect: {
    tokenizer: "Fail to send to %{saddr->} port %{sport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("718005") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Fail to send to host"),
    }),
  ]),
});
// Cisco ASA 721010: extracts the suffix of the parenthesised "WebVPN-..." tag
// into context and keeps the rest of the payload as event_description.
var msg1315 = match({
  id: "MESSAGE#1149:721010",
  dissect: {
    tokenizer: "(WebVPN-%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("721010") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 722028 ("Stale SVC connection closed").
// msg1316 reads nwparser.p1 (filled by the shared stages dup77/dup78) and
// extracts the client address; the description is a fixed string.
var msg1316 = match({
  id: "MESSAGE#1164:722028/2",
  dissect: {
    tokenizer: "%{saddr->}> Stale SVC connection closed.",
    field: "nwparser.p1",
  },
});

var all318 = all_match({
  processors: [
    dup77,
    dup78,
    msg1316,
  ],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("722028") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Stale SVC connection closed"),
    }),
  ]),
});
// Cisco ASA 702209, two variants assembled from shared stages only.
// Both start with dup435 and dup129; the ":01" variant ends with dup132 and
// additionally applies dup14, the base variant ends with dup130.
// select313 lists the ":01" variant first.
var all319 = all_match({
  processors: [
    dup435,
    dup129,
    dup132,
  ],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702209:01") }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup405,
    dup4,
    dup5,
  ]),
});

var all320 = all_match({
  processors: [
    dup435,
    dup129,
    dup130,
  ],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702209") }),
    dup7,
    dup2,
    dup3,
    dup405,
    dup4,
    dup5,
  ]),
});

var select313 = linear_select([
  all319,
  all320,
]);
// Cisco ASA 776251 (CTS SGT-MAP binding added to the binding manager).
// Extracts the bound address and the value after "/" (saddr/sport), the tag
// pair after "->" (fld1 and group) and the binding origin (fld2).
// NOTE(review): this success chain applies dup14, dup3 and dup5 but neither
// dup2 nor dup4, which the other parsers in this part of the file apply;
// confirm the omission is intended, since fields set by those steps would be
// missing for this message.
var msg1317 = match({
  id: "MESSAGE#1306:776251",
  dissect: {
    tokenizer: "CTS SGT-MAP: Binding %{saddr->}/%{sport->}->%{fld1->}:%{group->} from %{fld2->} added to binding manager.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("776251") }),
    dup14,
    dup3,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("added to binding manager"),
    }),
  ]),
});
// Cisco ASA 105035: catch-all pattern, the full payload becomes
// event_description before msg_id1 is stamped.
var msg1318 = match({
  id: "MESSAGE#43:105035",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup324,
    set_field({ dest: "nwparser.msg_id1", value: constant("105035") }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 338201 (greylisted traffic, dynamic filter).
// msg1319 reads nwparser.p3 and starts mid-word at "ed greylisted"; the verb
// stem is presumably consumed by the shared stages before it (dup183, dup184,
// dup213, dup214). It extracts the protocol, real and translated endpoints on
// both sides, the matched source (fld1), the list it resolved from (fld2 and
// web_domain), the threat level (severity) and the category (result).
var msg1319 = match({
  id: "MESSAGE#483:338201/4",
  dissect: {
    tokenizer: "ed greylisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), source %{fld1->} resolved from %{fld2->} list:%{web_domain->} threat-level: %{severity->}, category: %{result->}",
    field: "nwparser.p3",
  },
});

var all321 = all_match({
  processors: [
    dup183,
    dup184,
    dup213,
    dup214,
    msg1319,
  ],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("338201") }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Cisco ASA 400016 (signature-style alert: "<product>:<sigid> <text> from
// <src> to <dst> on interface <if>"). The signature text between the id and
// " from " is kept in context.
var msg1320 = match({
  id: "MESSAGE#513:400016",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({ dest: "nwparser.msg_id1", value: constant("400016") }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});
// Cisco ASA 602203, two variants assembled from shared stages only.
// Both start with dup436 and dup129. select314 lists the ":01" variant first.
// NOTE(review): here the ":01" variant (with dup14) ends with dup130 and the
// base variant ends with dup132, the reverse of the pairing used for 702205
// and 702209 in this file; confirm the msg_id1 labels are attached to the
// intended layouts.
var all322 = all_match({
  processors: [
    dup436,
    dup129,
    dup130,
  ],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("602203:01") }),
    dup7,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup437,
  ]),
});

var all323 = all_match({
  processors: [
    dup436,
    dup129,
    dup132,
  ],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("602203") }),
    dup7,
    dup2,
    dup3,
    dup4,
    dup5,
    dup437,
  ]),
});

var select314 = linear_select([
  all322,
  all323,
]);
// Message 718072: load-balancing role change; captures the context name and
// sets a fixed event_description.
var msg1321 = match({
  id: "MESSAGE#1109:718072",
  dissect: {
    tokenizer: "Becoming master of Load Balancing in context %{context->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718072") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Becoming master of Load Balancing"),
    }),
  ]),
});
// Message 737029, second part: form carrying a "Session=" prefix.
// Note both alternatives share the same id string, and both tokenizers end
// with a literal trailing space.
var msg1322 = match({
  id: "MESSAGE#1248:737029/1",
  dissect: {
    tokenizer: "Session=%{sessionid->}, Added %{hostip->} to standby ",
    field: "nwparser.p0",
  },
});

// Message 737029, second part: form without the session prefix.
var msg1323 = match({
  id: "MESSAGE#1248:737029/1",
  dissect: {
    tokenizer: "Added %{hostip->} to standby ",
    field: "nwparser.p0",
  },
});

// Session-prefixed form is listed before the bare form.
var select315 = linear_select([msg1322, msg1323]);

// Message 737029 assembled: shared first part (dup53) followed by select315.
var all324 = all_match({
  processors: [dup53, select315],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("737029") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Added host to standby"),
    }),
  ]),
});
// Message 302303: state-bypass connection built. Captures protocol,
// connection id, and interface/address/port plus translated address/port
// for both source and destination.
var msg1324 = match({
  id: "MESSAGE#343:302303",
  dissect: {
    tokenizer: "Built %{protocol->} state-bypass connection %{connectionid->} from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("302303") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Built state-bypass connection"),
    }),
  ]),
});
// Message 722049, address part: form with a parenthesised value (fld1)
// after the source address.
var msg1325 = match({
  id: "MESSAGE#1176:722049/3",
  dissect: {
    tokenizer: "%{saddr->} (%{fld1->}) > Session terminated: %{p2->}",
    field: "nwparser.p1",
  },
});

// Message 722049, address part: form with the bare source address.
var msg1326 = match({
  id: "MESSAGE#1176:722049/3",
  dissect: {
    tokenizer: "%{saddr->} > Session terminated: %{p2->}",
    field: "nwparser.p1",
  },
});

// Parenthesised form is listed first; presumably linear_select stops at the
// first alternative that matches -- TODO confirm.
var select316 = linear_select([msg1325, msg1326]);

// Message 722049 (session terminated) assembled from shared parts,
// select316 and a shared trailing part (dup438).
var all325 = all_match({
  processors: [dup181, dup182, select316, dup438],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("722049") }),
    dup2, dup3, dup4, dup5,
    dup372,
  ]),
});
// Message 725016, first part: trust-point name and client interface; the
// remainder is handed on in p0.
var msg1327 = match({
  id: "MESSAGE#1204:725016/0",
  dissect: {
    tokenizer: "Device selects trust-point %{network_service->} for client %{interface->}: %{p0->}",
    field: "nwparser.payload",
  },
});

// Message 725016, endpoint part: form with two underscore-separated prefix
// values (fld1, fld2) before the source address.
var msg1328 = match({
  id: "MESSAGE#1204:725016/1",
  dissect: {
    tokenizer: "%{fld1->}_%{fld2->}_%{saddr->}/%{sport->} to %{daddr->}/%{dport->} ",
    field: "nwparser.p0",
  },
});

// Message 725016, endpoint part: plain address/port form.
var msg1329 = match({
  id: "MESSAGE#1204:725016/1",
  dissect: {
    tokenizer: "%{saddr->}/%{sport->} to %{daddr->}/%{dport->} ",
    field: "nwparser.p0",
  },
});

// Prefixed form is listed before the plain form.
var select317 = linear_select([msg1328, msg1329]);

// Message 725016 assembled. Unlike most sibling chains, this one runs dup35
// in place of dup2/dup3 before dup4 and dup5.
var all326 = all_match({
  processors: [msg1327, select317],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("725016") }),
    dup35,
    dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Device selects trust-point"),
    }),
  ]),
});
// Message 737010: client-requested address succeeded; captures the process
// name and the assigned host IP.
var msg1330 = match({
  id: "MESSAGE#1234:737010",
  dissect: {
    tokenizer: "%{process->}: Client requested address %{hostip->}, request succeeded",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("737010") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Client requested address succeeded"),
    }),
  ]),
});

// Message 737010, variant ":01": address assigned by AAA.
var msg1331 = match({
  id: "MESSAGE#1235:737010:01",
  dissect: {
    tokenizer: "%{process->}: AAA assigned address %{hostip->} succeeded",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("737010:01") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("AAA assigned address succeeded"),
    }),
  ]),
});

// Alternatives for 737010.
var select318 = linear_select([msg1330, msg1331]);
// Message 610001: a daemon denied a packet; captures the service, the
// interface and the sending host IP.
var msg1332 = match({
  id: "MESSAGE#749:610001",
  dissect: {
    tokenizer: "%{service->} daemon interface %{interface->}: Packet denied from %{hostip->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("610001") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Packet denied"),
    }),
  ]),
});
// Message 715042: built entirely from shared parts (dup22, dup23, dup174)
// defined elsewhere in this file.
var all327 = all_match({
  processors: [dup22, dup23, dup174],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("715042") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 771002: system clock change. Captures the change source, the
// originating IP and the before/after values (change_old, change_new),
// which are the fields needed to reconcile event timelines afterwards.
var msg1333 = match({
  id: "MESSAGE#1301:771002",
  dissect: {
    tokenizer: "CLOCK: %{fld1->}, source: %{fld2->}, IP: %{saddr->}, before: %{change_old->}, after: %{change_new->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup84,
    set_field({ dest: "nwparser.msg_id1", value: constant("771002") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("System clock set"),
    }),
  ]),
});
// Message 104001: "(context)description(cause: result)." form.
var msg1334 = match({
  id: "MESSAGE#20:104001",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}(cause: %{result->}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({ dest: "nwparser.msg_id1", value: constant("104001") }),
    dup38, dup13, dup39,
    dup2, dup3, dup4, dup5,
  ]),
});

// Message 104001, variant ":01": "(context)description - result." form.
// Runs dup14 in addition to the steps of the base variant.
var msg1335 = match({
  id: "MESSAGE#21:104001:01",
  dissect: {
    tokenizer: "(%{context->})%{event_description->} - %{result->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({ dest: "nwparser.msg_id1", value: constant("104001:01") }),
    dup38, dup13, dup39, dup14,
    dup2, dup3, dup4, dup5,
  ]),
});

// Alternatives for 104001, "(cause: ...)" form first.
var select319 = linear_select([msg1334, msg1335]);
// Message 105008, first part: context, then the rest is passed on in p0.
var msg1336 = match({
  id: "MESSAGE#33:105008/0",
  dissect: {
    tokenizer: "(%{context->}) Testing %{p0->}",
    field: "nwparser.payload",
  },
});

// Message 105008, last part. The tokenizer starts mid-word ("nterface");
// the leading character is presumably consumed by dup266 -- TODO confirm.
var msg1337 = match({
  id: "MESSAGE#33:105008/2",
  dissect: {
    tokenizer: "nterface %{interface->}",
    field: "nwparser.p1",
  },
});

// Message 105008 (interface test) assembled.
var all328 = all_match({
  processors: [msg1336, dup266, msg1337],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("105008") }),
    dup2, dup3, dup4, dup5,
    dup363,
  ]),
});
// Message 109010: failed authentication. Captures source and destination
// address/port, the failure reason (result) and the interface -- the
// fields a failed-auth detection would key on.
var msg1338 = match({
  id: "MESSAGE#131:109010",
  dissect: {
    tokenizer: "Auth from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} failed (%{result->}) on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup86,
    set_field({ dest: "nwparser.msg_id1", value: constant("109010") }),
    dup18, dup99, dup87,
    dup2, dup3, dup4, dup5,
    dup191,
  ]),
});
// Message 444109: shared-license backup server role change; the new role is
// captured as result. dup4/dup5 run before dup2/dup3 in this chain.
var msg1339 = match({
  id: "MESSAGE#673:444109",
  dissect: {
    tokenizer: "Shared license backup server role change to %{result->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("444109") }),
    dup4, dup5, dup2, dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license backup server role changed"),
    }),
  ]),
});
// Message 444101: shared license service active; trailing text kept as info.
var msg1340 = match({
  id: "MESSAGE#667:444101",
  dissect: {
    tokenizer: "Shared license service is active. %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("444101") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared license service is active"),
    }),
  ]),
});
// Message 603105, first part: fixed prefix, remainder passed on in p0.
var msg1341 = match({
  id: "MESSAGE#724:603105/0",
  dissect: {
    tokenizer: "PPTP Tunnel deleted%{p0->}",
    field: "nwparser.payload",
  },
});

// Message 603105, last part: tunnel id (fld1) and remote peer address.
var msg1342 = match({
  id: "MESSAGE#724:603105/2",
  dissect: {
    tokenizer: "%{->}tunnel_id =%{fld1->}, remote_peer_ip=%{saddr->}",
    field: "nwparser.p1",
  },
});

// Message 603105 (PPTP tunnel deleted) assembled, with the shared middle
// part dup235.
var all329 = all_match({
  processors: [msg1341, dup235, msg1342],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("603105") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("PPTP tunnel deleted"),
    }),
  ]),
});
// Message 111008 records which user executed which command. The four
// partial matchers below all carry the same id string ("...111008/2"), so
// the id alone does not tell which one fired.

// User part: user name wrapped in single quotes.
var msg1343 = match({
  id: "MESSAGE#172:111008/2",
  dissect: {
    tokenizer: "'%{username->}' executed the %{p1->}",
    field: "nwparser.p0",
  },
});

// User part: unquoted user name.
var msg1344 = match({
  id: "MESSAGE#172:111008/2",
  dissect: {
    tokenizer: "%{username->} executed the %{p1->}",
    field: "nwparser.p0",
  },
});

// Quoted form first: the unquoted pattern would also fit a quoted line and
// would then keep the quotes inside username. Presumably linear_select
// stops at the first match -- TODO confirm.
var select320 = linear_select([msg1343, msg1344]);

// Command part: "command NAME " form.
var msg1345 = match({
  id: "MESSAGE#172:111008/2",
  dissect: {
    tokenizer: "command %{action->} ",
    field: "nwparser.p1",
  },
});

// Command part: "'NAME' command " form.
var msg1346 = match({
  id: "MESSAGE#172:111008/2",
  dissect: {
    tokenizer: "'%{action->}' command ",
    field: "nwparser.p1",
  },
});

var select321 = linear_select([msg1345, msg1346]);

// Message 111008 assembled: shared prefix (dup262), user part, command part.
var all330 = all_match({
  processors: [dup262, select320, select321],
  on_success: processor_chain([
    dup105,
    set_field({ dest: "nwparser.msg_id1", value: constant("111008") }),
    dup2, dup3, dup4, dup5,
    dup362,
  ]),
});
// Message 444104: shared license availability for a protocol; details kept
// as info. dup4/dup5 run before dup2/dup3 in this chain.
var msg1347 = match({
  id: "MESSAGE#669:444104",
  dissect: {
    tokenizer: "Shared %{protocol->} license availability: %{info->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("444104") }),
    dup4, dup5, dup2, dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Shared protocol license availability"),
    }),
  ]),
});
// Message 613001: the whole payload is kept as event_description; no
// structured fields are extracted for this id.
var msg1348 = match({
  id: "MESSAGE#783:613001",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup165,
    set_field({ dest: "nwparser.msg_id1", value: constant("613001") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 716052: per-user line giving group (fld0), user name and source
// address; the rest of the text is kept as info.
var msg1349 = match({
  id: "MESSAGE#1059:716052",
  dissect: {
    tokenizer: "Group %{fld0->} User %{username->} IP %{saddr->} %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("716052") }),
    dup42, dup43, dup19,
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 113028 (username extraction from a VPN client certificate),
// first part: fixed prefix, remainder passed on in p0.
var msg1350 = match({
  id: "MESSAGE#1280:113028/0",
  dissect: {
    tokenizer: "Extraction of username from VPN client certificate has %{p0->}",
    field: "nwparser.payload",
  },
});

// Disposition part: "finished DISPOSITION" form.
var msg1351 = match({
  id: "MESSAGE#1280:113028/2",
  dissect: {
    tokenizer: "finished %{disposition->}. [Request %{p1->}",
    field: "nwparser.p0",
  },
});

// Disposition part: "been DISPOSITION" form.
var msg1352 = match({
  id: "MESSAGE#1280:113028/2",
  dissect: {
    tokenizer: "been %{disposition->}. [Request %{p1->}",
    field: "nwparser.p0",
  },
});

// Disposition part: fallback with no leading verb.
var msg1353 = match({
  id: "MESSAGE#1280:113028/2",
  dissect: {
    tokenizer: "%{disposition->}. [Request %{p1->}",
    field: "nwparser.p0",
  },
});

// The verb-less fallback is last so that "finished"/"been" do not end up
// inside disposition (assuming linear_select stops at the first match).
var select322 = linear_select([msg1351, msg1352, msg1353]);

// Request part: value up to the closing bracket, kept as fld1.
var msg1354 = match({
  id: "MESSAGE#1280:113028/2",
  dissect: {
    tokenizer: "%{fld1->}]",
    field: "nwparser.p1",
  },
});

// Message 113028 assembled.
var all331 = all_match({
  processors: [msg1350, select322, msg1354],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("113028") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 108004, variant ":01", first part: SMTP bad checksum. The
// tokenizer stops after "Re"; the following shared parts presumably handle
// the rest of the word and the endpoints -- TODO confirm.
var msg1355 = match({
  id: "MESSAGE#116:108004:01/0",
  dissect: {
    tokenizer: "SMTP: Bad Checksum %{network_service->} Re%{p0->}",
    field: "nwparser.payload",
  },
});

// Variant ":01" assembled from msg1355 and six shared parts.
var all332 = all_match({
  processors: [msg1355, dup439, dup440, dup345, dup346, dup441, dup442],
  on_success: processor_chain([
    dup256,
    set_field({ dest: "nwparser.msg_id1", value: constant("108004:01") }),
    dup14,
    dup2, dup3, dup4, dup5,
  ]),
});

// Message 108004, base variant: single-line form with no endpoints.
var msg1356 = match({
  id: "MESSAGE#117:108004",
  dissect: {
    tokenizer: "Bad Checksum in %{network_service->} response",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup256,
    set_field({ dest: "nwparser.msg_id1", value: constant("108004") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// Message 108004, variant ":02", first part: ESMTP classification with the
// action taken.
var msg1357 = match({
  id: "MESSAGE#118:108004:02/0",
  dissect: {
    tokenizer: "ESMTP Classification: %{action->} for %{network_service->} Re%{p0->}",
    field: "nwparser.payload",
  },
});

// Variant ":02" assembled; same shared tail as all332.
var all333 = all_match({
  processors: [msg1357, dup439, dup440, dup345, dup346, dup441, dup442],
  on_success: processor_chain([
    dup256,
    set_field({ dest: "nwparser.msg_id1", value: constant("108004:02") }),
    dup14,
    dup2, dup3, dup4, dup5,
  ]),
});

// Alternatives for 108004 in the order ":01", base, ":02".
var select323 = linear_select([all332, msg1356, all333]);
// Message 610002: a daemon rejected a packet because authentication failed;
// captures the service, the interface and the source address.
var msg1358 = match({
  id: "MESSAGE#750:610002",
  dissect: {
    tokenizer: "%{service->} daemon interface %{interface->}: Authentication failed for packet from %{saddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup86,
    set_field({ dest: "nwparser.msg_id1", value: constant("610002") }),
    dup18, dup19,
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Authentication failed"),
    }),
  ]),
});
// Message 721004: WebVPN line; captures the context suffix and keeps the
// rest of the text as event_description.
var msg1359 = match({
  id: "MESSAGE#1148:721004",
  dissect: {
    tokenizer: "(WebVPN-%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("721004") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 722005: per-session line with group, user name and source address
// in angle brackets, followed by free-text event_description.
// NOTE(review): each \u003c\u003c decodes to two consecutive less-than
// signs, so this pattern only matches text with a doubled opening bracket
// before every value. Confirm against a captured sample that the device
// emits that; if it emits a single bracket this id would never match and
// its group/username/saddr fields would stay unpopulated.
var msg1360 = match({
  id: "MESSAGE#1155:722005",
  dissect: {
    tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> %{event_description->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("722005") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 715055: built entirely from shared parts (dup22, dup23, dup241)
// defined elsewhere in this file.
var all334 = all_match({
  processors: [dup22, dup23, dup241],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("715055") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 718051: secure tunnel to a peer deleted; the peer address is read
// from inside the square brackets.
var msg1361 = match({
  id: "MESSAGE#1102:718051",
  dissect: {
    tokenizer: "Deleted secure tunnel to peer %{space->} [%{saddr->}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718051") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Deleted secure tunnel to peer"),
    }),
  ]),
});
// Last part of message 338102 (whitelisted traffic), read from nwparser.p1.
// The tokenizer starts mid-word ("ilter"); the leading text is presumably
// consumed by the shared parts dup183/dup184 -- TODO confirm.
var msg1362 = match({
  id: "MESSAGE#480:338102/2",
  dissect: {
    tokenizer: "ilter %{action->} whitelisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), destination %{fld1->} resolved from %{fld2->} list:%{web_domain->}",
    field: "nwparser.p1",
  },
});

// Message 338102 assembled.
var all335 = all_match({
  processors: [dup183, dup184, msg1362],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("338102") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 400027: signature-style line giving product, signature id, context,
// source and destination address, and the interface.
var msg1363 = match({
  id: "MESSAGE#524:400027",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup109,
    set_field({ dest: "nwparser.msg_id1", value: constant("400027") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// Message 420005: a virtual sensor was deleted; captures the sensor name
// (vsys) and the product it was removed from.
var msg1364 = match({
  id: "MESSAGE#660:420005",
  dissect: {
    tokenizer: "Virtual Sensor %{vsys->} was deleted from the %{product->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup107,
    set_field({ dest: "nwparser.msg_id1", value: constant("420005") }),
    dup108, dup38,
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Virtual Sensor deleted"),
    }),
  ]),
});
// Message 713251, last part: source address followed by the fixed
// authentication-failure text.
var msg1365 = match({
  id: "MESSAGE#948:713251/2",
  dissect: {
    tokenizer: "%{saddr->}, Received authentication failure message",
    field: "nwparser.p1",
  },
});

// Message 713251 assembled. This chain sets eventcategory inline
// ("1301020000") instead of using a shared dupN step.
var all336 = all_match({
  processors: [dup22, dup23, msg1365],
  on_success: processor_chain([
    set_field({ dest: "nwparser.eventcategory", value: constant("1301020000") }),
    set_field({ dest: "nwparser.msg_id1", value: constant("713251") }),
    dup7, dup133, dup134, dup18, dup19,
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Received authentication failure message"),
    }),
  ]),
});
// Message 713034, base variant: built from shared parts only.
var all337 = all_match({
  processors: [dup22, dup23, dup300],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("713034") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});

// Message 713034, variant ":01": "Group = ..., IP = ... , action:info".
// The literal space before the second comma is part of the pattern.
var msg1366 = match({
  id: "MESSAGE#859:713034:01",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->} , %{action->}:%{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("713034:01") }),
    dup7, dup14,
    dup2, dup3, dup4, dup5,
  ]),
});

// Alternatives for 713034, base variant first.
var select324 = linear_select([all337, msg1366]);
// Message 715009, last part: source address, action and info.
var msg1367 = match({
  id: "MESSAGE#996:715009/2",
  dissect: {
    tokenizer: "%{saddr->}, %{action->}: %{info->}",
    field: "nwparser.p1",
  },
});

// Message 715009 assembled with shared leading parts dup22/dup23.
var all338 = all_match({
  processors: [dup22, dup23, msg1367],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("715009") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});

// Message 715009, variant ":01", last part: action and info only.
var msg1368 = match({
  id: "MESSAGE#997:715009:01/2",
  dissect: {
    tokenizer: "%{action->}: %{info->}",
    field: "nwparser.p1",
  },
});

// Variant ":01" assembled with shared leading parts dup44/dup175.
var all339 = all_match({
  processors: [dup44, dup175, msg1368],
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("715009:01") }),
    dup7, dup14,
    dup2, dup3, dup4, dup5,
  ]),
});

// Alternatives for 715009, base variant first.
var select325 = linear_select([all338, all339]);
// Message 409007: the whole payload is kept as event_description; no
// structured fields are extracted for this id.
var msg1369 = match({
  id: "MESSAGE#609:409007",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("409007") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 505013, first part: form naming the product and slot. The pattern
// ends at the opening double quote; the quoted text is passed on in p0.
var msg1370 = match({
  id: "MESSAGE#698:505013/1",
  dissect: {
    tokenizer: "%{product->} Module in slot %{fld1->}, application reloading \"%{p0->}",
    field: "nwparser.payload",
  },
});

// Message 505013, first part: fixed "Module ips" form.
var msg1371 = match({
  id: "MESSAGE#698:505013/1",
  dissect: {
    tokenizer: "Module ips, application reloading \"%{p0->}",
    field: "nwparser.payload",
  },
});

// Product/slot form is listed before the fixed form.
var select326 = linear_select([msg1370, msg1371]);

// Message 505013 (module application reloading) assembled. This chain sets
// eventcategory inline ("1702010000").
var all340 = all_match({
  processors: [select326, dup57],
  on_success: processor_chain([
    set_field({ dest: "nwparser.eventcategory", value: constant("1702010000") }),
    set_field({ dest: "nwparser.msg_id1", value: constant("505013") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 746015: user-identity FQDN resolution; captures the domain and
// the address it resolved to.
var msg1372 = match({
  id: "MESSAGE#1286:746015",
  dissect: {
    tokenizer: "user-identity: [FQDN] %{domain->} resolved %{hostip->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup67,
    set_field({ dest: "nwparser.msg_id1", value: constant("746015") }),
    dup14,
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 405003: IP address collision. Captures the colliding host IP with
// its MAC address, plus the local interface and its MAC address. The chain
// sets eventcategory inline ("1805010100") and runs dup25 where most
// sibling chains run dup3.
var msg1373 = match({
  id: "MESSAGE#1292:405003",
  dissect: {
    tokenizer: "IP address collision detected between host %{hostip->} at %{smacaddr->} and interface %{dinterface->}, %{dmacaddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    set_field({ dest: "nwparser.eventcategory", value: constant("1805010100") }),
    set_field({ dest: "nwparser.msg_id1", value: constant("405003") }),
    dup14,
    dup2, dup25, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("IP address collision detected"),
    }),
  ]),
});
// Message 109005, first part: fixed "succeeded" prefix; the user and
// endpoint text is passed on in p0 for the shared parts dup61/dup62.
var msg1374 = match({
  id: "MESSAGE#126:109005/0",
  dissect: {
    tokenizer: "Authentication succeeded for user %{p0->}",
    field: "nwparser.payload",
  },
});

// Message 109005 (successful authentication) assembled. The result constant
// is capitalised here ("Successful Authentication") while the 109006 chain
// in this file writes "authentication failure" in lower case, so queries on
// nwparser.result should not assume one casing.
var all341 = all_match({
  processors: [msg1374, dup61, dup62],
  on_success: processor_chain([
    dup63,
    set_field({ dest: "nwparser.msg_id1", value: constant("109005") }),
    dup17, dup18, dup40,
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.result",
      value: constant("Successful Authentication"),
    }),
  ]),
});
// Message 402102: packet missing an expected element; captures the
// destination address and the actual protocol. Sets both a fixed
// event_description and a fixed result.
var msg1375 = match({
  id: "MESSAGE#555:402102",
  dissect: {
    tokenizer: "%{fld1->}: packet missing %{fld2->}, destadr=%{daddr->}, actual prot=%{protocol->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("402102") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("invalid packet"),
    }),
    set_field({
      dest: "nwparser.result",
      value: constant("missing packet type"),
    }),
  ]),
});
// Message 715035: keepalive monitor started; captures the peer address and
// the interval in seconds (duration).
var msg1376 = match({
  id: "MESSAGE#1007:715035",
  dissect: {
    tokenizer: "IP = %{saddr->}, Starting IOS keepalive monitor: %{duration->} sec.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("715035") }),
    dup7,
    dup2, dup3, dup4, dup5,
    dup245,
  ]),
});
// Message 722041, first part: tunnel group (fld1) and group policy, with the
// user text passed on in p0.
// NOTE(review): each \u003c\u003c decodes to two consecutive less-than
// signs, so the pattern requires a doubled opening bracket before each
// value. Confirm against a captured sample; if the device emits a single
// bracket this id would never match.
var msg1377 = match({
  id: "MESSAGE#1173:722041/0",
  dissect: {
    tokenizer: "TunnelGroup \u003c\u003c %{fld1->} > GroupPolicy \u003c\u003c %{group->} > User %{p0->}",
    field: "nwparser.payload",
  },
});

// Address part: form with a parenthesised value (fld2) after the address.
var msg1378 = match({
  id: "MESSAGE#1173:722041/2",
  dissect: {
    tokenizer: "%{saddr->} (%{fld2->}) > No IPv6 address available for SVC connection",
    field: "nwparser.p1",
  },
});

// Address part: bare address form.
var msg1379 = match({
  id: "MESSAGE#1173:722041/2",
  dissect: {
    tokenizer: "%{saddr->} > No IPv6 address available for SVC connection",
    field: "nwparser.p1",
  },
});

// Parenthesised form is listed before the bare form.
var select327 = linear_select([msg1378, msg1379]);

// Message 722041 assembled, with the shared middle part dup182.
var all342 = all_match({
  processors: [msg1377, dup182, select327],
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("722041") }),
    dup7,
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("No IPv6 address available for SVC connection"),
    }),
  ]),
});
// Message 717030: the whole payload is kept as event_description; no
// structured fields are extracted for this id.
var msg1380 = match({
  id: "MESSAGE#1080:717030",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup83,
    set_field({ dest: "nwparser.msg_id1", value: constant("717030") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 199003: the whole payload is kept as event_description; no
// structured fields are extracted for this id.
var msg1381 = match({
  id: "MESSAGE#204:199003",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("199003") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 199006 (orderly reload), first part: start time (fld1); the
// initiator text is passed on in p0.
var msg1382 = match({
  id: "MESSAGE#207:199006/0",
  dissect: {
    tokenizer: "Orderly reload started at %{fld1->} by %{p0->}",
    field: "nwparser.payload",
  },
});

// Initiator part: user name, access protocol and remote address of whoever
// requested the reload.
var msg1383 = match({
  id: "MESSAGE#207:199006/2",
  dissect: {
    tokenizer: "%{->} %{username->} from %{protocol->} (remote %{saddr->})%{p1->}",
    field: "nwparser.p0",
  },
});

// Remote-initiator form first, then the shared alternative dup367.
var select328 = linear_select([msg1383, dup367]);

// Reason part: free-text reload reason kept as result.
var msg1384 = match({
  id: "MESSAGE#207:199006/2",
  dissect: {
    tokenizer: ". Reload reason: %{result->}",
    field: "nwparser.p1",
  },
});

// Message 199006 assembled. event_description is set between dup3 and dup4
// in this chain.
var all343 = all_match({
  processors: [msg1382, select328, msg1384],
  on_success: processor_chain([
    dup207,
    set_field({ dest: "nwparser.msg_id1", value: constant("199006") }),
    dup2, dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Orderly reload started"),
    }),
    dup4, dup5,
  ]),
});
// Message 210002: the whole payload is kept as event_description; no
// structured fields are extracted for this id.
var msg1385 = match({
  id: "MESSAGE#242:210002",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup165,
    set_field({ dest: "nwparser.msg_id1", value: constant("210002") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 403110: the whole payload is kept as event_description. The chain
// shares dup86 and dup87 with the 109010 authentication-failure chain in
// this file, so only the category-style tagging is structured here.
var msg1386 = match({
  id: "MESSAGE#578:403110",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup86,
    set_field({ dest: "nwparser.msg_id1", value: constant("403110") }),
    dup38, dup39, dup87,
    dup2, dup3, dup4, dup5,
  ]),
});
// Last part of message 338203 (dropped greylisted traffic), read from
// nwparser.p1. Captures both endpoints with translated addresses, the
// matched list domain, the threat level (severity) and category (result).
// The tokenizer starts mid-word ("ilter"); the leading text is presumably
// consumed by the shared parts dup183/dup184 -- TODO confirm.
var msg1387 = match({
  id: "MESSAGE#485:338203/2",
  dissect: {
    tokenizer: "ilter dropped greylisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), source %{fld1->} resolved from %{fld2->} list:%{web_domain->} threat-level: %{severity->}, category: %{result->}",
    field: "nwparser.p1",
  },
});

// Message 338203 assembled.
var all344 = all_match({
  processors: [dup183, dup184, msg1387],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("338203") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 400036: signature-style line giving product, signature id, context,
// source and destination address, and the interface.
var msg1388 = match({
  id: "MESSAGE#533:400036",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup76,
    set_field({ dest: "nwparser.msg_id1", value: constant("400036") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// Message 415001: HTTP tunnel detected. Captures signature id, listnum,
// protocol and both addresses. Unlike most chains here it writes the fixed
// text to nwparser.context rather than nwparser.event_description.
var msg1389 = match({
  id: "MESSAGE#632:415001",
  dissect: {
    tokenizer: "%{sigid->} HTTP Tunnel detected - %{listnum->} %{protocol->} from %{saddr->} to %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup206,
    set_field({ dest: "nwparser.msg_id1", value: constant("415001") }),
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.context",
      value: constant("HTTP Tunnel detected"),
    }),
  ]),
});
// Message 702302: the whole payload is kept as event_description; no
// structured fields are extracted for this id.
var msg1390 = match({
  id: "MESSAGE#829:702302",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("702302") }),
    dup7,
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 106001: connection denied, form ending with the interface.
// Captures direction, protocol, both address/port pairs, the flags (fld1)
// and the interface.
var msg1391 = match({
  id: "MESSAGE#57:106001",
  dissect: {
    tokenizer: "%{direction->} %{protocol->} connection denied from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} flags %{fld1->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("106001") }),
    dup99, dup102, dup43,
    dup2, dup3, dup4, dup5,
    dup27, dup196,
  ]),
});

// Message 106001, variant ":01": same line without the interface suffix.
var msg1392 = match({
  id: "MESSAGE#58:106001:01",
  dissect: {
    tokenizer: "%{direction->} %{protocol->} connection denied from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} flags %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("106001:01") }),
    dup99, dup102, dup43, dup14,
    dup2, dup3, dup4, dup5,
    dup27, dup196,
  ]),
});

// The interface form comes first: the shorter pattern ends in an open
// capture (fld1) and would presumably swallow " on interface ..." into the
// flags value if it were tried first -- TODO confirm linear_select order.
var select329 = linear_select([msg1391, msg1392]);
// Message 109006, first part: fixed "failed" prefix; the user and endpoint
// text is passed on in p0 for the shared parts dup61/dup62.
var msg1393 = match({
  id: "MESSAGE#127:109006/0",
  dissect: {
    tokenizer: "Authentication failed for user %{p0->}",
    field: "nwparser.payload",
  },
});

// Message 109006 (failed authentication) assembled. The result constant is
// lower case here ("authentication failure") while the 109005 chain in this
// file writes "Successful Authentication", so queries on nwparser.result
// should not assume one casing.
var all345 = all_match({
  processors: [msg1393, dup61, dup62],
  on_success: processor_chain([
    dup16,
    set_field({ dest: "nwparser.msg_id1", value: constant("109006") }),
    dup17, dup18, dup19,
    dup2, dup3, dup4, dup5,
    set_field({
      dest: "nwparser.result",
      value: constant("authentication failure"),
    }),
  ]),
});
// Message 213004: the whole payload is captured as event_description.
var msg1394 = match({
  id: "MESSAGE#263:213004",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("213004") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 324005 ("Unable to create tunnel"): extracts both endpoints as
// interface:address/port and records a fixed result string.
var msg1395 = match({
  id: "MESSAGE#458:324005",
  dissect: {
    tokenizer: "Unable to create tunnel from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("324005") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("Unable to create tunnel") }),
  ]),
});
// Message 735005: fixed-text hardware status line; nothing is extracted, the
// description is set from a constant.
var msg1396 = match({
  id: "MESSAGE#1223:735005",
  dissect: {
    tokenizer: "Power Supply Unit Redundancy OK%{->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("735005") }),
    dup4, dup5, dup2, dup3,
    set_field({ dest: "nwparser.event_description", value: constant("Power Supply Unit Redundancy OK") }),
  ]),
});
// Message 208005: captures the function name (fld1), the cleared item (fld2)
// and the return code.
var msg1397 = match({
  id: "MESSAGE#235:208005",
  dissect: {
    tokenizer: "(FUNCTION:%{fld1->}) pix clear %{fld2->} return %{resultcode->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup165,
    set_field({ dest: "nwparser.msg_id1", value: constant("208005") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 318007: the whole payload is captured as event_description.
var msg1398 = match({
  id: "MESSAGE#434:318007",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("318007") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 324001 (GTPv0 parsing error): extracts both endpoints, the TID
// (fld1) and the device-reported reason (result).
var msg1399 = match({
  id: "MESSAGE#454:324001",
  dissect: {
    tokenizer: "GTPv0 packet parsing error from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}, TID: %{fld1->}, Reason: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("324001") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("GTPv0 packet parsing error") }),
  ]),
});
// Message 400002: signature-style line carrying product, signature id (sigid),
// a free-text context, source/destination address and the interface.
var msg1400 = match({
  id: "MESSAGE#499:400002",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({ dest: "nwparser.msg_id1", value: constant("400002") }),
    dup2, dup3, dup4, dup5, dup27, dup28, dup29, dup30,
  ]),
});
// Message 338104 (Dynamic Filter, whitelisted traffic), parsed in steps:
// dup183/dup184/dup230 (defined elsewhere) run first, then a keyword taken
// from p2, then the connection details taken from p3.
// NOTE(review): the three sub-patterns below share one id string, so the id
// alone does not show which step matched.
var msg1401 = match({
  id: "MESSAGE#482:338104/4",
  dissect: {
    tokenizer: "action%{p3->}",
    field: "nwparser.p2",
  },
});

var msg1402 = match({
  id: "MESSAGE#482:338104/4",
  dissect: {
    tokenizer: "monitored%{p3->}",
    field: "nwparser.p2",
  },
});

var select330 = linear_select([
  msg1401,
  msg1402,
]);

// Extracts real and translated endpoints, the resolved destination (hostip),
// the list name (listnum) and trailing info.
var msg1403 = match({
  id: "MESSAGE#482:338104/4",
  dissect: {
    tokenizer: "%{->}whitelisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), destination %{hostip->} resolved from %{listnum->} list: %{info->}",
    field: "nwparser.p3",
  },
});

// NOTE(review): select330 accepts either "action" or "monitored", but the
// description below is fixed to "... monitored ..." — confirm this is intended.
var all346 = all_match({
  processors: [
    dup183,
    dup184,
    dup230,
    select330,
    msg1403,
  ],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("338104") }),
    dup42, dup43, dup40, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Dynamic Filter monitored whitelisted traffic") }),
  ]),
});
// Message 721003: "(WebVPN-<context>) <description>." — the trailing period is
// part of the pattern and is not included in event_description.
var msg1404 = match({
  id: "MESSAGE#1147:721003",
  dissect: {
    tokenizer: "(WebVPN-%{context->}) %{event_description->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({ dest: "nwparser.msg_id1", value: constant("721003") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 103006: "(<context>)<description>" with no space after the bracket.
var msg1405 = match({
  id: "MESSAGE#18:103006",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup161,
    set_field({ dest: "nwparser.msg_id1", value: constant("103006") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 106009 (translation denied): extracts source address, destination
// address/port and the direction; the text after the bracketed reason goes to fld1.
var msg1406 = match({
  id: "MESSAGE#67:106009",
  dissect: {
    tokenizer: "Translation for %{saddr->} to %{daddr->}/%{dport->} denied by %{direction->} (destination is denied) %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("106009") }),
    dup99, dup102, dup43, dup2, dup3, dup4, dup5, dup27, dup423,
  ]),
});
// Message 302024: built entirely from shared steps (dup307, dup443, dup310)
// defined elsewhere in the file; only the message id is set here.
var all347 = all_match({
  processors: [
    dup307,
    dup443,
    dup310,
  ],
  on_success: processor_chain([
    dup204,
    set_field({ dest: "nwparser.msg_id1", value: constant("302024") }),
    dup42, dup43, dup40, dup2, dup3, dup4, dup5, dup311,
  ]),
});
// Message 104004: "(<context>)<description>".
var msg1407 = match({
  id: "MESSAGE#25:104004",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup157,
    set_field({ dest: "nwparser.msg_id1", value: constant("104004") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 701001: the whole payload is captured as event_description.
var msg1408 = match({
  id: "MESSAGE#802:701001",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("701001") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 718044 ("Deleted peer"): the peer address is taken from the
// bracketed value; the description is a constant.
var msg1409 = match({
  id: "MESSAGE#1098:718044",
  dissect: {
    tokenizer: "Deleted peer %{space->} [%{saddr->}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718044") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Deleted peer") }),
  ]),
});
// Message 702301: the whole payload is captured as event_description.
var msg1410 = match({
  id: "MESSAGE#828:702301",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("702301") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 714006: two layouts. The first carries group, peer address and an
// action; the second is the fixed "IKE Initiator sending 3rd QM pkt" text.
// Both keep the numeric message id from the log line in fld1.
var msg1411 = match({
  id: "MESSAGE#986:714006",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{action->}: msg id = %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("714006") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});

var msg1412 = match({
  id: "MESSAGE#987:714006:01",
  dissect: {
    tokenizer: "IKE Initiator sending 3rd QM pkt: msg id = %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup83,
    set_field({ dest: "nwparser.msg_id1", value: constant("714006:01") }),
    dup7, dup14, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("IKE Initiator sending 3rd QM pkt") }),
  ]),
});

var select331 = linear_select([
  msg1411,
  msg1412,
]);
// Message 715066: group, peer address and a free-text description that ends
// with a period (the period is matched but not captured).
var msg1413 = match({
  id: "MESSAGE#1038:715066",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{event_description->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup166,
    set_field({ dest: "nwparser.msg_id1", value: constant("715066") }),
    dup7, dup13, dup38, dup2, dup3, dup4, dup5, dup245,
  ]),
});
// Message 105046: "(<context>) <description>".
var msg1414 = match({
  id: "MESSAGE#55:105046",
  dissect: {
    tokenizer: "(%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup49,
    set_field({ dest: "nwparser.msg_id1", value: constant("105046") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 602104: ICMP Destination Unreachable received; keeps the sender
// address and everything after the comma as info.
var msg1415 = match({
  id: "MESSAGE#709:602104",
  dissect: {
    tokenizer: "%{product->}: Received an ICMP Destination Unreachable from %{saddr->},%{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("602104") }),
    dup7, dup2, dup3, dup4, dup5, dup395,
  ]),
});
// Message 606003: an ASDM logging session started; keeps the session number
// and the originating host.
// NOTE(review): the emitted description is spelled "loggingsession" (no
// space); searches and detections must use that exact spelling unless the
// value is corrected together with its consumers.
var msg1416 = match({
  id: "MESSAGE#742:606003",
  dissect: {
    tokenizer: "ASDM logging session number %{sessionid->} from %{hostip->} started %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup105,
    set_field({ dest: "nwparser.msg_id1", value: constant("606003") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("ASDM loggingsession started") }),
  ]),
});
// Message 611309: VPN client disconnecting from its head end; only the head
// end address is extracted.
var msg1417 = match({
  id: "MESSAGE#765:611309",
  dissect: {
    tokenizer: "VPNClient: Disconnecting from head end and uninstalling previously downloaded policy: Head End : %{hostip->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("611309") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("head end disconnect") }),
  ]),
});
// Message 403102: PPP packet with an invalid protocol; keeps the interface
// name and the reported protocol value.
var msg1418 = match({
  id: "MESSAGE#571:403102",
  dissect: {
    tokenizer: "PPP virtual interface %{interface->} rcvd pkt with invalid protocol: %{protocol->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("403102") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 709001: the whole payload is captured as event_description.
var msg1419 = match({
  id: "MESSAGE#834:709001",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("709001") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 718022: KEEPALIVE request received; the peer address is the
// bracketed value.
var msg1420 = match({
  id: "MESSAGE#1092:718022",
  dissect: {
    tokenizer: "Received KEEPALIVE request from [%{saddr->}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718022") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Received KEEPALIVE request") }),
  ]),
});
// Message 106006 ("Deny <direction> <protocol> from ... to ..."): two layouts,
// with and without the trailing "on interface <name>" clause.
var msg1421 = match({
  id: "MESSAGE#62:106006",
  dissect: {
    tokenizer: "Deny %{direction->} %{protocol->} from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("106006") }),
    dup99, dup102, dup43, dup2, dup3, dup4, dup5, dup27, dup196,
  ]),
});

var msg1422 = match({
  id: "MESSAGE#63:106006:01",
  dissect: {
    tokenizer: "Deny %{direction->} %{protocol->} from %{saddr->}/%{sport->} to %{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("106006:01") }),
    dup99, dup102, dup43, dup14, dup2, dup3, dup4, dup5, dup27, dup196,
  ]),
});

// Longer pattern first; the interface-less form is the fallback.
var select332 = linear_select([
  msg1421,
  msg1422,
]);
// Message 106020 (denied IP teardrop fragment): keeps the reported fragment
// size (fld1) and offset (fld2) along with both addresses, which is what an
// analyst needs to correlate repeated malformed-fragment drops per source.
var msg1423 = match({
  id: "MESSAGE#88:106020",
  dissect: {
    tokenizer: "Deny IP teardrop fragment (size = %{fld1->}, offset = %{fld2->}) from %{saddr->} to %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup113,
    set_field({ dest: "nwparser.msg_id1", value: constant("106020") }),
    dup2, dup3, dup4, dup5, dup27,
    set_field({ dest: "nwparser.event_description", value: constant("denied IP teardrop fragment") }),
  ]),
});
// Message 313001 (denied ICMP): keeps ICMP type and code, the source address
// and the interface. No destination address is present in this layout.
var msg1424 = match({
  id: "MESSAGE#406:313001",
  dissect: {
    tokenizer: "Denied ICMP type=%{icmptype->}, code=%{icmpcode->} from %{saddr->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup359,
    set_field({ dest: "nwparser.msg_id1", value: constant("313001") }),
    dup2, dup3, dup4, dup5, dup259, dup196,
  ]),
});
// Message 400019: signature-style line carrying product, signature id (sigid),
// a free-text context, source/destination address and the interface.
var msg1425 = match({
  id: "MESSAGE#516:400019",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({ dest: "nwparser.msg_id1", value: constant("400019") }),
    dup2, dup3, dup4, dup5, dup27, dup28, dup29, dup30,
  ]),
});
// Message 713236 (IKE_DECODE), parsed in steps after dup44 (defined
// elsewhere): an optional "IP = <addr>" prefix read from p0, the verb
// (SENDING / RECEIVED / RESENDING) read from p1, then the word "Message"
// read from p2.
// NOTE(review): several sub-patterns share an id string ("/2" or "/3"), so the
// id alone does not show which alternative matched.
var msg1426 = match({
  id: "MESSAGE#946:713236/2",
  dissect: {
    tokenizer: "IP = %{saddr->} IKE_DECODE %{p1->}",
    field: "nwparser.p0",
  },
});

var msg1427 = match({
  id: "MESSAGE#946:713236/2",
  dissect: {
    tokenizer: "%{space->} IKE_DECODE %{p1->}",
    field: "nwparser.p0",
  },
});

var select333 = linear_select([
  msg1426,
  msg1427,
]);

var msg1428 = match({
  id: "MESSAGE#946:713236/3",
  dissect: {
    tokenizer: "SENDING%{p2->}",
    field: "nwparser.p1",
  },
});

var msg1429 = match({
  id: "MESSAGE#946:713236/3",
  dissect: {
    tokenizer: "RECEIVED%{p2->}",
    field: "nwparser.p1",
  },
});

var msg1430 = match({
  id: "MESSAGE#946:713236/3",
  dissect: {
    tokenizer: "RESENDING%{p2->}",
    field: "nwparser.p1",
  },
});

var select334 = linear_select([
  msg1428,
  msg1429,
  msg1430,
]);

var msg1431 = match({
  id: "MESSAGE#946:713236/3",
  dissect: {
    tokenizer: "%{->}Message",
    field: "nwparser.p2",
  },
});

// The verb is consumed by select334 but not stored in a named field here.
var all348 = all_match({
  processors: [
    dup44,
    select333,
    select334,
    msg1431,
  ],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("713236") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("IKE_DECODE Message") }),
  ]),
});
// Message 722033 (SVC connection established), parsed in steps: dup181 and
// dup182 first, then the client address with or without a bracketed value
// (fld1), then dup268, then the fixed closing text read from p3.
var msg1432 = match({
  id: "MESSAGE#1169:722033/3",
  dissect: {
    tokenizer: "%{saddr->} (%{fld1->}) > First %{p2->}",
    field: "nwparser.p1",
  },
});

var msg1433 = match({
  id: "MESSAGE#1169:722033/3",
  dissect: {
    tokenizer: "%{saddr->} > First %{p2->}",
    field: "nwparser.p1",
  },
});

// The form with the bracketed value is tried first.
var select335 = linear_select([
  msg1432,
  msg1433,
]);

var msg1434 = match({
  id: "MESSAGE#1169:722033/4",
  dissect: {
    tokenizer: "SVC connection established for SVC session.%{->}",
    field: "nwparser.p3",
  },
});

var all349 = all_match({
  processors: [
    dup181,
    dup182,
    select335,
    dup268,
    msg1434,
  ],
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("722033") }),
    dup7, dup2, dup3, dup4, dup5, dup444,
  ]),
});
// Message 210022: the whole payload is captured as event_description.
var msg1435 = match({
  id: "MESSAGE#251:210022",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup165,
    set_field({ dest: "nwparser.msg_id1", value: constant("210022") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 702212 (rekey): two layouts that differ in which side is local.
// In the initiator form the local address is stored as saddr and the remote
// as daddr; in the responder form the assignment is reversed, so saddr is
// the remote peer. Keep that in mind when querying by source address.
var msg1436 = match({
  id: "MESSAGE#826:702212:01/2",
  dissect: {
    tokenizer: "%{->}rekey (local %{saddr->} (initiator), remote %{daddr->})",
    field: "nwparser.p1",
  },
});

var all350 = all_match({
  processors: [
    dup445,
    dup446,
    msg1436,
  ],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702212:01") }),
    dup7, dup11, dup12, dup13, dup14, dup2, dup3, dup447, dup4, dup5,
  ]),
});

var msg1437 = match({
  id: "MESSAGE#827:702212/2",
  dissect: {
    tokenizer: "%{->}rekey (local %{daddr->} (responder), remote %{saddr->})",
    field: "nwparser.p1",
  },
});

var all351 = all_match({
  processors: [
    dup445,
    dup446,
    msg1437,
  ],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702212") }),
    dup7, dup11, dup12, dup13, dup2, dup3, dup447, dup4, dup5,
  ]),
});

var select336 = linear_select([
  all350,
  all351,
]);
// Message 713049 (security negotiation complete), parsed in steps after dup9
// and dup365: peer address, the group kind, a bracketed value (fld1), the
// role, and finally the inbound/outbound SPI values.
var msg1438 = match({
  id: "MESSAGE#866:713049/2",
  dissect: {
    tokenizer: "%{saddr->}, Security negotiation complete for %{p2->}",
    field: "nwparser.p1",
  },
});

var msg1439 = match({
  id: "MESSAGE#866:713049/4",
  dissect: {
    tokenizer: "LAN-to-LAN Group%{p3->}",
    field: "nwparser.p2",
  },
});

// dup448 (defined elsewhere) is the alternative to the LAN-to-LAN form.
var select337 = linear_select([
  msg1439,
  dup448,
]);

var msg1440 = match({
  id: "MESSAGE#866:713049/4",
  dissect: {
    tokenizer: "%{->}(%{fld1->}) %{p4->}",
    field: "nwparser.p3",
  },
});

// The role word is split: "Initiato" or "Responde" is matched here and the
// final "r" is matched by the next step, so one tail pattern serves both.
var msg1441 = match({
  id: "MESSAGE#866:713049/6",
  dissect: {
    tokenizer: "Initiato%{p5->}",
    field: "nwparser.p4",
  },
});

var msg1442 = match({
  id: "MESSAGE#866:713049/6",
  dissect: {
    tokenizer: "Responde%{p5->}",
    field: "nwparser.p4",
  },
});

var select338 = linear_select([
  msg1441,
  msg1442,
]);

var msg1443 = match({
  id: "MESSAGE#866:713049/6",
  dissect: {
    tokenizer: "r , Inbound SPI = %{src_spi->}, Outbound SPI = %{dst_spi->}",
    field: "nwparser.p5",
  },
});

// The matched role is not stored in a named field by the steps shown here.
var all352 = all_match({
  processors: [
    dup9,
    dup365,
    msg1438,
    select337,
    msg1440,
    select338,
    msg1443,
  ],
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("713049") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Security negotiation complete") }),
  ]),
});
// Message 713092: group, peer address and a free-text description.
var msg1444 = match({
  id: "MESSAGE#881:713092",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("713092") }),
    dup7, dup11, dup12, dup13, dup19, dup2, dup3, dup4, dup5,
  ]),
});
// Message 713127: Xauth was required but the selected proposal does not
// support it; keeps group and peer address, with the trailing text in fld1.
var msg1445 = match({
  id: "MESSAGE#892:713127",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, Xauth required but selected Proposal does not support xauth, %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup51,
    set_field({ dest: "nwparser.msg_id1", value: constant("713127") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Xauth required but selected Proposal does not support xauth") }),
  ]),
});
// Message 718023: KEEPALIVE response received; the peer address is the
// bracketed value.
var msg1446 = match({
  id: "MESSAGE#1093:718023",
  dissect: {
    tokenizer: "Received KEEPALIVE response from [%{saddr->}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718023") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Received KEEPALIVE response") }),
  ]),
});
// Message 750006 ("SA UP"): keeps local and remote address:port, the user
// name and the device-reported reason (result).
var msg1447 = match({
  id: "MESSAGE#1266:750006",
  dissect: {
    tokenizer: "Local:%{saddr->}:%{sport->} Remote:%{daddr->}:%{dport->} Username:%{username->} SA UP. Reason: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("750006") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("SA UP") }),
  ]),
});
// Message 717043: local CA server certificate enrollment information for a
// user; keeps the user name and the info text.
// NOTE(review): this chain runs dup14, dup2, dup3, dup5 but not dup4, unlike
// most neighbouring messages — confirm the omission is intended.
var msg1448 = match({
  id: "MESSAGE#1305:717043",
  dissect: {
    tokenizer: "Local CA Server certificate enrollment related info for user: %{username->}. Info: %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("717043") }),
    dup14, dup2, dup3, dup5,
  ]),
});
// Message 106019: IP packet denied by an access-group; keeps both addresses,
// the protocol, the quoted interface name and the quoted access-group (fld1).
// NOTE(review): the emitted description is spelled "acces-group"; searches and
// detections must use that exact spelling unless the value is corrected
// together with its consumers.
var msg1449 = match({
  id: "MESSAGE#87:106019",
  dissect: {
    tokenizer: "IP packet from %{saddr->} to %{daddr->}, protocol %{protocol->} received from interface \"%{interface->}\" %{space->} deny by access-group \"%{fld1->}\"",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("106019") }),
    dup99, dup102, dup43, dup2, dup3, dup4, dup5, dup27,
    set_field({ dest: "nwparser.event_description", value: constant("denied by acces-group") }),
  ]),
});
// Message 502101: a new user was added to the device's local database. The
// first step strips the fixed prefix; dup215 and dup216 (defined elsewhere)
// parse the remainder held in p0.
// Local account creation is worth alerting on when it does not line up with
// an expected administrative change.
var msg1450 = match({
  id: "MESSAGE#680:502101/0",
  dissect: {
    tokenizer: "New user added to local dbase: Uname: %{p0->}",
    field: "nwparser.payload",
  },
});

// The event category is set inline here rather than through a shared dupN.
var all353 = all_match({
  processors: [
    msg1450,
    dup215,
    dup216,
  ],
  on_success: processor_chain([
    set_field({ dest: "nwparser.eventcategory", value: constant("1402020200") }),
    set_field({ dest: "nwparser.msg_id1", value: constant("502101") }),
    dup17, dup164, dup217, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("New user added to local DB") }),
  ]),
});
// Message 713211: group, peer address and trailing info (no space is expected
// after the comma that follows the address). The description is a constant
// and does not depend on the captured info text.
var msg1451 = match({
  id: "MESSAGE#928:713211",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->},%{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup163,
    set_field({ dest: "nwparser.msg_id1", value: constant("713211") }),
    dup7, dup164, dup38, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Adding static router for peer") }),
  ]),
});
// Message 713900: three layouts, listed in select339 in this order — a
// specific function-name form, a generic "<function>(): <description>" form
// built from shared steps, and a fixed xauth error text.
var msg1452 = match({
  id: "MESSAGE#954:713900:02",
  dissect: {
    tokenizer: "ike_DelOldCentryAndCreateNew(): %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713900:02") }),
    dup7, dup14, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("ike_DelOldCentryAndCreateNew mismatch") }),
  ]),
});

// Here the text before "():" is stored as info and the rest as the description.
var msg1453 = match({
  id: "MESSAGE#955:713900/2",
  dissect: {
    tokenizer: "%{info->}(): %{event_description->}",
    field: "nwparser.p1",
  },
});

var all354 = all_match({
  processors: [
    dup44,
    dup280,
    msg1453,
  ],
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("713900") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});

// NOTE(review): "contruct" in the pattern has to equal the device's literal
// text for this to match; check it against a real sample before changing it.
var msg1454 = match({
  id: "MESSAGE#956:713900:01",
  dissect: {
    tokenizer: "Unable to contruct xauth message, no message%{->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("713900:01") }),
    dup7, dup14, dup2, dup3, dup4, dup5,
  ]),
});

var select339 = linear_select([
  msg1452,
  all354,
  msg1454,
]);
// Message 613002: the whole payload is captured as event_description.
var msg1455 = match({
  id: "MESSAGE#784:613002",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("613002") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 713214: group, peer address and trailing info.
var msg1456 = match({
  id: "MESSAGE#930:713214",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("713214") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 716003 (WebVPN access GRANTED): after dup77 and dup78, keeps the
// client address, the service name and the URL that was accessed.
// NOTE(review): the URL is requested by the remote user, so the url field
// should be handled as untrusted text wherever it is rendered or re-parsed.
var msg1457 = match({
  id: "MESSAGE#1047:716003/2",
  dissect: {
    tokenizer: "%{saddr->}> %{network_service->} access GRANTED: %{url->}",
    field: "nwparser.p1",
  },
});

var all355 = all_match({
  processors: [
    dup77,
    dup78,
    msg1457,
  ],
  on_success: processor_chain([
    dup67,
    set_field({ dest: "nwparser.msg_id1", value: constant("716003") }),
    dup7, dup18, dup17, dup106, dup40, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("WebVPN access GRANTED") }),
  ]),
});
// Message 720024: "(VPN-<context>) <description>".
var msg1458 = match({
  id: "MESSAGE#1120:720024",
  dissect: {
    tokenizer: "(VPN-%{context->}) %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup37,
    set_field({ dest: "nwparser.msg_id1", value: constant("720024") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 702202 ("... sent"): two layouts that differ in which side is
// local. In the initiator form the local address is stored as saddr; in the
// responder form the local address is stored as daddr and the remote peer as
// saddr.
var msg1459 = match({
  id: "MESSAGE#806:702202:01/2",
  dissect: {
    tokenizer: "%{->}sent (local %{saddr->} (initiator), remote %{daddr->})",
    field: "nwparser.p1",
  },
});

var all356 = all_match({
  processors: [
    dup88,
    dup89,
    msg1459,
  ],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702202:01") }),
    dup7, dup14, dup4, dup5, dup2, dup3, dup449,
  ]),
});

var msg1460 = match({
  id: "MESSAGE#807:702202/2",
  dissect: {
    tokenizer: "%{->}sent (local %{daddr->} (responder), remote %{saddr->})",
    field: "nwparser.p1",
  },
});

var all357 = all_match({
  processors: [
    dup88,
    dup89,
    msg1460,
  ],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("702202") }),
    dup7, dup4, dup5, dup2, dup3, dup449,
  ]),
});

var select340 = linear_select([
  all356,
  all357,
]);
// Message 202010 (address pool exhausted). The leading letter is matched
// separately ("P" or "N") so that one tail pattern starting with "AT pool
// exhausted" covers both the PAT and the NAT wording.
var msg1461 = match({
  id: "MESSAGE#1309:202010/1",
  dissect: {
    tokenizer: "P%{p0->}",
    field: "nwparser.payload",
  },
});

var msg1462 = match({
  id: "MESSAGE#1309:202010/1",
  dissect: {
    tokenizer: "N%{p0->}",
    field: "nwparser.payload",
  },
});

var select341 = linear_select([
  msg1461,
  msg1462,
]);

var msg1463 = match({
  id: "MESSAGE#1309:202010/1",
  dissect: {
    tokenizer: "AT pool exhausted. Unable to create %{protocol->} connection from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.p0",
  },
});

// Which letter matched is not stored in a named field. This chain also runs
// without dup4, unlike most neighbouring messages — TODO confirm intended.
var all358 = all_match({
  processors: [
    select341,
    msg1463,
  ],
  on_success: processor_chain([
    dup359,
    set_field({ dest: "nwparser.msg_id1", value: constant("202010") }),
    dup43, dup99, dup102, dup87, dup2, dup3, dup5,
  ]),
});
// Message 400010: signature-style line carrying product, signature id (sigid),
// a free-text context, source/destination address and the interface.
var msg1464 = match({
  id: "MESSAGE#507:400010",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({ dest: "nwparser.msg_id1", value: constant("400010") }),
    dup2, dup3, dup4, dup5, dup27, dup28, dup29, dup30,
  ]),
});
// Message 420003: the IPS asked for a connection to be reset; keeps the
// protocol and both endpoints as interface:address/port.
var msg1465 = match({
  id: "MESSAGE#658:420003",
  dissect: {
    tokenizer: "IPS requested to reset %{protocol->} connection from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("420003") }),
    dup42, dup43, dup19, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("IPS request to reset connection") }),
  ]),
});
// Message 722043 (DTLS disabled), parsed in steps: dup181 and dup182 first,
// then the client address with or without a bracketed value (fld1), then
// dup438 for the text that follows "DTLS disabled:".
var msg1466 = match({
  id: "MESSAGE#1174:722043/3",
  dissect: {
    tokenizer: "%{saddr->} (%{fld1->}) > DTLS disabled: %{p2->}",
    field: "nwparser.p1",
  },
});

var msg1467 = match({
  id: "MESSAGE#1174:722043/3",
  dissect: {
    tokenizer: "%{saddr->} > DTLS disabled: %{p2->}",
    field: "nwparser.p1",
  },
});

// The form with the bracketed value is tried first.
var select342 = linear_select([
  msg1466,
  msg1467,
]);

var all359 = all_match({
  processors: [
    dup181,
    dup182,
    select342,
    dup438,
  ],
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("722043") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("DTLS disabled") }),
  ]),
});
// Message 725011: "<action>[<n>] : <value>"; the value after the colon is
// stored as encryption_type.
var msg1468 = match({
  id: "MESSAGE#1199:725011",
  dissect: {
    tokenizer: "%{action->}[%{fld1->}] : %{encryption_type->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("725011") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 315002: an SSH session to the device was permitted. Keeps the
// client address and interface; the user part is left in p0 for dup238
// (defined elsewhere).
// Administrative SSH logins are a useful baseline for spotting access from
// unexpected source addresses.
var msg1469 = match({
  id: "MESSAGE#414:315002/0",
  dissect: {
    tokenizer: "Permitted SSH session from %{saddr->} on interface %{interface->} for user %{p0->}",
    field: "nwparser.payload",
  },
});

var all360 = all_match({
  processors: [
    msg1469,
    dup238,
  ],
  on_success: processor_chain([
    dup105,
    set_field({ dest: "nwparser.msg_id1", value: constant("315002") }),
    dup17, dup106, dup18, dup40, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Permitted session") }),
  ]),
});
var msg1470 = match({ | |
id: "MESSAGE#979:714001", | |
dissect: { | |
tokenizer: "OBSOLETE DESCRIPTOR - INDEX %{dclass_counter1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("714001"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("OBSOLETE DESCRIPTOR"), | |
}), | |
]), | |
}); | |
// Message 716059 ("AnyConnect session resumed connection").
// Captures group, username, the session's source address (saddr) and the
// address the session resumed from (hostip).
//
// NOTE(review): "\u003c\u003c" decodes to two "<" characters, so each value
// must be preceded by "<<" but is closed by a single ">". If the device
// writes "Group <name>" with one "<", this pattern would never match and
// these VPN events would go unparsed. Confirm against a sample log line and
// the tokenizer's escaping rules.
var msg1471 = match({
  id: "MESSAGE#1061:716059",
  dissect: {
    tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> AnyConnect session resumed connection from IP \u003c\u003c%{hostip->}>",
    field: "nwparser.payload",
  },
  // dupN are shared processors defined outside this section.
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("716059"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("AnyConnect session resumed connection"),
    }),
  ]),
});
var msg1472 = match({ | |
id: "MESSAGE#456:324003", | |
dissect: { | |
tokenizer: "No matching request to process GTPv %{fld2->} %{fld3->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("324003"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("No matching GTP request"), | |
}), | |
]), | |
}); | |
// Message 400021: "<product>:<sigid> <context> from <saddr> to <daddr> on
// interface <dinterface>". The signature id and its text are captured as
// sigid and context, so downstream rules can key on either.
var msg1473 = match({
  id: "MESSAGE#518:400021",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  // dupN are shared processors defined outside this section.
  on_success: processor_chain([
    dup26,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("400021"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});

// Message 400026: same payload layout as 400021. The chain differs only in
// its first shared processor (dup109 here, dup26 above) and the message id.
var msg1474 = match({
  id: "MESSAGE#523:400026",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup109,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("400026"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup28,
    dup29,
    dup30,
  ]),
});
var msg1475 = match({ | |
id: "MESSAGE#605:409003/0", | |
dissect: { | |
tokenizer: "%{->}Receive%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var msg1476 = match({ | |
id: "MESSAGE#605:409003/2", | |
dissect: { | |
tokenizer: "%{->}invalid packet: %{result->} from %{saddr->}, %{interface->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all361 = all_match({ | |
processors: [ | |
msg1475, | |
dup89, | |
msg1476, | |
], | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("409003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 338101, final fragment read from nwparser.p1.
// The pattern starts mid-word ("ilter"); the text before it is presumably
// consumed by dup183/dup184, which are defined outside this section.
// Captures the action, protocol, both endpoints with their translated
// address/port pairs, the resolved source (fld1), the list name (fld2) and
// the matched list entry (web_domain).
var msg1477 = match({
  id: "MESSAGE#479:338101/2",
  dissect: {
    tokenizer: "ilter %{action->} whitelisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), source %{fld1->} resolved from %{fld2->} list:%{web_domain->}",
    field: "nwparser.p1",
  },
});

// Full 338101 parser. The chain sets no event_description, so consumers have
// only msg_id1 and the captured fields to work with.
var all362 = all_match({
  processors: [
    dup183,
    dup184,
    msg1477,
  ],
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("338101"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
var all363 = all_match({ | |
processors: [ | |
dup44, | |
dup266, | |
dup322, | |
dup323, | |
], | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("411004"), | |
}), | |
dup38, | |
dup13, | |
dup39, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1478 = match({ | |
id: "MESSAGE#1081:717033", | |
dissect: { | |
tokenizer: "%{application->} response received.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup83, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("717033"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("application response received"), | |
}), | |
]), | |
}); | |
var msg1479 = match({ | |
id: "MESSAGE#1127:722034", | |
dissect: { | |
tokenizer: "Group %{group->} User %{username->} IP %{saddr->} %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722034"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 109013: catch-all. The whole payload is stored as
// event_description with no further structure, so any address or user name
// in the text stays unparsed and is only searchable as free text.
var msg1480 = match({
  id: "MESSAGE#134:109013",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  // dupN are shared processors defined outside this section.
  on_success: processor_chain([
    dup83,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("109013"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message 716023 ("Session could not be established: session limit ...
// reached"), user fragment read from nwparser.p0. Three spellings of the
// user name are accepted.
//
// Variant 1: name in angle brackets.
// NOTE(review): "\u003c\u003c" is two "<" characters followed by a single
// closing ">"; confirm this is what the device emits (see variant 3).
var msg1481 = match({
  id: "MESSAGE#1051:716023/1",
  dissect: {
    tokenizer: "\u003c\u003c%{username->}> Session could not be established: session limit of maximum_sessions reached",
    field: "nwparser.p0",
  },
});

// Variant 2: name in single quotes.
var msg1482 = match({
  id: "MESSAGE#1051:716023/1",
  dissect: {
    tokenizer: "'%{username->}' Session could not be established: session limit of maximum_sessions reached",
    field: "nwparser.p0",
  },
});

// Variant 3: bare name. This pattern has no leading literal, so input that
// misses variants 1 and 2 because of its delimiters would presumably still
// match here, with the delimiters kept inside username. Verify with samples.
var msg1483 = match({
  id: "MESSAGE#1051:716023/1",
  dissect: {
    tokenizer: "%{username->} Session could not be established: session limit of maximum_sessions reached",
    field: "nwparser.p0",
  },
});

// Most specific variants first, bare form last.
var select343 = linear_select([
  msg1481,
  msg1482,
  msg1483,
]);

// Full 716023 parser: dup77 (defined outside this section) precedes the user
// fragment.
var all364 = all_match({
  processors: [
    dup77,
    select343,
  ],
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("716023"),
    }),
    dup18,
    dup17,
    dup106,
    dup19,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Session could not be established"),
    }),
  ]),
});
var msg1484 = match({ | |
id: "MESSAGE#1065:717004", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup160, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("717004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1485 = match({ | |
id: "MESSAGE#1222:735004", | |
dissect: { | |
tokenizer: "Power Supply %{dclass_counter1->}: Failure Detected", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("735004"), | |
}), | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Power Supply Failure detected"), | |
}), | |
]), | |
}); | |
// Message 106023, "Deny protocol ..." form (no ports).
// Head fragment: protocol, source and destination interface/address; the
// text after "by access-group " continues in p0.
var msg1486 = match({
  id: "MESSAGE#91:106023/0",
  dissect: {
    tokenizer: "Deny protocol %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} by access-group %{p0->}",
    field: "nwparser.payload",
  },
});

// Requires a literal backslash at the start of p0 (the JS string "\\" is a
// single backslash).
var msg1487 = match({
  id: "MESSAGE#91:106023/2",
  dissect: {
    tokenizer: "\\%{p1->}",
    field: "nwparser.p0",
  },
});

// Single alternative: there is no fallback for an access-group name that is
// not preceded by a backslash, so all365 below only covers payloads where
// the quotes around the name arrive backslash-escaped.
var select344 = linear_select([
  msg1487,
]);

// Opening quote, then the access-group name as rule_group.
var msg1488 = match({
  id: "MESSAGE#91:106023/2",
  dissect: {
    tokenizer: "\" %{rule_group->} %{p2->}",
    field: "nwparser.p1",
  },
});

// Tail of the name: either another backslash ...
var msg1489 = match({
  id: "MESSAGE#91:106023/4",
  dissect: {
    tokenizer: "\\%{p3->}",
    field: "nwparser.p2",
  },
});

// ... or a skipped token followed by a space.
var msg1490 = match({
  id: "MESSAGE#91:106023/4",
  dissect: {
    tokenizer: "%{->} %{p3->}",
    field: "nwparser.p2",
  },
});

var select345 = linear_select([
  msg1489,
  msg1490,
]);

// Closing quote; whatever follows is matched but not stored.
var msg1491 = match({
  id: "MESSAGE#91:106023/4",
  dissect: {
    tokenizer: "\" %{->}",
    field: "nwparser.p3",
  },
});

// Full parser for this 106023 form. dupN are shared processors defined
// outside this section.
var all365 = all_match({
  processors: [
    msg1486,
    select344,
    msg1488,
    select345,
    msg1491,
  ],
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("106023"),
    }),
    dup99,
    dup102,
    dup43,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup275,
  ]),
});
// Message 106023:01, "Deny <protocol> src <if>:<addr>/<port>..." form with
// optional names in parentheses after the ports.
// Head fragment: protocol, source interface and address; the source port and
// everything after it continue in p0.
var msg1492 = match({
  id: "MESSAGE#92:106023:01/0",
  dissect: {
    tokenizer: "Deny %{protocol->} src %{sinterface->}:%{saddr->}/%{p0->}",
    field: "nwparser.payload",
  },
});

// Source port followed by a parenthesised value stored as domain.
var msg1493 = match({
  id: "MESSAGE#92:106023:01/2",
  dissect: {
    tokenizer: "%{sport->}(%{domain->}) dst %{p1->}",
    field: "nwparser.p0",
  },
});

// dup276 and dup277 are further source-port alternatives defined outside
// this section.
var select346 = linear_select([
  dup276,
  msg1493,
  dup277,
]);

// Destination interface and address; the port continues in p2.
var msg1494 = match({
  id: "MESSAGE#92:106023:01/2",
  dissect: {
    tokenizer: "%{dinterface->}:%{daddr->}/%{p2->}",
    field: "nwparser.p1",
  },
});

// Destination port with a parenthesised host name (dhost) ...
var msg1495 = match({
  id: "MESSAGE#92:106023:01/4",
  dissect: {
    tokenizer: "%{dport->}(%{dhost->}) by access-group \"%{p3->}",
    field: "nwparser.p2",
  },
});

// ... or without one. Both require an opening double quote before the
// access-group name.
var msg1496 = match({
  id: "MESSAGE#92:106023:01/4",
  dissect: {
    tokenizer: "%{dport->} by access-group \"%{p3->}",
    field: "nwparser.p2",
  },
});

var select347 = linear_select([
  msg1495,
  msg1496,
]);

// Access-group name up to the closing quote, stored as rule_group.
var msg1497 = match({
  id: "MESSAGE#92:106023:01/4",
  dissect: {
    tokenizer: "%{rule_group->}\"",
    field: "nwparser.p3",
  },
});

// Full parser for this 106023 form. dupN are shared processors defined
// outside this section.
var all366 = all_match({
  processors: [
    msg1492,
    select346,
    msg1494,
    select347,
    msg1497,
  ],
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("106023:01"),
    }),
    dup99,
    dup102,
    dup43,
    dup14,
    dup2,
    dup35,
    dup4,
    dup5,
    dup27,
    dup275,
  ]),
});
// Message 106023:04, "Deny <protocol> src .../<sport> dst .../<dport>" form
// where the destination port may carry a user identity.
// Head fragment: protocol and both endpoints up to the destination port.
var msg1498 = match({
  id: "MESSAGE#93:106023:04/0",
  dissect: {
    tokenizer: "Deny %{protocol->} src %{sinterface->}:%{saddr->}/%{sport->} dst %{dinterface->}:%{daddr->}/%{p0->}",
    field: "nwparser.payload",
  },
});

// Destination port followed by "(domain\username)".
var msg1499 = match({
  id: "MESSAGE#93:106023:04/2",
  dissect: {
    tokenizer: "%{dport->}(%{domain->}\\%{username->}) by access-group %{p1->}",
    field: "nwparser.p0",
  },
});

// Destination port followed by any other parenthesised value (fld2).
var msg1500 = match({
  id: "MESSAGE#93:106023:04/2",
  dissect: {
    tokenizer: "%{dport->}(%{fld2->}) by access-group %{p1->}",
    field: "nwparser.p0",
  },
});

// Destination port alone.
var msg1501 = match({
  id: "MESSAGE#93:106023:04/2",
  dissect: {
    tokenizer: "%{dport->} by access-group %{p1->}",
    field: "nwparser.p0",
  },
});

// Most specific form first, so a "domain\username" pair is split into its
// own fields before the generic parenthesised form is tried.
// NOTE(review): assumes linear_select stops at the first match; confirm.
var select348 = linear_select([
  msg1499,
  msg1500,
  msg1501,
]);

// Access-group name: quoted with trailing text (fld1) ...
var msg1502 = match({
  id: "MESSAGE#93:106023:04/2",
  dissect: {
    tokenizer: "%{->}\"%{rule_group->}\" %{fld1->}",
    field: "nwparser.p1",
  },
});

// ... quoted with nothing after it ...
var msg1503 = match({
  id: "MESSAGE#93:106023:04/2",
  dissect: {
    tokenizer: "\"%{rule_group->}\"",
    field: "nwparser.p1",
  },
});

// ... or the whole remainder taken as the name.
var msg1504 = match({
  id: "MESSAGE#93:106023:04/2",
  dissect: {
    tokenizer: "%{rule_group->}",
    field: "nwparser.p1",
  },
});

// The unanchored msg1504 is last; if it were tried earlier it would
// presumably keep the quotes and trailing text inside rule_group.
var select349 = linear_select([
  msg1502,
  msg1503,
  msg1504,
]);

// Full parser for this 106023 form. dupN are shared processors defined
// outside this section.
var all367 = all_match({
  processors: [
    msg1498,
    select348,
    select349,
  ],
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("106023:04"),
    }),
    dup99,
    dup102,
    dup43,
    dup14,
    dup2,
    dup35,
    dup4,
    dup5,
    dup27,
    dup275,
  ]),
});
// Message 106023:02, ICMP form: endpoints without ports, followed by
// "(type <icmptype>, code <icmpcode>)". The access-group part continues in
// p0 and is handled by dup274, defined outside this section.
var msg1505 = match({
  id: "MESSAGE#94:106023:02/0",
  dissect: {
    tokenizer: "Deny %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} (type %{icmptype->}, code %{icmpcode->}) by access-group %{p0->}",
    field: "nwparser.payload",
  },
});

var all368 = all_match({
  processors: [
    msg1505,
    dup274,
  ],
  on_success: processor_chain([
    dup180,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("106023:02"),
    }),
    dup99,
    dup102,
    dup43,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    dup27,
    dup275,
  ]),
});

// All four 106023 ("Deny ... by access-group") forms, in this order.
// NOTE(review): no catch-all alternative is listed here, so a 106023 payload
// that fits none of the four forms presumably leaves this select unmatched.
// Check how the caller handles that, since these are the ACL deny events.
var select350 = linear_select([
  all365,
  all366,
  all367,
  all368,
]);
var msg1506 = match({ | |
id: "MESSAGE#500:400003", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
var msg1507 = match({ | |
id: "MESSAGE#1089:718015", | |
dissect: { | |
tokenizer: "Received HELLO request from [%{saddr->}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("718015"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Received HELLO request"), | |
}), | |
]), | |
}); | |
var msg1508 = match({ | |
id: "MESSAGE#1130:720037", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720037"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 746012 ("Add IP-User mapping"), success form.
// Captures the application, the mapped address (saddr) and the user as
// domain and username, split on the backslash. The literal tail
// "Succeeded - VPN user" must be present.
var msg1509 = match({
  id: "MESSAGE#1257:746012",
  dissect: {
    tokenizer: "%{application->}: Add IP-User mapping %{saddr->} - %{domain->}\\%{username->} Succeeded - VPN user",
    field: "nwparser.payload",
  },
  // dupN are shared processors defined outside this section.
  on_success: processor_chain([
    dup63,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("746012"),
    }),
    dup17,
    dup106,
    dup40,
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("VPN user logon"),
    }),
    dup144,
  ]),
});

// Message 746012:01: same prefix, but whatever follows the user name is
// stored as event_description instead of being matched literally. The chain
// is the same as above minus the fixed "VPN user logon" description.
var msg1510 = match({
  id: "MESSAGE#1258:746012:01",
  dissect: {
    tokenizer: "%{application->}: Add IP-User mapping %{saddr->} - %{domain->}\\%{username->} %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup63,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("746012:01"),
    }),
    dup17,
    dup106,
    dup40,
    dup4,
    dup5,
    dup2,
    dup3,
    dup144,
  ]),
});

// The literal success form is listed before the generic one. The generic
// pattern also fits a success line, so swapping the order would presumably
// stop events from being labelled "VPN user logon".
var select351 = linear_select([
  msg1509,
  msg1510,
]);
var msg1511 = match({ | |
id: "MESSAGE#387:321005", | |
dissect: { | |
tokenizer: "System CPU utilization reached %{fld1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup420, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("321005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1512 = match({ | |
id: "MESSAGE#509:400012", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400012"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
var msg1513 = match({ | |
id: "MESSAGE#646:415013", | |
dissect: { | |
tokenizer: "%{sigid->} HTTP Transfer encoding violation detected - %{listnum->} %{protocol->} Transfer encoding not allowed from %{saddr->} to %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup206, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("415013"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.context", | |
value: constant("HTTP Transfer encoding violation detected"), | |
}), | |
]), | |
}); | |
var msg1514 = match({ | |
id: "MESSAGE#647:415014", | |
dissect: { | |
tokenizer: "%{sigid->} Maximum of 10 unanswered HTTP requests exceeded from %{saddr->} to %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup206, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("415014"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.context", | |
value: constant("Maximum of 10 unanswered HTTP requests exceeded"), | |
}), | |
]), | |
}); | |
var msg1515 = match({ | |
id: "MESSAGE#675:500002", | |
dissect: { | |
tokenizer: "Java content modified src %{saddr->} dest %{daddr->} on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup24, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("500002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 109016, "Downloaded authorization access-list ... not found" form.
// Captures the access-list name as listnum; the user part continues in p0
// and is handled by dup238, defined outside this section.
var msg1516 = match({
  id: "MESSAGE#139:109016/0",
  dissect: {
    tokenizer: "Downloaded authorization access-list %{listnum->} not found for user %{p0->}",
    field: "nwparser.payload",
  },
});

var all369 = all_match({
  processors: [
    msg1516,
    dup238,
  ],
  on_success: processor_chain([
    dup86,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("109016"),
    }),
    dup65,
    dup87,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.result",
      value: constant("access-list not found"),
    }),
  ]),
});

// Message 109016:01, "Can't find authorization ACL" form: the ACL name and
// the interface are both single-quoted in the payload.
var msg1517 = match({
  id: "MESSAGE#140:109016:01/0",
  dissect: {
    tokenizer: "Can't find authorization ACL '%{listnum->}' on '%{interface->}' for user %{p0->}",
    field: "nwparser.payload",
  },
});

// Same chain as all369 plus dup14, with a different fixed result string.
var all370 = all_match({
  processors: [
    msg1517,
    dup238,
  ],
  on_success: processor_chain([
    dup86,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("109016:01"),
    }),
    dup65,
    dup87,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    set_field({
      dest: "nwparser.result",
      value: constant("authorization list not found for user"),
    }),
  ]),
});

// Both 109016 wordings; the two forms set different nwparser.result strings,
// so a query for this condition should key on msg_id1 rather than result.
var select352 = linear_select([
  all369,
  all370,
]);
var msg1518 = match({ | |
id: "MESSAGE#344:302304", | |
dissect: { | |
tokenizer: "Teardown %{protocol->} state-bypass connection %{connectionid->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} duration %{duration->} bytes %{bytes->} %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302304"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Teardown state-bypass connection"), | |
}), | |
]), | |
}); | |
var msg1519 = match({ | |
id: "MESSAGE#448:322004", | |
dissect: { | |
tokenizer: "No management IP address configured for transparent firewall. %{result->} from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("322004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("No management IP address configured for transparent firewall"), | |
}), | |
]), | |
}); | |
var msg1520 = match({ | |
id: "MESSAGE#468:336010", | |
dissect: { | |
tokenizer: "%{group->}: %{fld1->} Neighbor %{saddr->} (%{interface->}) is %{event_state->}: %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup375, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("336010"), | |
}), | |
dup376, | |
dup38, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Neighbor state change"), | |
}), | |
]), | |
}); | |
var msg1521 = match({ | |
id: "MESSAGE#212:199907", | |
dissect: { | |
tokenizer: "IP detected an attached application using port %{network_port->} while removing context", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("199907"), | |
}), | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("IP detected an attached application using port"), | |
}), | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1522 = match({ | |
id: "MESSAGE#733:605001", | |
dissect: { | |
tokenizer: "HTTP daemon interface %{interface->}: connection denied from %{hostip->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup84, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("605001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1523 = match({ | |
id: "MESSAGE#1281:713224", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, Static Crypto Map Check by-passed: %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup6, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713224"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup8, | |
]), | |
}); | |
// Message 108003, "Bad Checksum in <service> command" form.
var msg1524 = match({
  id: "MESSAGE#114:108003",
  dissect: {
    tokenizer: "Bad Checksum in %{network_service->} command",
    field: "nwparser.payload",
  },
  // dupN are shared processors defined outside this section.
  on_success: processor_chain([
    dup256,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("108003"),
    }),
    dup2,
    dup3,
    set_field({
      dest: "nwparser.result",
      value: constant("Bad Checksum"),
    }),
    dup4,
    dup5,
  ]),
});

// Message 108003:01, "malicious pattern detected" form.
// Head fragment: the service, the word before "mail address" (stored in a
// field named "space"), and both endpoints. The text after the full stop
// continues in p0.
var msg1525 = match({
  id: "MESSAGE#115:108003:01/0",
  dissect: {
    tokenizer: "Terminating %{network_service->} connection; malicious pattern detected in the %{space->} mail address from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}. %{p0->}",
    field: "nwparser.payload",
  },
});

// The trailer is labelled either "Mail Address" ...
var msg1526 = match({
  id: "MESSAGE#115:108003:01/2",
  dissect: {
    tokenizer: "Mail Address%{p1->}",
    field: "nwparser.p0",
  },
});

// ... or "Data".
var msg1527 = match({
  id: "MESSAGE#115:108003:01/2",
  dissect: {
    tokenizer: "Data%{p1->}",
    field: "nwparser.p0",
  },
});

var select353 = linear_select([
  msg1526,
  msg1527,
]);

// Text after the colon is stored as result. It is taken from the message
// that triggered the detection, so consumers should treat it as untrusted.
var msg1528 = match({
  id: "MESSAGE#115:108003:01/2",
  dissect: {
    tokenizer: "%{->}:%{result->}",
    field: "nwparser.p1",
  },
});

// Full 108003:01 parser.
var all371 = all_match({
  processors: [
    msg1525,
    select353,
    msg1528,
  ],
  on_success: processor_chain([
    dup256,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("108003:01"),
    }),
    set_field({
      dest: "nwparser.ec_subject",
      value: constant("EmailAddress"),
    }),
    dup99,
    dup320,
    dup14,
    dup2,
    dup3,
    dup4,
    dup5,
    // NOTE(review): nwparser.event_description is set twice in a row. If
    // set_field overwrites, "Connection terminated" is lost and only the
    // second value survives; one of the two may have been meant for another
    // field. Confirm the intent before relying on either string.
    set_field({
      dest: "nwparser.event_description",
      value: constant("Connection terminated"),
    }),
    set_field({
      dest: "nwparser.event_description",
      value: constant("Malicious pattern detected in mail address"),
    }),
  ]),
});

// Both 108003 forms.
var select354 = linear_select([
  msg1524,
  all371,
]);
var msg1529 = match({ | |
id: "MESSAGE#557:402106", | |
dissect: { | |
tokenizer: "Rec'd packet not an IPSEC packet %{space->} (ip) dest_addr= %{daddr->}, src_addr= %{saddr->}, prot= %{protocol->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("402106"), | |
}), | |
dup7, | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup409, | |
]), | |
}); | |
var msg1530 = match({ | |
id: "MESSAGE#1118:720020", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720020"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1531 = match({ | |
id: "MESSAGE#288:302009:01/0", | |
dissect: { | |
tokenizer: "Rebuilt %{protocol->} connection %{connectionid->} for f%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var all372 = all_match({ | |
processors: [ | |
msg1531, | |
dup450, | |
dup451, | |
dup452, | |
dup453, | |
dup454, | |
dup455, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302009:01"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup456, | |
]), | |
}); | |
var msg1532 = match({ | |
id: "MESSAGE#289:302009/0", | |
dissect: { | |
tokenizer: "Rebuild connection for f%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var all373 = all_match({ | |
processors: [ | |
msg1532, | |
dup450, | |
dup451, | |
dup452, | |
dup453, | |
dup454, | |
dup455, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302009"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup456, | |
]), | |
}); | |
var select355 = linear_select([ | |
all372, | |
all373, | |
]); | |
var msg1533 = match({ | |
id: "MESSAGE#613:409011", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("409011"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1534 = match({ | |
id: "MESSAGE#1091:718021", | |
dissect: { | |
tokenizer: "Sent KEEPALIVE response to [%{daddr->}]", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("718021"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Sent KEEPALIVE response"), | |
}), | |
]), | |
}); | |
var msg1535 = match({ | |
id: "MESSAGE#334:302022", | |
dissect: { | |
tokenizer: "Built IP protocol %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->} (%{stransaddr->}) to %{dinterface->}:%{daddr->} (%{dtransaddr->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302022"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup193, | |
]), | |
}); | |
var msg1536 = match({ | |
id: "MESSAGE#335:302022:01/2", | |
dissect: { | |
tokenizer: "%{->}stub %{protocol->} connection for %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->})", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all374 = all_match({ | |
processors: [ | |
dup307, | |
dup443, | |
msg1536, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302022:01"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup193, | |
]), | |
}); | |
var select356 = linear_select([ | |
msg1535, | |
all374, | |
]); | |
var msg1537 = match({ | |
id: "MESSAGE#845:710004", | |
dissect: { | |
tokenizer: "%{protocol->} connection limit exceeded from %{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{service->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("710004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("connection limit exceeded"), | |
}), | |
]), | |
}); | |
// Message 722047 ("Tunnel terminated").
// Captures group, username and source address; the text after
// "Tunnel terminated: " is stored as result.
//
// NOTE(review): "\u003c\u003c" decodes to two "<" characters, so each value
// must be preceded by "<<" but is closed by a single ">". If the device
// writes "Group <name>" with one "<", this pattern would never match and
// tunnel terminations would go unparsed. Confirm against a sample log line
// and the tokenizer's escaping rules.
var msg1538 = match({
  id: "MESSAGE#1175:722047",
  dissect: {
    tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> Tunnel terminated: %{result->}",
    field: "nwparser.payload",
  },
  // dupN are shared processors defined outside this section.
  on_success: processor_chain([
    dup34,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("722047"),
    }),
    dup4,
    dup5,
    dup2,
    dup3,
    set_field({
      dest: "nwparser.event_description",
      value: constant("Tunnel terminated"),
    }),
  ]),
});
var msg1539 = match({ | |
id: "MESSAGE#852:713014", | |
dissect: { | |
tokenizer: "IP = %{daddr->}, %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713014"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var msg1540 = match({ | |
id: "MESSAGE#1271:752002", | |
dissect: { | |
tokenizer: "Tunnel Manager Removed entry. %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("752002"), | |
}), | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Tunnel Manager Removed entry"), | |
}), | |
]), | |
}); | |
// Message 212006 ("Dropping ... request ... because: <reason>").
// Captures the protocol, the requester's address and port, the destination
// interface/address/port, and the stated reason as result.
var msg1541 = match({
  id: "MESSAGE#259:212006",
  dissect: {
    tokenizer: "Dropping %{protocol->} request from %{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->} because: %{result->}",
    field: "nwparser.payload",
  },
  // dupN are shared processors defined outside this section.
  on_success: processor_chain([
    dup51,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("212006"),
    }),
    dup2,
    dup3,
    dup4,
    dup5,
    // The description is fixed to "SNMP" regardless of what the pattern
    // captured in %{protocol}; use the protocol field for the actual value.
    set_field({
      dest: "nwparser.event_description",
      value: constant("Dropping SNMP request"),
    }),
  ]),
});
// Message 338008, final fragment read from nwparser.p1.
// The pattern starts mid-word ("ilter"); the text before it is presumably
// consumed by dup183/dup184, which are defined outside this section.
// Captures the protocol, both endpoints with their translated address/port
// pairs, the resolved destination (fld1), the list name (fld2), the matched
// list entry and mask (fld3/mask), the threat level as severity and the
// category as result.
var msg1542 = match({
  id: "MESSAGE#478:338008/2",
  dissect: {
    tokenizer: "ilter dropped blacklisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), destination %{fld1->} resolved from %{fld2->} list:%{fld3->}/%{mask->} threat-level: %{severity->}, category: %{result->}",
    field: "nwparser.p1",
  },
});

// Full 338008 parser. The chain sets no event_description or action, so the
// "dropped blacklisted" meaning is carried only by msg_id1; alerting on this
// event should key on that id together with severity and result.
var all375 = all_match({
  processors: [
    dup183,
    dup184,
    msg1542,
  ],
  on_success: processor_chain([
    dup21,
    set_field({
      dest: "nwparser.msg_id1",
      value: constant("338008"),
    }),
    dup42,
    dup43,
    dup40,
    dup2,
    dup3,
    dup4,
    dup5,
  ]),
});
// Message 338305: failure to download the dynamic filter data file.
// The only field extracted is the updater server, stored as `url`.
// No event_description is set in this chain.
var msg1543 = match({ | |
id: "MESSAGE#491:338305", | |
dissect: { | |
tokenizer: "Failed to download dynamic filter data file from updater server %{url->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup338, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338305"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 606002, final fragment (reads nwparser.p1): captures the management
// session number as `sessionid` and the peer as `hostip`.
// The pattern begins with "DM session", so the product prefix is presumably
// matched by dup426 in all376; confirm against its definition.
var msg1544 = match({ | |
id: "MESSAGE#741:606002/2", | |
dissect: { | |
tokenizer: "DM session number %{sessionid->} from %{hostip->} ended", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Full 606002 matcher: shared prefix parts followed by msg1544.
// On success stamps msg_id1 = "606002" and a fixed event_description.
// NOTE(review): the admin client address lands in `hostip`, not `saddr`,
// unless one of the shared dup steps copies it; verify before querying by
// source address.
var all376 = all_match({ | |
processors: [ | |
dup44, | |
dup426, | |
msg1544, | |
], | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("606002"), | |
}), | |
dup43, | |
dup137, | |
dup102, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("PDM/ASDM session ended"), | |
}), | |
]), | |
}); | |
// Message 302004, two layouts combined by select358 at the end of this group:
//   all377 -> source given as address/port, stamped msg_id1 = "302004"
//   all378 -> source given as address only, stamped msg_id1 = "302004:01"
// The fragments read intermediate fields (p3, p5, p6) that earlier parts of
// the same all_match are expected to fill; those earlier parts (dup114,
// dup115, dup457, dup458, dup454, dup455) are defined elsewhere in this file.

// Fragment with source port. The pattern ends on a literal "l" before the
// remainder goes to p4; presumably the start of a keyword that dup454
// continues. Confirm against dup454.
var msg1545 = match({ | |
id: "MESSAGE#278:302004/4", | |
dissect: { | |
tokenizer: "%{->} %{saddr->}/%{sport->} to l%{p4->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var all377 = all_match({ | |
processors: [ | |
dup114, | |
dup115, | |
dup457, | |
dup458, | |
msg1545, | |
dup454, | |
dup455, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302004"), | |
}), | |
dup42, | |
dup43, | |
dup3, | |
dup40, | |
dup4, | |
dup5, | |
dup116, | |
]), | |
}); | |
// Same fragment without a source port.
var msg1546 = match({ | |
id: "MESSAGE#279:302004:01/4", | |
dissect: { | |
tokenizer: "%{->} %{saddr->} to l%{p4->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
// Drops the leading token of p5 and passes the rest on as p6.
var msg1547 = match({ | |
id: "MESSAGE#279:302004:01/6", | |
dissect: { | |
tokenizer: "%{->} %{p6->}", | |
field: "nwparser.p5", | |
}, | |
}); | |
// Destination with port ...
var msg1548 = match({ | |
id: "MESSAGE#279:302004:01/7", | |
dissect: { | |
tokenizer: "%{daddr->}/%{dport->} ", | |
field: "nwparser.p6", | |
}, | |
}); | |
// ... or destination address only. Both alternatives carry the same id string.
var msg1549 = match({ | |
id: "MESSAGE#279:302004:01/7", | |
dissect: { | |
tokenizer: "%{daddr->} ", | |
field: "nwparser.p6", | |
}, | |
}); | |
// The address/port form is listed first, so it is presumably tried before
// the address-only form.
var select357 = linear_select([ | |
msg1548, | |
msg1549, | |
]); | |
var all378 = all_match({ | |
processors: [ | |
dup114, | |
dup115, | |
dup457, | |
dup458, | |
msg1546, | |
dup454, | |
msg1547, | |
select357, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302004:01"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup14, | |
dup3, | |
dup4, | |
dup5, | |
dup116, | |
]), | |
}); | |
// Entry point for 302004: the layout with a source port is listed first.
var select358 = linear_select([ | |
all377, | |
all378, | |
]); | |
// Message 506001: catch-all. The whole payload is stored as event_description;
// no addresses, users or other structured fields are extracted, so any
// downstream filtering on this ID has to work on free text.
var msg1550 = match({ | |
id: "MESSAGE#701:506001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup165, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("506001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 716038 (successful authentication), assembled in all379 at the end
// of this group. Each fragment reads the intermediate field left by the
// previous one (p0 -> p1 -> p2 ... p8). Several fragments share the same id
// string; the ids are as generated.
// In the tokenizers, \u003c is the JavaScript escape for "<".
// NOTE(review): groups and users are delimited as "<<name>" (two opening,
// one closing bracket); this may be an escaping artefact of the generator,
// so confirm against a sample log line.

// Opening words, variant 1: "Authentication: successful, group =" comes first.
var msg1551 = match({ | |
id: "MESSAGE#1052:716038/2", | |
dissect: { | |
tokenizer: "Authentication: successful, group =%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Opening words, variant 2: line starts with "Group".
var msg1552 = match({ | |
id: "MESSAGE#1052:716038/2", | |
dissect: { | |
tokenizer: "Group%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select359 = linear_select([ | |
msg1551, | |
msg1552, | |
]); | |
// Captures the group name.
var msg1553 = match({ | |
id: "MESSAGE#1052:716038/2", | |
dissect: { | |
tokenizer: "%{->}\u003c\u003c%{group->}> %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Lower-case "user =" label; the other alternative (dup448) is defined
// elsewhere in this file.
var msg1554 = match({ | |
id: "MESSAGE#1052:716038/4", | |
dissect: { | |
tokenizer: "user =%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select360 = linear_select([ | |
dup448, | |
msg1554, | |
]); | |
// Username in angle brackets ...
var msg1555 = match({ | |
id: "MESSAGE#1052:716038/6", | |
dissect: { | |
tokenizer: "\u003c\u003c%{username->}> IP %{p5->}", | |
field: "nwparser.p4", | |
}, | |
}); | |
// ... in single quotes ...
var msg1556 = match({ | |
id: "MESSAGE#1052:716038/6", | |
dissect: { | |
tokenizer: "'%{username->}' IP %{p5->}", | |
field: "nwparser.p4", | |
}, | |
}); | |
// ... or bare. This last form accepts any text before " IP ", so it must stay
// last in select361 or it would shadow the delimited forms.
var msg1557 = match({ | |
id: "MESSAGE#1052:716038/6", | |
dissect: { | |
tokenizer: "%{username->} IP %{p5->}", | |
field: "nwparser.p4", | |
}, | |
}); | |
// NOTE(review): `username` is text supplied at login; treat it as untrusted
// wherever it is rendered or interpolated downstream.
var select361 = linear_select([ | |
msg1555, | |
msg1556, | |
msg1557, | |
]); | |
// Client address.
var msg1558 = match({ | |
id: "MESSAGE#1052:716038/7", | |
dissect: { | |
tokenizer: "= \u003c\u003c%{saddr->}> %{p7->}", | |
field: "nwparser.p6", | |
}, | |
}); | |
// Literal "Authentication: successful" after the address.
var msg1559 = match({ | |
id: "MESSAGE#1052:716038/9", | |
dissect: { | |
tokenizer: "%{space->}Authentication: successful%{p8->}", | |
field: "nwparser.p7", | |
}, | |
}); | |
// Single-alternative select, kept as generated.
var select362 = linear_select([ | |
msg1559, | |
]); | |
// Trailing session type, stored as `network_service`.
var msg1560 = match({ | |
id: "MESSAGE#1052:716038/9", | |
dissect: { | |
tokenizer: ", Session Type : %{network_service->}", | |
field: "nwparser.p8", | |
}, | |
}); | |
// Full 716038 matcher. msg1560 is a plain member of the list, so a line
// without ", Session Type : ..." presumably fails this matcher as a whole;
// confirm how all_match treats a failing part.
var all379 = all_match({ | |
processors: [ | |
dup44, | |
select359, | |
msg1553, | |
select360, | |
dup120, | |
select361, | |
dup254, | |
msg1558, | |
select362, | |
msg1560, | |
], | |
on_success: processor_chain([ | |
dup63, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("716038"), | |
}), | |
dup18, | |
dup17, | |
dup99, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 725006 (failed SSL handshake), two layouts selected by select363.

// Layout with both endpoints: interface, client address/port and
// destination address/port. Stamped msg_id1 = "725006:01".
var msg1561 = match({ | |
id: "MESSAGE#1191:725006:01", | |
dissect: { | |
tokenizer: "Device failed SSL handshake with client %{interface->}:%{saddr->}/%{sport->} to %{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup459, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725006:01"), | |
}), | |
dup2, | |
dup3, | |
dup460, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Layout with a single peer. NOTE(review): the peer is stored as
// hostip/network_port rather than saddr/sport, so a query on saddr alone
// will miss these events unless a shared step copies the value; verify.
var msg1562 = match({ | |
id: "MESSAGE#1192:725006", | |
dissect: { | |
tokenizer: "Device failed SSL handshake with %{interface->}:%{hostip->}/%{network_port->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup459, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725006"), | |
}), | |
dup2, | |
dup3, | |
dup460, | |
dup4, | |
dup5, | |
]), | |
}); | |
// The more specific "with client ..." form is listed first.
var select363 = linear_select([ | |
msg1561, | |
msg1562, | |
]); | |
// Message 106011 ("Deny ... (No xlate)"), four layouts chosen by select364.
// All four stamp a distinct msg_id1 so the layout that matched is visible
// downstream.

// Layout with the literal word "protocol" and addresses only (no ports).
var msg1563 = match({ | |
id: "MESSAGE#72:106011", | |
dissect: { | |
tokenizer: "Deny %{direction->} (No xlate) protocol %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106011"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
]), | |
}); | |
// Layout with source and destination ports.
var msg1564 = match({ | |
id: "MESSAGE#73:106011:01", | |
dissect: { | |
tokenizer: "Deny %{direction->} (No xlate) %{protocol->} src %{sinterface->}:%{saddr->}/%{sport->} dst %{dinterface->}:%{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106011:01"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
]), | |
}); | |
// Layout with "(type N, code M)" instead of ports; stored as icmptype/icmpcode.
var msg1565 = match({ | |
id: "MESSAGE#74:106011:02", | |
dissect: { | |
tokenizer: "Deny %{direction->} (No xlate) %{protocol->} src %{sinterface->}:%{saddr->} dst %{dinterface->}:%{daddr->} (type %{icmptype->}, code %{icmpcode->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106011:02"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
]), | |
}); | |
// Fallback: only the direction is captured. NOTE(review): events that land
// here ("106011:03") carry no addresses or protocol, and the chain omits the
// dup27/dup196 steps the other layouts run; a rise in this variant means
// deny events are reaching the index without endpoint fields.
var msg1566 = match({ | |
id: "MESSAGE#75:106011:03", | |
dissect: { | |
tokenizer: "Deny %{direction->} (No xlate)", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106011:03"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Most specific layouts first, bare fallback last.
var select364 = linear_select([ | |
msg1563, | |
msg1564, | |
msg1565, | |
msg1566, | |
]); | |
// Message 413002: module reload failure. Slot goes to fld1, the module error
// to fld2 and the remainder to `data`. The literals "slot" and "is not able"
// have no surrounding spaces in the pattern, as generated.
var msg1567 = match({ | |
id: "MESSAGE#628:413002", | |
dissect: { | |
tokenizer: "Module in slot%{fld1->}is not able to reload.%{space->}Module Error:%{fld2->} %{data->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("413002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 717022: certificate validated successfully. Captures the text
// before "serial number:" as `result`, plus serial_number and cert_subject.
// NOTE(review): cert_subject comes from the presented certificate, so its
// content is chosen by the peer; treat it as untrusted text downstream.
var msg1568 = match({ | |
id: "MESSAGE#1073:717022", | |
dissect: { | |
tokenizer: "Certificate was successfully validated. %{result->} serial number: %{serial_number->}, subject name: %{cert_subject->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup292, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("717022"), | |
}), | |
dup293, | |
dup38, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Certificate successfully validated"), | |
}), | |
]), | |
}); | |
// Message 199004: configuration cleared. NOTE(review): what was cleared and
// where the command came from are stored only in the generic fld1/fld2
// fields; check whether a later stage maps them before building an audit
// rule on this event.
var msg1569 = match({ | |
id: "MESSAGE#205:199004", | |
dissect: { | |
tokenizer: "PIX clear config %{fld1->} from %{fld2->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("199004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("clear config"), | |
}), | |
]), | |
}); | |
// Message 402125: crypto component timeout. The component name is captured
// as `product` and the parenthesised detail as `info`.
// NOTE(review): event_description is a fixed string naming the Ipsec ring,
// whatever component the message actually reported; use `product` for the
// real value.
var msg1570 = match({ | |
id: "MESSAGE#566:402125", | |
dissect: { | |
tokenizer: "CRYPTO: The %{product->} timed out (%{info->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup355, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("402125"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("hardware accelerator Ipsec ring timed out"), | |
}), | |
]), | |
}); | |
// Message 710005: request to the device discarded. Captures protocol, source
// address/port and destination interface/address.
// NOTE(review): the value after the final "/" is stored as `service`, not
// `dport`, and this chain runs dup35 where neighbouring chains run dup3;
// confirm both against the shared definitions before querying by port.
var msg1571 = match({ | |
id: "MESSAGE#846:710005", | |
dissect: { | |
tokenizer: "%{protocol->} request discarded from %{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{service->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("710005"), | |
}), | |
dup42, | |
dup43, | |
dup99, | |
dup2, | |
dup35, | |
dup4, | |
dup5, | |
dup27, | |
dup271, | |
]), | |
}); | |
// Message 713048 (error processing an IKE payload), assembled in all380.
// Both alternatives read nwparser.p0 and pass the payload id onwards as p1.

// With a "Group = ..." prefix.
var msg1572 = match({ | |
id: "MESSAGE#865:713048/2", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->} , Error processing payload: Payload ID: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Without the group prefix.
var msg1573 = match({ | |
id: "MESSAGE#865:713048/2", | |
dissect: { | |
tokenizer: "IP = %{saddr->} , Error processing payload: Payload ID: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select365 = linear_select([ | |
msg1572, | |
msg1573, | |
]); | |
// dup44 and dup316 (first and last parts) are defined elsewhere in this file.
var all380 = all_match({ | |
processors: [ | |
dup44, | |
select365, | |
dup316, | |
], | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713048"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Error processing payload"), | |
}), | |
]), | |
}); | |
// Message 302018: GRE connection teardown. Captures connection id, both
// interfaces and addresses, the value after the destination "/" as `dport`,
// plus duration and byte count.
// The message carries no protocol token, so the chain sets
// nwparser.protocol to the constant "GRE" as its last step.
var msg1574 = match({ | |
id: "MESSAGE#323:302018", | |
dissect: { | |
tokenizer: "Teardown GRE connection %{connectionid->} from %{sinterface->}:%{saddr->} to %{dinterface->}:%{daddr->}/%{dport->} duration %{duration->} bytes %{bytes->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup34, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("302018"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup149, | |
set_field({ | |
dest: "nwparser.protocol", | |
value: constant("GRE"), | |
}), | |
]), | |
}); | |
// Message 611310: VPN client XAUTH success. Only the peer address is
// captured (`saddr`); the message pattern contains no username.
var msg1575 = match({ | |
id: "MESSAGE#766:611310", | |
dissect: { | |
tokenizer: "VPNClient: XAUTH Succeeded: Peer: %{saddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup63, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611310"), | |
}), | |
dup7, | |
dup18, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("XAUTH Succeeded"), | |
}), | |
]), | |
}); | |
// Message 726001: inspected instant-messaging session. Captures the IM
// client, both user ids, the packet flow endpoints, the action taken and the
// matched class (stored as event_description).
// NOTE(review): the pattern expects ":/" between interface and address
// ("%{sinterface->}:/%{saddr->}"); a log line using a plain ":" would not
// match this pattern. Confirm against a sample line.
var msg1576 = match({ | |
id: "MESSAGE#1205:726001", | |
dissect: { | |
tokenizer: "Inspected %{im_client->} %{info->} Session between Client %{im_userid->} and %{im_buddyid->} Packet flow from %{sinterface->}:/%{saddr->}/%{sport->} to %{dinterface->}:/%{daddr->}/%{dport->} Action: %{action->} Matched Class %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("726001"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 720002: "(VPN-<context>) <text>". The unit label is stored as
// `context` and the rest of the payload as free-text event_description.
var msg1577 = match({ | |
id: "MESSAGE#1111:720002", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720002"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 722020 (no address available for an SVC connection), assembled in
// all381. \u003c is the JavaScript escape for "<".

// Head of the message: tunnel group -> group_object, group policy -> group,
// remainder after "User" -> p0.
var msg1578 = match({ | |
id: "MESSAGE#1159:722020/0", | |
dissect: { | |
tokenizer: "TunnelGroup \u003c\u003c %{group_object->} > GroupPolicy \u003c\u003c %{group->} > User %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Tail with a parenthesised second value after the address (kept in fld2).
var msg1579 = match({ | |
id: "MESSAGE#1159:722020/2", | |
dissect: { | |
tokenizer: "%{saddr->} (%{fld2->}) > No address available for SVC connection", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Tail with the address only.
var msg1580 = match({ | |
id: "MESSAGE#1159:722020/2", | |
dissect: { | |
tokenizer: "%{saddr->} > No address available for SVC connection", | |
field: "nwparser.p1", | |
}, | |
}); | |
var select366 = linear_select([ | |
msg1579, | |
msg1580, | |
]); | |
// dup182 sits between head and tail and is presumably what turns p0 into p1
// (the user part); it is defined elsewhere in this file.
var all381 = all_match({ | |
processors: [ | |
msg1578, | |
dup182, | |
select366, | |
], | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("722020"), | |
}), | |
dup7, | |
dup4, | |
dup5, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("No address available for SVC connection"), | |
}), | |
]), | |
}); | |
// Message 400038: signature-style event in the form
// "<product>:<sigid> <text> from <src> to <dst> on interface <if>".
// The signature text is stored as `context`. The same pattern is reused for
// other 4000xx ids in this file; only the first shared step (dup52 here) and
// msg_id1 differ.
var msg1581 = match({ | |
id: "MESSAGE#535:400038", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup52, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400038"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
// Message 607001: pre-allocation of a SIP secondary channel. Captures source
// interface/address/port, destination interface/address (no destination
// port in this pattern) and the triggering SIP message type as `info`.
var msg1582 = match({ | |
id: "MESSAGE#744:607001", | |
dissect: { | |
tokenizer: "Pre-allocate SIP %{fld1->} secondary channel for %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->} from %{info->} message", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("607001"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 611301: VPN client NAT configured for client mode without split
// tunneling. The NAT address is stored as `stransaddr`. The %{space->} token
// sits between "no split" and "tunneling", presumably to absorb variable
// whitespace in the original message.
var msg1583 = match({ | |
id: "MESSAGE#757:611301", | |
dissect: { | |
tokenizer: "VPNClient: NAT configured for Client Mode with no split %{space->} tunneling: NAT addr: %{stransaddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup126, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611301"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup127, | |
]), | |
}); | |
// Message 611307: VPN client head-end address, stored as `hostip`.
var msg1584 = match({ | |
id: "MESSAGE#763:611307", | |
dissect: { | |
tokenizer: "VPNClient: Head end : %{hostip->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup82, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("611307"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 720048: "(VPN-<context>) <description>: <info>". Splits on the
// first ": " after the unit label; the text before it becomes
// event_description and the text after it `info`.
var msg1585 = match({ | |
id: "MESSAGE#1139:720048", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}: %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720048"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 746002: "<application>: <text>", with the text kept as free-form
// event_description.
// NOTE(review): this chain runs only dup20, the msg_id1 stamp and dup3; the
// dup2/dup4/dup5 steps that neighbouring chains run are absent here, so
// whatever fields those steps populate will be missing on 746002 events.
var msg1586 = match({ | |
id: "MESSAGE#1255:746002", | |
dissect: { | |
tokenizer: "%{application->}: %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("746002"), | |
}), | |
dup3, | |
]), | |
}); | |
// Message 108002: SMTP content replaced by inspection. The value after "out"
// is stored as `saddr`, the value after "in" as `daddr`, and the replaced
// data as `info`.
// NOTE(review): `info` holds content taken from the mail session; treat it
// as untrusted text downstream.
var msg1587 = match({ | |
id: "MESSAGE#113:108002", | |
dissect: { | |
tokenizer: "SMTP replaced %{fld1->}: out %{saddr->} in %{daddr->} data: %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup256, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("108002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 202003: translation could not be built for an address. The
// address is stored as `saddr`; the trailing "." is part of the literal
// pattern and is not captured.
var msg1588 = match({ | |
id: "MESSAGE#231:202003", | |
dissect: { | |
tokenizer: "Could not build translation for %{saddr->}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("202003"), | |
}), | |
dup42, | |
dup43, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 400041: signature-style event in the form
// "<product>:<sigid> <text> from <src> to <dst> on interface <if>".
// Same pattern as the other 4000xx ids in this file; the first shared step
// (dup74) and the msg_id1 stamp are what distinguish it.
var msg1589 = match({ | |
id: "MESSAGE#538:400041", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup74, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400041"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
// Message 612002 (Auto Update failed), assembled in all382 from three parts:
// fixed head -> name (quoted or bare) -> version and reason.

// Head: everything after "Auto Update failed: " goes to p0.
var msg1590 = match({ | |
id: "MESSAGE#781:612002/0", | |
dissect: { | |
tokenizer: "Auto Update failed: %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Name in single quotes. NOTE(review): the value is stored as `username`,
// which may not be an account name for this message; verify before using it
// in user-centric analytics.
var msg1591 = match({ | |
id: "MESSAGE#781:612002/2", | |
dissect: { | |
tokenizer: "'%{username->}' , version:%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Same, without quotes.
var msg1592 = match({ | |
id: "MESSAGE#781:612002/2", | |
dissect: { | |
tokenizer: "%{username->} , version:%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Quoted form first so the quotes are stripped when present.
var select367 = linear_select([ | |
msg1591, | |
msg1592, | |
]); | |
// Tail: version and failure reason (`result`).
var msg1593 = match({ | |
id: "MESSAGE#781:612002/2", | |
dissect: { | |
tokenizer: "%{version->}, reason:%{result->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all382 = all_match({ | |
processors: [ | |
msg1590, | |
select367, | |
msg1593, | |
], | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("612002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 318001: catch-all. The entire payload becomes event_description;
// no structured fields are extracted for this id.
var msg1594 = match({ | |
id: "MESSAGE#428:318001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup50, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("318001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 717009 (certificate event with serial, subject and issuer).
// Structured form: leading text -> event_description, then serial_number,
// cert_subject and issuer (`dn`).
// NOTE(review): subject and issuer are taken from the presented certificate
// and are therefore peer-controlled text.
var msg1595 = match({ | |
id: "MESSAGE#1070:717009/0", | |
dissect: { | |
tokenizer: "%{event_description->} serial number: %{serial_number->}, subject name: %{cert_subject->}, issuer name: %{dn->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Falls back to dup141 (defined elsewhere) when the structured form does not
// match; in that case the certificate fields above are presumably not set.
var select368 = linear_select([ | |
msg1595, | |
dup141, | |
]); | |
var all383 = all_match({ | |
processors: [ | |
select368, | |
], | |
on_success: processor_chain([ | |
dup160, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("717009"), | |
}), | |
dup11, | |
dup293, | |
dup19, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 720036: "(VPN-<context>) <text>". Unit label -> `context`, rest of
// the payload -> free-text event_description.
var msg1596 = match({ | |
id: "MESSAGE#1129:720036", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720036"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 421004: failure to inject a TCP packet. Captures source and
// destination address/port and sets a fixed event_description.
var msg1597 = match({ | |
id: "MESSAGE#662:421004", | |
dissect: { | |
tokenizer: "Failed to inject TCP packet from %{saddr->}/%{sport->} to %{daddr->}/%{dport->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("421004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("failed to inject TCP packet"), | |
}), | |
]), | |
}); | |
// Message 604102: catch-all. The entire payload becomes event_description;
// no structured fields are extracted for this id.
var msg1598 = match({ | |
id: "MESSAGE#730:604102", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("604102"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 713076, assembled in all384 from a prefix and a body.

// Prefix with group, username and peer address.
var msg1599 = match({ | |
id: "MESSAGE#880:713076/1", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->} , %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Prefix without a username. Note the delimiter after the address is ", "
// here and " , " in the form above.
var msg1600 = match({ | |
id: "MESSAGE#880:713076/1", | |
dissect: { | |
tokenizer: "%{->}Group = %{group->}, IP = %{saddr->}, %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var select369 = linear_select([ | |
msg1599, | |
msg1600, | |
]); | |
// Body of the form "<text> from <fld1> to <fld2> kbs"; the two values stay
// in generic fields.
var msg1601 = match({ | |
id: "MESSAGE#880:713076/1", | |
dissect: { | |
tokenizer: "%{event_description->} from %{fld1->} to %{fld2->} kbs ", | |
field: "nwparser.p0", | |
}, | |
}); | |
// dup304 (defined elsewhere) is the fallback body.
var select370 = linear_select([ | |
msg1601, | |
dup304, | |
]); | |
var all384 = all_match({ | |
processors: [ | |
select369, | |
select370, | |
], | |
on_success: processor_chain([ | |
dup244, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713076"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 716041: URL access-list permit hit. Captures the list number
// (`listnum`), the URL and the hit count (`dclass_counter1`); `result` is
// set to a fixed string after dup203 runs.
// NOTE(review): `url` is requested by the remote user and should be treated
// as untrusted text when displayed or used in lookups.
var msg1602 = match({ | |
id: "MESSAGE#1055:716041", | |
dissect: { | |
tokenizer: "access-list %{listnum->} permit url %{url->} hit-cnt %{dclass_counter1->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("716041"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup203, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("access-list permit url"), | |
}), | |
]), | |
}); | |
// Message 405001 (ARP entry conflict). Structured form captures the
// offending IP/MAC as saddr/smacaddr and the existing entry as fld1/fld2.
// NOTE(review): the pattern contains the literal "on interface inside", so
// the same event seen on any other interface name will not match here and
// falls through to dup141, presumably without saddr/smacaddr. Detections
// for ARP conflicts that key on those fields only cover an interface
// literally named "inside".
var msg1603 = match({ | |
id: "MESSAGE#588:405001/0", | |
dissect: { | |
tokenizer: "%{event_description->} from %{saddr->}/%{smacaddr->} on interface inside with existing ARP entry %{fld1->}/%{fld2->} ", | |
field: "nwparser.payload", | |
}, | |
}); | |
var select371 = linear_select([ | |
msg1603, | |
dup141, | |
]); | |
var all385 = all_match({ | |
processors: [ | |
select371, | |
], | |
on_success: processor_chain([ | |
dup76, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("405001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 617002 (removal of a v1 PDP context), two layouts combined by
// select373 at the end of this group:
//   all386  -> "Removing v1 primary|secondary PDP Context ...", msg_id1 "617002"
//   msg1608 -> "Removing v1 PDP Context ...",                    msg_id1 "617002:01"
// TID, GGSN and SGSN values stay in generic fld1..fld3; the reason is stored
// as event_description.

// Head shared by the primary/secondary layout.
var msg1604 = match({ | |
id: "MESSAGE#793:617002/0", | |
dissect: { | |
tokenizer: "Removing v1 %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// "prim" + "ary ..." (see msg1607) spells "primary".
var msg1605 = match({ | |
id: "MESSAGE#793:617002/2", | |
dissect: { | |
tokenizer: "prim%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// "second" + "ary ..." spells "secondary".
var msg1606 = match({ | |
id: "MESSAGE#793:617002/2", | |
dissect: { | |
tokenizer: "second%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select372 = linear_select([ | |
msg1605, | |
msg1606, | |
]); | |
// Common tail starting at the shared "ary" suffix. Which of the two words
// matched is not recorded in any field.
var msg1607 = match({ | |
id: "MESSAGE#793:617002/2", | |
dissect: { | |
tokenizer: "ary PDP Context with TID %{fld1->} from GGSN %{fld2->} and SGSN %{fld3->}, Reason: %{event_description->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var all386 = all_match({ | |
processors: [ | |
msg1604, | |
select372, | |
msg1607, | |
], | |
on_success: processor_chain([ | |
dup157, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("617002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Layout without the primary/secondary word.
var msg1608 = match({ | |
id: "MESSAGE#794:617002:01", | |
dissect: { | |
tokenizer: "Removing v1 PDP Context with TID %{fld1->} from GGSN %{fld2->} and SGSN %{fld3->}, Reason: %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup157, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("617002:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var select373 = linear_select([ | |
all386, | |
msg1608, | |
]); | |
// Message 713128, two layouts selected by select374.

// Structured layout: group and peer address, remainder as event_description.
var msg1609 = match({ | |
id: "MESSAGE#893:713128", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713128"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup461, | |
]), | |
}); | |
// Catch-all layout: the whole payload becomes event_description and the
// event is stamped "713128:01". NOTE(review): its first shared step is
// dup94, where the structured layout uses dup21, so the two layouts of the
// same message may be tagged differently; confirm what dup21 and dup94 set.
var msg1610 = match({ | |
id: "MESSAGE#894:713128:01", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup94, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713128:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup461, | |
]), | |
}); | |
// Structured layout first, catch-all last.
var select374 = linear_select([ | |
msg1609, | |
msg1610, | |
]); | |
// Message 216005: duplex mismatch causing a transmitter lockup. The leading
// token is stored as `severity`, the interface as `service`, and the
// trailing text as `result`.
// NOTE(review): the fixed event_description begins with a space character;
// exact-match queries on that field need to include it.
var msg1611 = match({ | |
id: "MESSAGE#268:216005", | |
dissect: { | |
tokenizer: "%{severity->}: Duplex-mismatch on %{service->} resulted in transmitter lockup. %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("216005"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant(" Duplex-mismatch resulted in transmitter lockup."), | |
}), | |
]), | |
}); | |
// Message 400025: signature-style event in the form
// "<product>:<sigid> <text> from <src> to <dst> on interface <if>".
// Same pattern as the other 4000xx ids in this file; the first shared step
// (dup26) and the msg_id1 stamp are what distinguish it.
var msg1612 = match({ | |
id: "MESSAGE#522:400025", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400025"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
// Message 400031: signature-style event in the form
// "<product>:<sigid> <text> from <src> to <dst> on interface <if>".
// Same pattern as the other 4000xx ids in this file; the first shared step
// (dup113) and the msg_id1 stamp are what distinguish it.
var msg1613 = match({ | |
id: "MESSAGE#528:400031", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup113, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400031"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
// Message 403106: a PPP virtual interface needs RADIUS for MPPE. Only the
// interface name is captured.
var msg1614 = match({ | |
id: "MESSAGE#574:403106", | |
dissect: { | |
tokenizer: "PPP virtual interface %{interface->} requires RADIUS for MPPE", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("403106"), | |
}), | |
dup38, | |
dup39, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 105045 (failover mate license incompatible), assembled in all387:
//   head -> keyword -> middle -> keyword -> closing ")."
// Only `context`, fld1 (mate value) and fld2 (local value) are captured; the
// keyword alternatives exist to accept the spelling variants and do not
// record which one matched.

// Head: unit label and the first value inside "Mate license (".
var msg1615 = match({ | |
id: "MESSAGE#54:105045/0", | |
dissect: { | |
tokenizer: "(%{context->}) Mate license (%{fld1->} %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// First keyword: "Contexts", "contexts" or "Enabled".
var msg1616 = match({ | |
id: "MESSAGE#54:105045/2", | |
dissect: { | |
tokenizer: "Contexts%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg1617 = match({ | |
id: "MESSAGE#54:105045/2", | |
dissect: { | |
tokenizer: "contexts%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var msg1618 = match({ | |
id: "MESSAGE#54:105045/2", | |
dissect: { | |
tokenizer: "Enabled%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var select375 = linear_select([ | |
msg1616, | |
msg1617, | |
msg1618, | |
]); | |
// Middle: fixed text and the first value inside "my license (".
var msg1619 = match({ | |
id: "MESSAGE#54:105045/2", | |
dissect: { | |
tokenizer: "%{->}) is not compatible with my license (%{fld2->} %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Second keyword: "Contexts", "contexts" or "Disabled".
var msg1620 = match({ | |
id: "MESSAGE#54:105045/4", | |
dissect: { | |
tokenizer: "Contexts%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg1621 = match({ | |
id: "MESSAGE#54:105045/4", | |
dissect: { | |
tokenizer: "contexts%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var msg1622 = match({ | |
id: "MESSAGE#54:105045/4", | |
dissect: { | |
tokenizer: "Disabled%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var select376 = linear_select([ | |
msg1620, | |
msg1621, | |
msg1622, | |
]); | |
// Closing ")." of the message.
var msg1623 = match({ | |
id: "MESSAGE#54:105045/4", | |
dissect: { | |
tokenizer: "%{->}).", | |
field: "nwparser.p3", | |
}, | |
}); | |
var all387 = all_match({ | |
processors: [ | |
msg1615, | |
select375, | |
msg1619, | |
select376, | |
msg1623, | |
], | |
on_success: processor_chain([ | |
dup161, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105045"), | |
}), | |
dup38, | |
dup39, | |
dup87, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Mate license is not compatible"), | |
}), | |
]), | |
}); | |
// Message 715033: processing of a CONNECTED notify. Captures group and peer
// address; the message id in parentheses is kept in generic fld1.
var msg1624 = match({ | |
id: "MESSAGE#1005:715033", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, Processing CONNECTED notify (MsgId %{fld1->})", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup83, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715033"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup245, | |
]), | |
}); | |
// Message 505014: application on a module went down. Captures the product,
// the slot (fld1), the double-quoted application name and trailing `info`.
// The \" sequences in the tokenizer are escaped quote characters that must
// appear literally in the log line.
var msg1625 = match({ | |
id: "MESSAGE#699:505014", | |
dissect: { | |
tokenizer: "%{product->} Module in slot %{fld1->}, application down \"%{application->}\", %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("505014"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 713072 (password too long for a user), assembled in all388.
// Tail fragment, read from nwparser.p1: peer address, the user in
// parentheses, and trailing `info`.
// NOTE(review): the user name is captured into generic fld1, not `username`.
// Unless a shared step copies it, identity-based detections (for example,
// failed-credential counts per account) will not see the account on these
// events.
var msg1626 = match({ | |
id: "MESSAGE#875:713072/2", | |
dissect: { | |
tokenizer: "%{saddr->}, Password for user (%{fld1->}) too long, %{info->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Unlike most chains in this file, eventcategory and ec_theme are set
// inline here rather than through shared dup steps.
// NOTE(review): the fixed event_description is "Password for user " with a
// trailing space and without the "too long" part; it reads as truncated, so
// confirm the intended wording.
var all388 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
msg1626, | |
], | |
on_success: processor_chain([ | |
set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1402040101"), | |
}), | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713072"), | |
}), | |
dup7, | |
dup17, | |
set_field({ | |
dest: "nwparser.ec_theme", | |
value: constant("Password"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Password for user "), | |
}), | |
]), | |
}); | |
// Message 713199: built entirely from shared parts (dup44, dup47, dup48)
// defined elsewhere in this file, so the pattern and captured fields are not
// visible here. On success stamps msg_id1 = "713199".
var all389 = all_match({ | |
processors: [ | |
dup44, | |
dup47, | |
dup48, | |
], | |
on_success: processor_chain([ | |
dup50, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713199"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 720038 (VPN failover): captures the context after "VPN-", a free
// text event_description and the function/line pair (fld1, fld2).
var msg1627 = match({
  id: "MESSAGE#1131:720038",
  dissect: {
    tokenizer: "(VPN-%{context->}) %{event_description->} (function=%{fld1->}, line=%{fld2->}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("720038") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 101005: the parenthesised prefix becomes context, the remainder of
// the payload becomes event_description.
var msg1628 = match({
  id: "MESSAGE#4:101005",
  dissect: {
    tokenizer: "(%{context->})%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup49,
    set_field({ dest: "nwparser.msg_id1", value: constant("101005") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 113001 (AAA session limit), parsed in three stages that hand the
// remaining text along: payload -> p0 -> p1.
// Stage 1: fixed prefix, remainder into p0.
var msg1629 = match({
  id: "MESSAGE#177:113001:01/0",
  dissect: {
    tokenizer: "Unable to open AAA session. Session limit %{p0->}",
    field: "nwparser.payload",
  },
});

// Stage 2: first word of p0 goes to fld1, remainder into p1.
var msg1630 = match({
  id: "MESSAGE#177:113001:01/2",
  dissect: {
    tokenizer: "%{fld1->} %{p1->}",
    field: "nwparser.p0",
  },
});

// Single-alternative selector wrapping stage 2.
var select377 = linear_select([msg1630]);

// Stage 3: p1 must start with "reached. "; whatever follows is discarded.
// NOTE(review): this stage reuses the id of msg1630 - if ids are surfaced in
// debugging or metrics the two stages cannot be told apart; confirm.
var msg1631 = match({
  id: "MESSAGE#177:113001:01/2",
  dissect: {
    tokenizer: "reached. %{->}",
    field: "nwparser.p1",
  },
});

// Structured variant: all three stages (presumably each must match, in
// order), then a fixed description is written.
var all390 = all_match({
  processors: [msg1629, select377, msg1631],
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("113001:01") }),
    dup14,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Session limit reached") }),
  ]),
});

// Catch-all variant: the whole payload becomes event_description.
var msg1632 = match({
  id: "MESSAGE#178:113001",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("113001") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// Alternatives for 113001, structured form listed before the catch-all
// (presumably tried in that order).
var select378 = linear_select([all390, msg1632]);
// Message 303003 (FTP command denied, connection terminated): captures the
// denied command as action plus source and destination
// interface/address/port, and records the fixed result "command denied".
var msg1633 = match({
  id: "MESSAGE#348:303003",
  dissect: {
    tokenizer: "FTP %{action->} command denied, terminating connection from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("303003") }),
    dup42, dup43, dup19,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("command denied") }),
  ]),
});
// Message 403101 (XGRE packet received before the PPTP session was
// established): captures tunnel_id (fld1) and session_id (sessionid).
var msg1634 = match({
  id: "MESSAGE#570:403101",
  dissect: {
    tokenizer: "PPTP session state not established, but received an XGRE packet, tunnel_id=%{fld1->}, session_id=%{sessionid->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("403101") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 742004 (master key for password encryption failed to sync): the
// device-supplied reason is kept in result, and a fixed description is set.
var msg1635 = match({
  id: "MESSAGE#1253:742004",
  dissect: {
    tokenizer: "failed to sync master key for password encryption, reason=%{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("742004") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("failed to sync master key for password encryption") }),
  ]),
});
// Message 713147: captures group, username, saddr, then the next two
// comma-separated pieces as result and info.
var msg1636 = match({
  id: "MESSAGE#908:713147",
  dissect: {
    tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{result->}, %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713147") }),
    dup7, dup2, dup3, dup4, dup5,
    dup428,
  ]),
});
// Message 713229: captures group and saddr, keeps the rest of the line as
// info, and writes a fixed event_description.
var msg1637 = match({
  id: "MESSAGE#941:713229",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713229") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Notification to client of update string") }),
  ]),
});
// Message 321003 (resource log level reached): resource name and level are
// kept in the generic fld1 / fld2 fields.
var msg1638 = match({
  id: "MESSAGE#443:321003",
  dissect: {
    tokenizer: "Resource %{fld1->} log level of %{fld2->} reached.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("321003") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 400032: "<product>:<sigid> <context> from <saddr> to <daddr> on
// interface <dinterface>". Shares its layout with the other 4000xx patterns
// in this file; only the leading shared step and msg_id1 differ.
var msg1639 = match({
  id: "MESSAGE#529:400032",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup113,
    set_field({ dest: "nwparser.msg_id1", value: constant("400032") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// Message 617003 (GTP tunnel created): captures both endpoints as
// interface:address/port and writes a fixed event_description.
var msg1640 = match({
  id: "MESSAGE#795:617003",
  dissect: {
    tokenizer: "GTP Tunnel created from %{sinterface->}:%{saddr->}/%{sport->} to %{dinterface->}:%{daddr->}/%{dport->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup82,
    set_field({ dest: "nwparser.msg_id1", value: constant("617003") }),
    dup42, dup43, dup40,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("GTP tunnel created") }),
  ]),
});
// Message 713137, staged form. Final stage: reads saddr, action and a
// bracketed value (fld1) from nwparser.p1.
var msg1641 = match({
  id: "MESSAGE#903:713137/2",
  dissect: {
    tokenizer: "%{saddr->}, %{action->} [%{fld1->}]",
    field: "nwparser.p1",
  },
});

// Staged 713137 pipeline; dup22 and dup23 (defined elsewhere) run before
// msg1641 and are expected to fill nwparser.p1.
var all391 = all_match({
  processors: [dup22, dup23, msg1641],
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("713137") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});

// Single-pass 713137 variant ending in "-- deleting SA!": captures group,
// saddr, action, refCnt (fld1) and tunnelCnt (fld2).
var msg1642 = match({
  id: "MESSAGE#904:713137:01",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, %{action->} refCnt [%{fld1->}] and tunnelCnt [%{fld2->}] -- deleting SA!",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("713137:01") }),
    dup7,
    dup14,
    dup2, dup3, dup4, dup5,
  ]),
});

// Alternatives for 713137 (presumably tried in the listed order).
var select379 = linear_select([all391, msg1642]);
// Message 702203, two variants that differ only in role. Initiator variant:
// the local address is stored as saddr and the remote one as daddr.
var msg1643 = match({
  id: "MESSAGE#808:702203:01/2",
  dissect: {
    tokenizer: "%{->}out (local %{saddr->} (initiator), remote %{daddr->})",
    field: "nwparser.p1",
  },
});

// Initiator pipeline; dup462 and dup89 (defined elsewhere) run first.
var all392 = all_match({
  processors: [dup462, dup89, msg1643],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("702203:01") }),
    dup7,
    dup14,
    dup4, dup5, dup2, dup3,
    dup463,
  ]),
});

// Responder variant: the mapping is swapped - the local address is stored as
// daddr and the remote one as saddr.
var msg1644 = match({
  id: "MESSAGE#809:702203/2",
  dissect: {
    tokenizer: "%{->}out (local %{daddr->} (responder), remote %{saddr->})",
    field: "nwparser.p1",
  },
});

// Responder pipeline, same shared stages as the initiator one.
var all393 = all_match({
  processors: [dup462, dup89, msg1644],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("702203") }),
    dup7,
    dup4, dup5, dup2, dup3,
    dup463,
  ]),
});

// Alternatives for 702203: initiator listed before responder.
var select380 = linear_select([all392, all393]);
// Message 752016 (IKE tunnel set up successfully), parsed as
// payload -> p0 -> p1.
// Stage 1: literal "IKEv", remainder into p0.
var msg1645 = match({
  id: "MESSAGE#1277:752016/0",
  dissect: {
    tokenizer: "IKEv%{p0->}",
    field: "nwparser.payload",
  },
});

// Stage 2, alternative A: version digit "1", remainder into p1.
var msg1646 = match({
  id: "MESSAGE#1277:752016/2",
  dissect: {
    tokenizer: "1%{p1->}",
    field: "nwparser.p0",
  },
});

// Stage 2, alternative B: version digit "2", remainder into p1.
// The digit is matched as a literal and is not stored in any field.
var msg1647 = match({
  id: "MESSAGE#1277:752016/2",
  dissect: {
    tokenizer: "2%{p1->}",
    field: "nwparser.p0",
  },
});

// Version alternatives for stage 2.
var select381 = linear_select([msg1646, msg1647]);

// Stage 3: success text, with map tag (fld1) and sequence number (fld2).
// NOTE(review): msg1646, msg1647 and msg1648 all carry the same id string -
// confirm this is harmless wherever ids are reported.
var msg1648 = match({
  id: "MESSAGE#1277:752016/2",
  dissect: {
    tokenizer: "%{->}was successful at setting up a tunnel. Map Tag = %{fld1->}. Map Sequence Number = %{fld2->}.",
    field: "nwparser.p1",
  },
});

// Full 752016 pipeline.
var all394 = all_match({
  processors: [msg1645, select381, msg1648],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("752016") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 105004 (interface monitoring back to normal): captures the
// parenthesised context and the interface name.
var msg1649 = match({
  id: "MESSAGE#29:105004",
  dissect: {
    tokenizer: "(%{context->}) Monitoring on interface %{interface->} normal",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("105004") }),
    dup2, dup3, dup4, dup5,
    dup464,
  ]),
});
// Message 308001 (console enable password incorrect). The middle stage eats
// an optional platform prefix together with the leading "c" of "console",
// which is why the final pattern starts at "onsole".
// Prefix alternative: "FWSM c".
var msg1650 = match({
  id: "MESSAGE#396:308001/2",
  dissect: {
    tokenizer: "FWSM c%{p1->}",
    field: "nwparser.p0",
  },
});

// Prefix alternative: "PIX c".
var msg1651 = match({
  id: "MESSAGE#396:308001/2",
  dissect: {
    tokenizer: "PIX c%{p1->}",
    field: "nwparser.p0",
  },
});

// Prefix alternatives; dup344 is defined elsewhere (presumably the
// no-prefix case - confirm).
var select382 = linear_select([msg1650, msg1651, dup344]);

// Final stage: number of failed tries (fld1) and the address they came from
// (hostip). These two fields are what a repeated-failure alert on the enable
// password would key on.
var msg1652 = match({
  id: "MESSAGE#396:308001/2",
  dissect: {
    tokenizer: "onsole enable password incorrect for %{fld1->} tries (from %{hostip->})",
    field: "nwparser.p1",
  },
});

// Full 308001 pipeline; writes a fixed event_description on success.
var all395 = all_match({
  processors: [dup44, select382, msg1652],
  on_success: processor_chain([
    dup84,
    set_field({ dest: "nwparser.msg_id1", value: constant("308001") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("enable password incorrect - multiple tries") }),
  ]),
});
// Message 318003: no structure is extracted; the whole payload becomes
// event_description.
var msg1653 = match({
  id: "MESSAGE#430:318003",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup50,
    set_field({ dest: "nwparser.msg_id1", value: constant("318003") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 323006 (module data channel DOWN). Variant with an explicit
// product name and slot (fld1).
var msg1654 = match({
  id: "MESSAGE#452:323006/0",
  dissect: {
    tokenizer: "%{product->} Module in slot %{fld1->} experienced a data channel communication failure, data channel is DOWN",
    field: "nwparser.payload",
  },
});

// Variant for the "Module ips" wording; no fields are captured.
var msg1655 = match({
  id: "MESSAGE#452:323006/0",
  dissect: {
    tokenizer: "Module ips experienced a data channel communication failure, data channel is DOWN%{->}",
    field: "nwparser.payload",
  },
});

// The two wordings of 323006.
var select383 = linear_select([msg1654, msg1655]);

// 323006 pipeline: either wording, then a fixed result string.
var all396 = all_match({
  processors: [select383],
  on_success: processor_chain([
    dup49,
    set_field({ dest: "nwparser.msg_id1", value: constant("323006") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.result", value: constant("data channel communication failure - data channel is DOWN") }),
  ]),
});
// Message 718010 (HELLO response sent): the bracketed peer address is stored
// as daddr; a fixed event_description is written.
var msg1656 = match({
  id: "MESSAGE#1088:718010",
  dissect: {
    tokenizer: "Sent HELLO response to [%{daddr->}]",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718010") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Sent HELLO response") }),
  ]),
});
// Message 720049 (VPN failover): context after "VPN-", then the text up to
// ": " as event_description and the remainder as info.
var msg1657 = match({
  id: "MESSAGE#1140:720049",
  dissect: {
    tokenizer: "(VPN-%{context->}) %{event_description->}: %{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("720049") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 713171. Middle stage: two shared alternatives defined elsewhere.
var select384 = linear_select([dup465, dup466]);

// Final stage: saddr and the trailing result text, read from nwparser.p1.
var msg1658 = match({
  id: "MESSAGE#1284:713171/2",
  dissect: {
    tokenizer: "%{saddr->}, %{result->}",
    field: "nwparser.p1",
  },
});

// Full 713171 pipeline.
var all397 = all_match({
  processors: [dup9, select384, msg1658],
  on_success: processor_chain([
    dup95,
    set_field({ dest: "nwparser.msg_id1", value: constant("713171") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 199909: the whole payload becomes event_description.
var msg1659 = match({
  id: "MESSAGE#214:199909",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("199909") }),
    dup2, dup3, dup4, dup5,
    dup259,
  ]),
});
// Message 713223 (static crypto map check found no ACL): captures group,
// saddr, map name (fld1) and sequence (fld2); fixed event_description.
var msg1660 = match({
  id: "MESSAGE#937:713223",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, Static Crypto Map check, map = %{fld1->}, seq = %{fld2->}, no ACL configured",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup51,
    set_field({ dest: "nwparser.msg_id1", value: constant("713223") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Static Crypto Map check - no ACL configured") }),
  ]),
});
// Message 714003: captures saddr, the action text and the msg id (fld1).
var msg1661 = match({
  id: "MESSAGE#982:714003",
  dissect: {
    tokenizer: "IP = %{saddr->}, %{action->}: msg id = %{fld1->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("714003") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 718058 (state machine return code): the text before the comma goes
// to result, the text after it to resultcode.
var msg1662 = match({
  id: "MESSAGE#1104:718058",
  dissect: {
    tokenizer: "State machine return code: %{result->}, %{resultcode->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718058") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("State machine return code") }),
  ]),
});
// Message 720042 (VPN failover, message received from the active unit).
// Stage 1: context and message type (obj_type); remainder into p0.
var msg1663 = match({
  id: "MESSAGE#1135:720042/0",
  dissect: {
    tokenizer: "(VPN-%{context->}) Receiving %{obj_type->} message %{p0->}",
    field: "nwparser.payload",
  },
});

// Stage 2, alternative A: info wrapped in parentheses.
var msg1664 = match({
  id: "MESSAGE#1135:720042/1",
  dissect: {
    tokenizer: "(%{info->}) from active unit",
    field: "nwparser.p0",
  },
});

// Stage 2, alternative B: info without parentheses.
var msg1665 = match({
  id: "MESSAGE#1135:720042/1",
  dissect: {
    tokenizer: "%{info->} from active unit",
    field: "nwparser.p0",
  },
});

// Parenthesised form is listed before the bare form.
var select385 = linear_select([msg1664, msg1665]);

// Full 720042 pipeline.
var all398 = all_match({
  processors: [msg1663, select385],
  on_success: processor_chain([
    dup37,
    set_field({ dest: "nwparser.msg_id1", value: constant("720042") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 722022 (SVC connection established). Most stages are shared
// processors defined elsewhere; only two are specific to this message.
// Specific stage: fixed text read from p3, remainder into p4.
var msg1666 = match({
  id: "MESSAGE#1160:722022/4",
  dissect: {
    tokenizer: "SVC connection established with%{p4->}",
    field: "nwparser.p3",
  },
});

// Specific stage: the word before "compression" is stored as obj_type.
var msg1667 = match({
  id: "MESSAGE#1160:722022/6",
  dissect: {
    tokenizer: "%{->} %{obj_type->} compression",
    field: "nwparser.p5",
  },
});

// Seven-stage 722022 pipeline; dup270 sits between the two stages above and
// presumably produces nwparser.p5 from p4 - confirm against its definition.
var all399 = all_match({
  processors: [
    dup77,
    dup182,
    dup267,
    dup268,
    msg1666,
    dup270,
    msg1667,
  ],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("722022") }),
    dup7, dup2, dup3, dup4, dup5,
    dup444,
  ]),
});
// Message 737012 (address assignment failed), form without a session id:
// only the reporting process is captured.
var msg1668 = match({
  id: "MESSAGE#1236:737012",
  dissect: {
    tokenizer: "%{process->}: Address assignment failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("737012") }),
    dup4, dup5, dup2, dup3,
    dup467,
  ]),
});

// Form carrying "Session=<id>": also captures sessionid.
var msg1669 = match({
  id: "MESSAGE#1237:737012:01",
  dissect: {
    tokenizer: "%{process->}: Session=%{sessionid->}, Address assignment failed",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("737012:01") }),
    dup4, dup5, dup2, dup3,
    dup467,
  ]),
});

// NOTE(review): the session-less pattern is listed first. If alternatives
// are tried in order and "%{process->}" can span the "Session=..." text, the
// second pattern may never be reached and sessionid would be lost - verify
// with a sample line that contains a session id.
var select386 = linear_select([msg1668, msg1669]);
// Message 120011 (Smart Call Home needs a DNS server): the quoted command
// suggested by the device is stored as action.
var msg1670 = match({
  id: "MESSAGE#13:120011",
  dissect: {
    tokenizer: "To ensure Smart Call Home can properly communicate with Cisco, use the command \"%{action->}\" to configure at least one DNS server.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("120011") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 400014: "<product>:<sigid> <context> from <saddr> to <daddr> on
// interface <dinterface>" - same layout as the other 4000xx patterns.
var msg1671 = match({
  id: "MESSAGE#511:400014",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({ dest: "nwparser.msg_id1", value: constant("400014") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// Message 400023: identical layout and post-processing to 400014; only the
// id and msg_id1 differ.
var msg1672 = match({
  id: "MESSAGE#520:400023",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup26,
    set_field({ dest: "nwparser.msg_id1", value: constant("400023") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// Message 713231 (internal error): captures group and saddr; the text after
// "Internal Error, " becomes event_description.
var msg1673 = match({
  id: "MESSAGE#942:713231",
  dissect: {
    tokenizer: "Group = %{group->}, IP = %{saddr->}, Internal Error, %{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("713231") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 402119 (ESP packet failed anti-replay checking). Final stage:
// takes daddr from nwparser.p1.
var msg1674 = match({
  id: "MESSAGE#562:402119/2",
  dissect: {
    tokenizer: "%{daddr->} that failed anti-replay checking.",
    field: "nwparser.p1",
  },
});

// Full 402119 pipeline; dup312 and dup313 (defined elsewhere) parse the
// leading part of the message. A fixed event_description is written.
var all400 = all_match({
  processors: [dup312, dup313, msg1674],
  on_success: processor_chain([
    dup55,
    set_field({ dest: "nwparser.msg_id1", value: constant("402119") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Received ESP packet that failed anti-replay checking") }),
    dup56,
  ]),
});
// Message 415007 (illegal HTTP extension method): captures sigid, listnum,
// the single-quoted token (stored in protocol) and both addresses; context
// is set to a fixed string.
var msg1675 = match({
  id: "MESSAGE#639:415007",
  dissect: {
    tokenizer: "%{sigid->} HTTP Extension method illegal - %{listnum->} '%{protocol->}' from %{saddr->} to %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup206,
    set_field({ dest: "nwparser.msg_id1", value: constant("415007") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.context", value: constant("HTTP Extension method illegal") }),
  ]),
});
// Message 715022: built only from shared stages (dup79, dup273, dup33, all
// defined elsewhere); on success it tags msg_id1.
var all401 = all_match({
  processors: [dup79, dup273, dup33],
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("715022") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 718073 (load-balancing role change): captures the context name and
// writes a fixed event_description. The strings mirror the device's own
// wording and must stay unchanged for the pattern to match.
var msg1676 = match({
  id: "MESSAGE#1110:718073",
  dissect: {
    tokenizer: "Becoming slave of Load Balancing in context %{context->}.",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718073") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Becoming slave of Load Balancing") }),
  ]),
});
// Message 109017 (user exceeded the auth proxy connection limit): captures
// the user's address as saddr and the configured maximum as fld2. The event
// category is set inline here instead of through a shared dup step.
var msg1677 = match({
  id: "MESSAGE#141:109017",
  dissect: {
    tokenizer: "User at %{saddr->} exceeded auth proxy connection limit (max %{fld2->})",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    set_field({ dest: "nwparser.eventcategory", value: constant("1301010000") }),
    set_field({ dest: "nwparser.msg_id1", value: constant("109017") }),
    dup18,
    dup87,
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 113039 (AnyConnect parent session started): captures group,
// username and saddr from angle-bracketed values.
// NOTE(review): "\u003c\u003c" is a doubled "<", while each value is closed
// by a single ">". If the tokenizer is applied literally and the device
// emits a single "<", this pattern never matches and VPN session-start
// events would be left without user attribution - verify with a sample line.
var msg1678 = match({
  id: "MESSAGE#200:113039",
  dissect: {
    tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> AnyConnect parent session started",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("113039") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("AnyConnect parent session started") }),
  ]),
});
// Message 302302: the whole payload becomes event_description.
var msg1679 = match({
  id: "MESSAGE#342:302302",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("302302") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 304005 (URL server request pending): captures the URL server
// address as hostip and the requested URL as url.
var msg1680 = match({
  id: "MESSAGE#357:304005",
  dissect: {
    tokenizer: "URL Server %{hostip->} request pending URL %{url->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup406,
    set_field({ dest: "nwparser.msg_id1", value: constant("304005") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 304002 (URL access denied), full form: captures url plus the
// source and destination addresses.
var msg1681 = match({
  id: "MESSAGE#353:304002",
  dissect: {
    tokenizer: "Access denied URL %{url->} SRC %{saddr->} DEST %{daddr->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup24,
    set_field({ dest: "nwparser.msg_id1", value: constant("304002") }),
    dup2, dup3, dup4, dup5,
    dup70, dup71, dup72, dup73,
  ]),
});

// Short form: only the URL is present, so no addresses are extracted.
var msg1682 = match({
  id: "MESSAGE#354:304002:01",
  dissect: {
    tokenizer: "Access denied URL %{url->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup24,
    set_field({ dest: "nwparser.msg_id1", value: constant("304002:01") }),
    dup14,
    dup2, dup3, dup4, dup5,
    dup70, dup71, dup72, dup73,
  ]),
});

// The more specific form (with SRC/DEST) is listed before the short one.
var select387 = linear_select([msg1681, msg1682]);
// Message 718062 (thread is awake): the leading word is stored as direction
// and the parenthesised value as context; fixed event_description.
var msg1683 = match({
  id: "MESSAGE#1106:718062",
  dissect: {
    tokenizer: "%{direction->} thread is awake (context=%{context->}).",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("718062") }),
    dup7, dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("thread is awake") }),
  ]),
});
// Message 722053 (unknown client connection), parsed as payload -> p0 -> p1.
// Stage 1: group, username, saddr; the client string goes to p0.
// NOTE(review): "\u003c\u003c" is a doubled "<" before each value while the
// closing side is a single ">". If applied literally against a device that
// emits a single "<", nothing here matches - verify with a sample line.
var msg1684 = match({
  id: "MESSAGE#1180:722053/0",
  dissect: {
    tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> Unknown client \u003c\u003c%{p0->}",
    field: "nwparser.payload",
  },
});

// Stage 2, alternative A: "<application> for <product> ...".
var msg1685 = match({
  id: "MESSAGE#1180:722053/2",
  dissect: {
    tokenizer: "%{application->} for %{product->} %{p1->}",
    field: "nwparser.p0",
  },
});

// Stage 2, alternative B: "<application> <product> ..." without "for".
var msg1686 = match({
  id: "MESSAGE#1180:722053/2",
  dissect: {
    tokenizer: "%{application->} %{product->} %{p1->}",
    field: "nwparser.p0",
  },
});

// The "for" form is listed before the plain form.
var select388 = linear_select([msg1685, msg1686]);

// Stage 3: client version up to the closing ">".
var msg1687 = match({
  id: "MESSAGE#1180:722053/2",
  dissect: {
    tokenizer: "%{version->}> connection",
    field: "nwparser.p1",
  },
});

// Full 722053 pipeline; writes a fixed event_description.
var all402 = all_match({
  processors: [msg1684, select388, msg1687],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("722053") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Unknown client connection") }),
  ]),
});
// Message 746016 (user-identity DNS lookup failed): captures the looked-up
// name as web_domain and the reason as result. This chain uses dup25 in the
// position where most chains in this file use dup3.
var msg1688 = match({
  id: "MESSAGE#1289:746016",
  dissect: {
    tokenizer: "user-identity: DNS lookup for %{web_domain->} failed, reason: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("746016") }),
    dup14,
    dup2, dup25, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("DNS lookup failed") }),
  ]),
});
// Message 715001. Prefix alternative with group, single-quoted username and
// saddr; the remainder goes to p0.
var msg1689 = match({
  id: "MESSAGE#991:715001/1",
  dissect: {
    tokenizer: "%{->}Group = %{group->}, Username = '%{username->}', IP = %{saddr->},%{p0->}",
    field: "nwparser.payload",
  },
});

// Prefix alternative with only the IP address.
var msg1690 = match({
  id: "MESSAGE#991:715001/1",
  dissect: {
    tokenizer: "%{->}IP = %{saddr->}, %{p0->}",
    field: "nwparser.payload",
  },
});

// Prefix alternatives from most to least specific; dup341 is defined
// elsewhere.
var select389 = linear_select([msg1689, dup341, msg1690]);

// Full 715001 pipeline; dup468 (defined elsewhere) handles the text left
// over after the prefix.
var all403 = all_match({
  processors: [select389, dup468],
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("715001") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 751025 (addresses assigned to a session): captures local and
// remote address/port, username, group, the assigned IPv4 address
// (stransaddr) and the assigned IPv6 address (hostip_v6).
var msg1691 = match({
  id: "MESSAGE#1270:751025",
  dissect: {
    tokenizer: "Local:%{saddr->}:%{sport->} Remote:%{daddr->}:%{dport->} Username:%{username->} Group:%{group->} IPv4 Address=%{stransaddr->} IPv6 address=%{hostip_v6->} assigned to session",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("751025") }),
    dup2, dup3, dup4, dup5,
    dup434,
  ]),
});
// Message 109029 (problem while parsing a downloaded ACL).
// WARNING form, stage 1: fixed prefix, remainder into p0.
var msg1692 = match({
  id: "MESSAGE#153:109029/0",
  dissect: {
    tokenizer: "Parsing downloaded ACL: WARNING: %{p0->}",
    field: "nwparser.payload",
  },
});

// Stage 2, ACL name in angle brackets (the opening side is a doubled "<").
var msg1693 = match({
  id: "MESSAGE#153:109029/2",
  dissect: {
    tokenizer: "\u003c\u003c%{listnum->}> %{p1->}",
    field: "nwparser.p0",
  },
});

// Stage 2, ACL name in single quotes.
var msg1694 = match({
  id: "MESSAGE#153:109029/2",
  dissect: {
    tokenizer: "'%{listnum->}' %{p1->}",
    field: "nwparser.p0",
  },
});

// Stage 2, bare ACL name.
var msg1695 = match({
  id: "MESSAGE#153:109029/2",
  dissect: {
    tokenizer: "%{listnum->} %{p1->}",
    field: "nwparser.p0",
  },
});

// Quoting styles from most to least specific.
// NOTE(review): if the bracketed form does not match literally, the bare
// pattern would presumably still match and leave the bracket characters
// inside listnum - check a sample line.
var select390 = linear_select([msg1693, msg1694, msg1695]);

// WARNING pipeline; dup173 (defined elsewhere) is the last stage.
var all404 = all_match({
  processors: [msg1692, select390, dup173],
  on_success: processor_chain([
    dup6,
    set_field({ dest: "nwparser.msg_id1", value: constant("109029") }),
    dup2, dup3, dup4, dup5,
  ]),
});

// ERROR form: the text after "ERROR: " is stored as result.
var msg1696 = match({
  id: "MESSAGE#154:109029:01",
  dissect: {
    tokenizer: "Parsing downloaded ACL: ERROR: %{result->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup6,
    set_field({ dest: "nwparser.msg_id1", value: constant("109029:01") }),
    dup14,
    dup2, dup3, dup4, dup5,
  ]),
});

// WARNING form listed before the ERROR form.
var select391 = linear_select([all404, msg1696]);
// Message 201011 (connection limit exceeded): captures the two counters
// around "/" (fld1, fld2), the packet direction, both address/port pairs and
// the interface; fixed event_description.
var msg1697 = match({
  id: "MESSAGE#228:201011",
  dissect: {
    tokenizer: "Connection limit exceeded %{fld1->}/%{fld2->} for %{direction->} packet from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} on interface %{interface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup10,
    set_field({ dest: "nwparser.msg_id1", value: constant("201011") }),
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Connection limit exceeded") }),
  ]),
});
// Message 400037: "<product>:<sigid> <context> from <saddr> to <daddr> on
// interface <dinterface>" - same layout as the other 4000xx patterns, with
// dup76 as the leading shared step.
var msg1698 = match({
  id: "MESSAGE#534:400037",
  dissect: {
    tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup76,
    set_field({ dest: "nwparser.msg_id1", value: constant("400037") }),
    dup2, dup3, dup4, dup5,
    dup27, dup28, dup29, dup30,
  ]),
});
// Message 602302: the whole payload becomes event_description.
var msg1699 = match({
  id: "MESSAGE#717:602302",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup34,
    set_field({ dest: "nwparser.msg_id1", value: constant("602302") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 322002 (ARP inspection check failed): captures the offending
// host's MAC address as smacaddr and the receiving interface; any text after
// the "." is kept in info.
var msg1700 = match({
  id: "MESSAGE#446:322002",
  dissect: {
    tokenizer: "ARP inspection check failed for arp request received from host %{smacaddr->} on interface %{interface->}.%{info->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup180,
    set_field({ dest: "nwparser.msg_id1", value: constant("322002") }),
    dup2, dup3, dup4, dup5,
  ]),
});
// Message 715038. Identity alternative with username and saddr; remainder
// into p1.
var msg1701 = match({
  id: "MESSAGE#1010:715038/2",
  dissect: {
    tokenizer: "Username = %{username->}, IP = %{saddr->} %{p1->}",
    field: "nwparser.p0",
  },
});

// Identity alternatives; dup45 and dup46 are defined elsewhere.
var select392 = linear_select([msg1701, dup45, dup46]);

// Final stage: free-text description followed by version and capabilities
// (fld1) in parentheses.
var msg1702 = match({
  id: "MESSAGE#1010:715038/2",
  dissect: {
    tokenizer: "%{event_description->} (version: %{version->}, capabilities: %{fld1->})",
    field: "nwparser.p1",
  },
});

// Full 715038 pipeline.
var all405 = all_match({
  processors: [dup44, select392, msg1702],
  on_success: processor_chain([
    dup20,
    set_field({ dest: "nwparser.msg_id1", value: constant("715038") }),
    dup7, dup2, dup3, dup4, dup5,
  ]),
});
// Message 302010: the whole payload becomes event_description.
var msg1703 = match({
  id: "MESSAGE#290:302010",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup21,
    set_field({ dest: "nwparser.msg_id1", value: constant("302010") }),
    dup4, dup5, dup2, dup3,
  ]),
});
// Message 444005 (temporary license key expiry): tags the event with the
// "License" subject.
// NOTE(review): the tokenizer first copies the device's own text into
// event_description, and the last step then replaces it with a constant that
// hard-codes "365 days". The real number of remaining days reported by the
// device is therefore lost - confirm this is intended.
var msg1704 = match({
  id: "MESSAGE#665:444005",
  dissect: {
    tokenizer: "%{event_description->}",
    field: "nwparser.payload",
  },
  on_success: processor_chain([
    dup107,
    set_field({ dest: "nwparser.msg_id1", value: constant("444005") }),
    set_field({ dest: "nwparser.ec_subject", value: constant("License") }),
    dup42,
    dup2, dup3, dup4, dup5,
    set_field({ dest: "nwparser.event_description", value: constant("Temporary license key will expire in 365 days") }),
  ]),
});
// Message 720035: payload starts with "(VPN-<context>)"; the text after it is
// kept as event_description. msg_id1 is set to "720035".
var msg1705 = match({ | |
id: "MESSAGE#1128:720035", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup161, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720035"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 725001, variant ":01": the tail (p1) names both endpoints,
// "<sinterface>:<saddr>/<sport> to <daddr>/<dport>", plus the session's
// protocol version.
var msg1706 = match({ | |
id: "MESSAGE#1185:725001:01/2", | |
dissect: { | |
tokenizer: "%{->} %{sinterface->}:%{saddr->}/%{sport->}to%{daddr->}/%{dport->}for %{version->} session", | |
field: "nwparser.p1", | |
}, | |
}); | |
// dup469 and dup470 are shared earlier stages defined elsewhere in the file.
// On success msg_id1 is set to "725001:01".
var all406 = all_match({ | |
processors: [ | |
dup469, | |
dup470, | |
msg1706, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725001:01"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup471, | |
]), | |
}); | |
// Message 725001, base variant: only one endpoint is present, captured as
// interface / hostip / network_port rather than as source and destination.
var msg1707 = match({ | |
id: "MESSAGE#1186:725001/2", | |
dissect: { | |
tokenizer: "%{->} %{interface->}:%{hostip->}/%{network_port->} for %{version->} session.", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Same leading stages as all406; on success msg_id1 is set to "725001".
var all407 = all_match({ | |
processors: [ | |
dup469, | |
dup470, | |
msg1707, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("725001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup471, | |
]), | |
}); | |
// The two-endpoint layout is listed before the single-endpoint one.
var select393 = linear_select([ | |
all406, | |
all407, | |
]); | |
// Message 105006: link status 'Up'. Captures the bracketed context and the
// interface name, then sets event_description to a fixed summary string.
var msg1708 = match({ | |
id: "MESSAGE#31:105006", | |
dissect: { | |
tokenizer: "(%{context->}) Link status 'Up' on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105006"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Link status Up"), | |
}), | |
]), | |
}); | |
// Message 105031: the whole payload is kept as event_description.
// msg_id1 is set to "105031".
var msg1709 = match({ | |
id: "MESSAGE#39:105031", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105031"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 717047: a revoked certificate was presented. Captures the user the
// certificate was issued to; the certificate serial number is stored in the
// generic "result" field, so anything keyed on the serial must read it there.
var msg1710 = match({ | |
id: "MESSAGE#1304:717047", | |
dissect: { | |
tokenizer: "Revoked certificate issued to user: %{username->} with serial number %{result->}.", | |
field: "nwparser.payload", | |
}, | |
// NOTE(review): unlike the neighbouring chains, dup4 is not applied here;
// dup4 is defined elsewhere, so confirm the omission is intentional.
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("717047"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup5, | |
]), | |
}); | |
// Message 409004: something was received from a neighbor the device does not
// know. What was received goes to "result", the sender's address to "hostip".
var msg1711 = match({ | |
id: "MESSAGE#606:409004", | |
dissect: { | |
tokenizer: "Received %{result->} from unknown neighbor %{hostip->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("409004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 616001, structured variant (":01"): MGCP connection pre-allocation.
// Extracts the source and destination interface/address, the destination
// port, and two uninterpreted values (fld1, fld2).
var msg1712 = match({ | |
id: "MESSAGE#790:616001:01", | |
dissect: { | |
tokenizer: "Pre-allocate MGCP %{fld1->} connection for %{sinterface->}:%{saddr->} to %{dinterface->}:%{daddr->}/%{dport->} from %{fld2->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("616001:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup347, | |
]), | |
}); | |
// Message 616001, catch-all variant: keeps the payload as event_description
// without extracting any addresses.
var msg1713 = match({ | |
id: "MESSAGE#791:616001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("616001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// The structured pattern is listed first, the catch-all second.
var select394 = linear_select([ | |
msg1712, | |
msg1713, | |
]); | |
// Message 720041: "(VPN-<context>) Sending <info> to standby unit".
// Captures context and info; msg_id1 is set to "720041".
var msg1714 = match({ | |
id: "MESSAGE#1134:720041", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) Sending %{info->} to standby unit", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720041"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 105043: bracketed context followed by free text, which is kept as
// event_description. msg_id1 is set to "105043".
var msg1715 = match({ | |
id: "MESSAGE#52:105043", | |
dissect: { | |
tokenizer: "(%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup324, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105043"), | |
}), | |
dup2, | |
dup3, | |
dup167, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 106003: a connection was denied because of a Java applet.
// Extracts source address, destination address and interface, and sets
// event_description to a fixed summary so deny events group consistently.
var msg1716 = match({ | |
id: "MESSAGE#61:106003", | |
dissect: { | |
tokenizer: "Connection denied src %{saddr->} dest %{daddr->} due to JAVA Applet on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup24, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("106003"), | |
}), | |
dup99, | |
dup102, | |
dup43, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup196, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Connection denied due to JAVA Applet on interface"), | |
}), | |
]), | |
}); | |
// Message 307004: the Telnet session limit was exceeded. Captures the
// requesting source address and the interface the request arrived on.
var msg1717 = match({ | |
id: "MESSAGE#395:307004", | |
dissect: { | |
tokenizer: "Telnet session limit exceeded.%{space->}Connection request from %{saddr->} on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup84, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("307004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup103, | |
]), | |
}); | |
// Message 402117: a non-IPSec packet was received where IPSec was expected.
// Captures the protocol value and the source and destination addresses.
var msg1718 = match({ | |
id: "MESSAGE#560:402117", | |
dissect: { | |
tokenizer: "IPSEC: Received a non-IPSec packet (protocol= %{protocol->}) from %{saddr->} to %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("402117"), | |
}), | |
dup7, | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup409, | |
dup56, | |
]), | |
}); | |
// Message 105021 is parsed in stages. Stage 1 strips the leading bracketed
// value into fld1 and leaves the rest of the payload in p0.
var msg1719 = match({ | |
id: "MESSAGE#38:105021/0", | |
dissect: { | |
tokenizer: "(%{fld1->}) %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Stage 2 consumes a leading capital "S"; together with msg1721 this spells
// "Standby unit failed ...".
var msg1720 = match({ | |
id: "MESSAGE#38:105021/2", | |
dissect: { | |
tokenizer: "S%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// dup218 is defined elsewhere; presumably the lower-case alternative for the
// first letter - confirm against its definition.
var select395 = linear_select([ | |
msg1720, | |
dup218, | |
]); | |
// Stage 3 matches the rest of the sentence, capturing which config is locked
// (fld2) and passing the lock holder on in p2 for the following stage.
var msg1721 = match({ | |
id: "MESSAGE#38:105021/2", | |
dissect: { | |
tokenizer: "tandby unit failed to sync due to a locked %{fld2->} config. Lock held by %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Combines all stages; dup237 (defined elsewhere) is the last stage. On
// success msg_id1 is "105021" and event_description a fixed summary.
var all408 = all_match({ | |
processors: [ | |
msg1719, | |
select395, | |
msg1721, | |
dup237, | |
], | |
on_success: processor_chain([ | |
dup410, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105021"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Standby unit failed to sync due to a locked Config"), | |
}), | |
dup167, | |
]), | |
}); | |
// Message 319001, variant ":01": an ARP update was not acknowledged.
// Captures the IP address concerned (daddr) and the bracketed count.
var msg1722 = match({ | |
id: "MESSAGE#436:319001:01", | |
dissect: { | |
tokenizer: "Acknowledge for arp update for IP address %{daddr->} not received (%{count->}).", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("319001:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Acknowledge for arp update"), | |
}), | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 319001, second variant: a fixed sentence about a rejected peer
// certificate subject name; no fields are extracted.
// NOTE(review): this text is unrelated to the ARP wording of the ":01"
// variant, yet both are alternatives for the same id - confirm the mapping.
var msg1723 = match({ | |
id: "MESSAGE#437:319001", | |
dissect: { | |
tokenizer: "The subject name of the peer cert is not allowed for connection%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("319001"), | |
}), | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("The subject name of the peer cert is not allowed for connection"), | |
}), | |
dup4, | |
dup5, | |
]), | |
}); | |
// Alternatives for 319001, ARP variant listed first.
var select396 = linear_select([ | |
msg1722, | |
msg1723, | |
]); | |
// Message 409013: the whole payload is kept as event_description.
// msg_id1 is set to "409013".
var msg1724 = match({ | |
id: "MESSAGE#615:409013", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup51, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("409013"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 501101: a command's privilege level was changed. The variable,
// command and new level are captured only into the generic fld1, fld2 and
// fld3 slots; no mapping of them to named fields is visible in this section,
// so audit queries on privilege changes must read fld1-fld3.
var msg1725 = match({ | |
id: "MESSAGE#678:501101", | |
dissect: { | |
tokenizer: "Cmd priv level changed: Var: %{fld1->} Cmd: %{fld2->} Priv level: %{fld3->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup105, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("501101"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
// "result" is a constant here, not a value taken from the log line.
set_field({ | |
dest: "nwparser.result", | |
value: constant("Cmd priv level changed successfully"), | |
}), | |
]), | |
}); | |
// Message 501101, variant ":01": a user is changing privilege level. The
// pattern is a fixed sentence; neither the user nor the levels are extracted.
var msg1726 = match({ | |
id: "MESSAGE#679:501101:01", | |
dissect: { | |
tokenizer: "User transitioning priv level%{->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup105, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("501101:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("User transitioning priv level"), | |
}), | |
]), | |
}); | |
// Alternatives for 501101, command-level variant listed first.
var select397 = linear_select([ | |
msg1725, | |
msg1726, | |
]); | |
// Message 210003: the whole payload is kept as event_description.
// msg_id1 is set to "210003".
var msg1727 = match({ | |
id: "MESSAGE#243:210003", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup165, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("210003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 304004: a request to the URL server failed. Captures the server
// address (hostip) and the requested URL. The URL is the last token, so it
// takes the rest of the line; it originates from client traffic and should be
// treated as untrusted text wherever it is displayed or re-parsed.
var msg1728 = match({ | |
id: "MESSAGE#356:304004", | |
dissect: { | |
tokenizer: "URL Server %{hostip->} request failed URL %{url->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup406, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("304004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 400022: signature-style alert. Captures the product tag, the
// signature id (sigid), descriptive text (context), the source and
// destination addresses, and the interface (dinterface).
var msg1729 = match({ | |
id: "MESSAGE#519:400022", | |
dissect: { | |
tokenizer: "%{product->}:%{sigid->} %{context->} from %{saddr->} to %{daddr->} on interface %{dinterface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup26, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("400022"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup27, | |
dup28, | |
dup29, | |
dup30, | |
]), | |
}); | |
// Message 710002 is parsed in stages. Stage 1 reads the protocol and the
// source address/port, leaving the destination part in p0.
var msg1730 = match({ | |
id: "MESSAGE#843:710002/0", | |
dissect: { | |
tokenizer: "%{protocol->} access permitted from %{saddr->}/%{sport->} to %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// Destination layout with an extra colon-separated value (fld1) between the
// interface and the address.
var msg1731 = match({ | |
id: "MESSAGE#843:710002/2", | |
dissect: { | |
tokenizer: "%{dinterface->}:%{fld1->}:%{daddr->}/%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Plain "<interface>:<address>/..." destination layout.
var msg1732 = match({ | |
id: "MESSAGE#843:710002/2", | |
dissect: { | |
tokenizer: "%{dinterface->}:%{daddr->}/%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// The three-part layout is listed before the two-part one.
var select398 = linear_select([ | |
msg1731, | |
msg1732, | |
]); | |
// Whatever follows the final "/" is stored as "service" (not as dport).
var msg1733 = match({ | |
id: "MESSAGE#843:710002/2", | |
dissect: { | |
tokenizer: "%{service->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Combines the stages. On success msg_id1 is "710002" and "result" is the
// constant "access permitted". This chain applies dup35 where most
// neighbouring chains apply dup3; both are defined elsewhere.
var all409 = all_match({ | |
processors: [ | |
msg1730, | |
select398, | |
msg1733, | |
], | |
on_success: processor_chain([ | |
dup204, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("710002"), | |
}), | |
dup42, | |
dup43, | |
dup64, | |
dup2, | |
dup35, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("access permitted"), | |
}), | |
]), | |
}); | |
// Message 720028: "(VPN-<context>)" prefix followed by free text kept as
// event_description. msg_id1 is set to "720028".
var msg1734 = match({ | |
id: "MESSAGE#1124:720028", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup37, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720028"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 338006, final stage: traffic dropped because the destination is on
// a blacklist. The pattern starts mid-word ("ilter"); the start of the
// sentence is handled by dup183/dup184, which are defined elsewhere.
// Captures both endpoints with their bracketed translated address/port pairs,
// the blacklisted destination (fld1), the list it was resolved from (fld2),
// the matching domain (web_domain), the threat level (stored as "severity")
// and the category (stored as "result").
var msg1735 = match({ | |
id: "MESSAGE#476:338006/2", | |
dissect: { | |
tokenizer: "ilter dropped blacklisted %{protocol->} traffic from %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}), destination %{fld1->} resolved from %{fld2->} list:%{web_domain->} threat-level: %{severity->}, category: %{result->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Combines the stages; on success msg_id1 is set to "338006".
var all410 = all_match({ | |
processors: [ | |
dup183, | |
dup184, | |
msg1735, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("338006"), | |
}), | |
dup42, | |
dup43, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 702307, first stage: an SA between two peers. Captures the
// service prefix, the SA type (stored as "agent"), the SPI (fld1) and both
// peer addresses; the rest of the line continues in p0.
var msg1736 = match({ | |
id: "MESSAGE#831:702307/0", | |
dissect: { | |
tokenizer: "%{service->}: An %{agent->} SA (SPI= %{fld1->}) between %{saddr->} and %{daddr->} %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
// dup32 and dup33 (defined elsewhere) parse the remainder. On success
// msg_id1 is set to "702307".
var all411 = all_match({ | |
processors: [ | |
msg1736, | |
dup32, | |
dup33, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("702307"), | |
}), | |
dup7, | |
dup11, | |
dup12, | |
dup13, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 713201: built entirely from shared stages (dup44, dup47, dup48)
// that are defined elsewhere. On success msg_id1 is set to "713201".
var all412 = all_match({ | |
processors: [ | |
dup44, | |
dup47, | |
dup48, | |
], | |
on_success: processor_chain([ | |
dup55, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713201"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 713201, variant ":01": different shared stages and a different
// first on_success processor (dup20 rather than dup55).
var all413 = all_match({ | |
processors: [ | |
dup176, | |
dup23, | |
dup174, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713201:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Alternatives for 713201, base variant listed first.
var select399 = linear_select([ | |
all412, | |
all413, | |
]); | |
// Message 715056: built from shared stages dup22, dup23 and dup241 (defined
// elsewhere). On success msg_id1 is set to "715056".
var all414 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
dup241, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715056"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 111005 (end of a configuration session): built from shared stages
// dup44, dup135 and dup136, defined elsewhere. On success msg_id1 is "111005"
// and "result" is the constant "end configuration: OK".
var all415 = all_match({ | |
processors: [ | |
dup44, | |
dup135, | |
dup136, | |
], | |
on_success: processor_chain([ | |
dup105, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("111005"), | |
}), | |
dup38, | |
dup137, | |
dup39, | |
dup40, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.result", | |
value: constant("end configuration: OK"), | |
}), | |
]), | |
}); | |
// Message 713259 (session is being torn down), base variant: built from
// shared stages dup22, dup23 and dup472, which are defined elsewhere.
var all416 = all_match({ | |
processors: [ | |
dup22, | |
dup23, | |
dup472, | |
], | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713259"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup473, | |
]), | |
}); | |
// Variant ":01", layout with a group: captures group and source IP; the
// tear-down reason is handed on in p1. Note the space before the comma
// after the IP value in the literal text.
var msg1737 = match({ | |
id: "MESSAGE#952:713259:01/2", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->} , Session is being torn down. Reason: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Variant ":01", layout without a group.
var msg1738 = match({ | |
id: "MESSAGE#952:713259:01/2", | |
dissect: { | |
tokenizer: "IP = %{saddr->} , Session is being torn down. Reason: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// The layout with a group is listed first.
var select400 = linear_select([ | |
msg1737, | |
msg1738, | |
]); | |
// dup44 and dup173 are shared stages defined elsewhere; on success msg_id1
// is set to "713259:01".
var all417 = all_match({ | |
processors: [ | |
dup44, | |
select400, | |
dup173, | |
], | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713259:01"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup473, | |
]), | |
}); | |
// Variant ":02": same as the base variant except that the first stage is
// dup176 and dup14 is applied on success.
var all418 = all_match({ | |
processors: [ | |
dup176, | |
dup23, | |
dup472, | |
], | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713259:02"), | |
}), | |
dup7, | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup473, | |
]), | |
}); | |
// Alternatives for 713259: base variant, then ":01", then ":02".
var select401 = linear_select([ | |
all416, | |
all417, | |
all418, | |
]); | |
// Message 720062: "(VPN-<context>)" prefix followed by free text that ends
// with a period; the text is kept as event_description.
var msg1739 = match({ | |
id: "MESSAGE#1142:720062", | |
dissect: { | |
tokenizer: "(VPN-%{context->}) %{event_description->}.", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup58, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("720062"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 105003: monitoring on an interface is waiting. Captures the
// bracketed context and the interface name; msg_id1 is set to "105003".
var msg1740 = match({ | |
id: "MESSAGE#28:105003", | |
dissect: { | |
tokenizer: "(%{context->}) Monitoring on interface %{interface->} waiting", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("105003"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup464, | |
]), | |
}); | |
// Message 504001, variant ":01": a security context was added. The context
// name is captured into "info" and event_description is set to a fixed
// summary.
var msg1741 = match({ | |
id: "MESSAGE#686:504001:01", | |
dissect: { | |
tokenizer: "Security context %{info->} was added to the system", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup163, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("504001:01"), | |
}), | |
dup164, | |
dup38, | |
dup14, | |
dup2, | |
dup3, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Security context added"), | |
}), | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 504001, catch-all variant: the payload is kept as
// event_description and no context name is extracted.
var msg1742 = match({ | |
id: "MESSAGE#687:504001", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup163, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("504001"), | |
}), | |
dup164, | |
dup38, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// The structured pattern is listed first, the catch-all second.
var select402 = linear_select([ | |
msg1741, | |
msg1742, | |
]); | |
// Message 716058: an AnyConnect session lost its connection. Captures group,
// username and source IP; the text after the fixed sentence goes to "result".
// NOTE(review): "\u003c" is the JS escape for "<", so each value is expected
// to be preceded by two "<" characters but followed by only one ">". Unless
// the dissect helper treats "<<" specially (not visible here), a line that
// uses single angle brackets would not match - verify against sample logs.
var msg1743 = match({ | |
id: "MESSAGE#1060:716058", | |
dissect: { | |
tokenizer: "Group \u003c\u003c%{group->}> User \u003c\u003c%{username->}> IP \u003c\u003c%{saddr->}> AnyConnect session lost connection. %{result->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup180, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("716058"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("AnyConnect session lost connection"), | |
}), | |
]), | |
}); | |
// Message 415004, specific variant: content type not found and content
// verification failed. Captures the leading sigid, a listnum value and the
// source and destination addresses.
var msg1744 = match({ | |
id: "MESSAGE#635:415004", | |
dissect: { | |
tokenizer: "%{sigid->} Content type not found - %{listnum->} Content Verification Failed from %{saddr->} to %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup206, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("415004"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup474, | |
]), | |
}); | |
// Message 415004, variant ":01": same layout, but the word between listnum
// and "from" is captured into "protocol" instead of being a fixed phrase.
var msg1745 = match({ | |
id: "MESSAGE#636:415004:01", | |
dissect: { | |
tokenizer: "%{sigid->} Content type not found - %{listnum->} %{protocol->} from %{saddr->} to %{daddr->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup206, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("415004:01"), | |
}), | |
dup14, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup474, | |
]), | |
}); | |
// The fixed-phrase pattern is listed before the more general one.
var select403 = linear_select([ | |
msg1744, | |
msg1745, | |
]); | |
// Message 713120, middle stage: "<group>, IP = ..." with the text after
// "IP = " handed on in p1.
var msg1746 = match({ | |
id: "MESSAGE#886:713120/2", | |
dissect: { | |
tokenizer: "%{group->}, IP = %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// dup475 and dup465 (defined elsewhere) are listed before msg1746.
var select404 = linear_select([ | |
dup475, | |
dup465, | |
msg1746, | |
]); | |
// Combines dup9, the selected middle stage and dup174. On success msg_id1
// is set to "713120".
var all419 = all_match({ | |
processors: [ | |
dup9, | |
select404, | |
dup174, | |
], | |
on_success: processor_chain([ | |
dup21, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("713120"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 737030: an address could not be sent to the standby unit because
// it is already in use. Captures the reporting process name and the address.
var msg1747 = match({ | |
id: "MESSAGE#1249:737030", | |
dissect: { | |
tokenizer: "%{process->}: Unable to send %{hostip->} to standby: address in use", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("737030"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 752011: an item has no transform set specified. The leading text
// is captured into fld2; event_description is set to the fixed remainder of
// the sentence.
var msg1748 = match({ | |
id: "MESSAGE#1298:752011", | |
dissect: { | |
tokenizer: "%{fld2->} Doesn't have a transform set specified", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("752011"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Doesn't have a transform set specified"), | |
}), | |
]), | |
}); | |
// Message 734002 is parsed in stages. This stage handles a username wrapped
// in single quotes, followed by " , Addr "; the address part continues in p1.
var msg1749 = match({ | |
id: "MESSAGE#1215:734002/2", | |
dissect: { | |
tokenizer: "'%{username->}' , Addr %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Same stage for an unquoted username.
var msg1750 = match({ | |
id: "MESSAGE#1215:734002/2", | |
dissect: { | |
tokenizer: "%{username->} , Addr %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// The quoted form is listed first, the unquoted form second.
var select405 = linear_select([ | |
msg1749, | |
msg1750, | |
]); | |
// Address stage, comma-terminated: "<hostip>,<rest>".
var msg1751 = match({ | |
id: "MESSAGE#1215:734002/3", | |
dissect: { | |
tokenizer: "%{hostip->},%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// Address stage, colon-terminated: "<hostip>:<rest>".
// NOTE(review): an IPv6 address contains colons itself; whether this
// pattern splits such an address correctly depends on the dissect helper.
var msg1752 = match({ | |
id: "MESSAGE#1215:734002/3", | |
dissect: { | |
tokenizer: "%{hostip->}:%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
// The comma-terminated form is listed first.
var select406 = linear_select([ | |
msg1751, | |
msg1752, | |
]); | |
// dup211 is the first stage and dup281 the last; both are defined elsewhere.
// On success msg_id1 is set to "734002".
var all420 = all_match({ | |
processors: [ | |
dup211, | |
select405, | |
select406, | |
dup281, | |
], | |
on_success: processor_chain([ | |
dup36, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("734002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 101002: bracketed context immediately followed by free text (no
// space is required between them); the text is kept as event_description.
var msg1753 = match({ | |
id: "MESSAGE#1:101002", | |
dissect: { | |
tokenizer: "(%{context->})%{event_description->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup49, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("101002"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 201010: the embryonic (half-open) connection limit was exceeded.
// Captures the two slash-separated values (fld1/fld2 - presumably the
// current count and the limit; confirm), the packet direction, both
// endpoints with ports, and the interface.
var msg1754 = match({ | |
id: "MESSAGE#226:201010", | |
dissect: { | |
tokenizer: "Embryonic connection limit exceeded %{fld1->}/%{fld2->} for %{direction->} packet from %{saddr->}/%{sport->} to %{daddr->}/%{dport->} on interface %{interface->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("201010"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
dup177, | |
]), | |
}); | |
// Message 213001: PPTP control daemon socket I/O message. Whatever follows
// the fixed prefix is captured into "info".
var msg1755 = match({ | |
id: "MESSAGE#260:213001", | |
dissect: { | |
tokenizer: "PPTP control daemon socket io %{info->}", | |
field: "nwparser.payload", | |
}, | |
on_success: processor_chain([ | |
dup10, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("213001"), | |
}), | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
// Message 715076, middle stage keyed on the user:
// "Username = <user>, IP = <saddr>, <rest>".
var msg1756 = match({ | |
id: "MESSAGE#1041:715076/2", | |
dissect: { | |
tokenizer: "Username = %{username->}, IP = %{saddr->}, %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// Same stage keyed on the group: "Group = <group>, IP = <saddr>, <rest>".
var msg1757 = match({ | |
id: "MESSAGE#1041:715076/2", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
// The username form is listed first, the group form second.
var select407 = linear_select([ | |
msg1756, | |
msg1757, | |
]); | |
// dup44 and dup48 are shared stages defined elsewhere. On success msg_id1
// is set to "715076".
var all421 = all_match({ | |
processors: [ | |
dup44, | |
select407, | |
dup48, | |
], | |
on_success: processor_chain([ | |
dup20, | |
set_field({ | |
dest: "nwparser.msg_id1", | |
value: constant("715076"), | |
}), | |
dup7, | |
dup2, | |
dup3, | |
dup4, | |
dup5, | |
]), | |
}); | |
var chain1 = processor_chain([ | |
select2, | |
msgid_select({ | |
"101001": msg115, | |
"101002": msg1753, | |
"101003": msg432, | |
"101004": msg31, | |
"101005": msg1628, | |
"102001": msg960, | |
"103001": msg858, | |
"103002": select131, | |
"103003": msg1092, | |
"103004": msg168, | |
"103005": msg4, | |
"103006": msg1405, | |
"103007": msg161, | |
"104001": select319, | |
"104002": select170, | |
"104003": msg929, | |
"104004": msg1407, | |
"105001": msg965, | |
"105002": msg520, | |
"105003": msg1740, | |
"105004": msg1649, | |
"105005": msg1296, | |
"105006": msg1708, | |
"105007": msg855, | |
"105008": all328, | |
"105009": msg905, | |
"105010": msg631, | |
"105011": msg173, | |
"105020": msg273, | |
"105021": all408, | |
"105031": msg1709, | |
"105032": msg966, | |
"105034": select165, | |
"105035": msg1318, | |
"105036": select62, | |
"105037": msg1250, | |
"105038": msg410, | |
"105039": msg940, | |
"105040": msg849, | |
"105041": msg967, | |
"105042": msg312, | |
"105043": msg1715, | |
"105044": msg1116, | |
"105045": all387, | |
"105046": msg1414, | |
"105047": all222, | |
"106001": select329, | |
"106002": select206, | |
"106003": msg1716, | |
"106006": select332, | |
"106007": msg396, | |
"106008": select294, | |
"106009": msg1406, | |
"106010": select211, | |
"106011": select364, | |
"106012": all213, | |
"106013": select119, | |
"106014": all192, | |
"106015": select63, | |
"106016": select305, | |
"106017": select155, | |
"106018": msg941, | |
"106019": msg1449, | |
"106020": msg1423, | |
"106021": msg563, | |
"106022": msg828, | |
"106023": select350, | |
"106025": msg493, | |
"106027": all115, | |
"106028": select289, | |
"106100": select266, | |
"106101": msg359, | |
"106102": select64, | |
"106103": select312, | |
"107001": select49, | |
"107002": msg211, | |
"108001": all146, | |
"108002": msg1587, | |
"108003": select354, | |
"108004": select323, | |
"108005": select97, | |
"108006": msg772, | |
"109001": all151, | |
"109002": all129, | |
"109003": select174, | |
"109005": all341, | |
"109006": all345, | |
"109007": all13, | |
"109008": all241, | |
"109009": msg240, | |
"109010": msg1338, | |
"109011": all290, | |
"109012": all238, | |
"109013": msg1480, | |
"109014": msg906, | |
"109015": select234, | |
"109016": select352, | |
"109017": msg1677, | |
"109018": all113, | |
"109019": all23, | |
"109020": all205, | |
"109021": msg1160, | |
"109022": msg60, | |
"109023": select53, | |
"109024": msg82, | |
"109025": all56, | |
"109026": msg1185, | |
"109027": all87, | |
"109029": select391, | |
"109032": all176, | |
"109033": select281, | |
"109039": msg663, | |
"110001": msg304, | |
"110002": select11, | |
"110003": select126, | |
"111001": msg907, | |
"111002": msg675, | |
"111003": msg554, | |
"111004": all34, | |
"111005": all415, | |
"111006": all25, | |
"111007": all252, | |
"111008": all330, | |
"111009": all223, | |
"111010": all105, | |
"111111": msg976, | |
"112001": msg96, | |
"113001": select378, | |
"113003": all208, | |
"113004": all155, | |
"113005": select285, | |
"113006": all231, | |
"113008": all140, | |
"113009": select246, | |
"113010": all295, | |
"113011": all30, | |
"113012": all88, | |
"113013": all179, | |
"113014": all190, | |
"113015": all4, | |
"113016": all253, | |
"113019": select151, | |
"113020": msg65, | |
"113022": msg969, | |
"113023": msg732, | |
"113028": all331, | |
"113034": all81, | |
"113039": msg1678, | |
"120001": msg698, | |
"120003": all209, | |
"120007": msg1078, | |
"120008": msg469, | |
"120011": msg1670, | |
"120012": all49, | |
"199001": select217, | |
"199002": msg639, | |
"199003": msg1381, | |
"199004": msg1569, | |
"199005": msg899, | |
"199006": all343, | |
"199007": all152, | |
"199008": all195, | |
"199009": select291, | |
"199015": msg409, | |
"199016": msg891, | |
"199017": msg570, | |
"199018": select269, | |
"199907": msg1521, | |
"199908": msg599, | |
"199909": msg1659, | |
"201001": msg1262, | |
"201002": select275, | |
"201003": msg1151, | |
"201004": select92, | |
"201005": msg834, | |
"201006": msg683, | |
"201007": msg1156, | |
"201008": msg852, | |
"201009": msg32, | |
"201010": msg1754, | |
"201011": msg1697, | |
"201012": msg857, | |
"201013": msg204, | |
"202001": msg1006, | |
"202002": msg1280, | |
"202003": msg1588, | |
"202004": msg90, | |
"202005": msg1235, | |
"202010": all358, | |
"203001": msg812, | |
"208005": msg1397, | |
"209001": msg470, | |
"209002": msg121, | |
"209003": msg205, | |
"209004": msg476, | |
"209005": msg835, | |
"210001": msg15, | |
"210002": msg1385, | |
"210003": msg1727, | |
"210005": msg970, | |
"210006": msg1297, | |
"210007": msg977, | |
"210008": msg953, | |
"210010": msg174, | |
"210020": msg678, | |
"210021": msg1271, | |
"210022": msg1435, | |
"211001": msg699, | |
"211003": msg102, | |
"212001": msg428, | |
"212002": msg1239, | |
"212003": msg53, | |
"212004": msg91, | |
"212005": all197, | |
"212006": msg1541, | |
"213001": msg1755, | |
"213002": msg1153, | |
"213003": msg660, | |
"213004": msg1394, | |
"214001": msg537, | |
"215001": msg1272, | |
"216001": msg1263, | |
"216005": msg1611, | |
"219002": msg632, | |
"301001": msg1164, | |
"302001": select179, | |
"302002": select221, | |
"302003": msg1007, | |
"302004": select358, | |
"302005": select276, | |
"302006": select199, | |
"302007": msg664, | |
"302008": msg1276, | |
"302009": select355, | |
"302010": msg1703, | |
"302012": all27, | |
"302013": select75, | |
"302014": select115, | |
"302015": select129, | |
"302016": select41, | |
"302017": select60, | |
"302018": msg1574, | |
"302019": msg1190, | |
"302020": select196, | |
"302021": select227, | |
"302022": select356, | |
"302023": select140, | |
"302024": all347, | |
"302025": msg819, | |
"302026": all153, | |
"302027": msg1100, | |
"302302": msg1679, | |
"302303": msg1324, | |
"302304": msg1518, | |
"303002": select223, | |
"303003": msg1633, | |
"303004": msg448, | |
"303005": msg742, | |
"304001": select14, | |
"304002": select387, | |
"304003": msg1154, | |
"304004": msg1728, | |
"304005": msg1680, | |
"304006": msg1126, | |
"304007": msg588, | |
"304008": all5, | |
"304009": msg301, | |
"305001": msg20, | |
"305002": msg356, | |
"305003": select132, | |
"305004": msg754, | |
"305005": select23, | |
"305006": select57, | |
"305007": msg529, | |
"305008": msg665, | |
"305009": msg331, | |
"305010": select139, | |
"305011": select144, | |
"305012": select120, | |
"305013": select105, | |
"306001": msg158, | |
"307001": select303, | |
"307002": msg397, | |
"307003": select46, | |
"307004": msg1717, | |
"308001": all395, | |
"308002": msg672, | |
"309001": msg243, | |
"309002": msg954, | |
"309004": msg92, | |
"311001": msg491, | |
"311002": msg673, | |
"311003": msg122, | |
"311004": msg584, | |
"312001": msg1236, | |
"313001": msg1424, | |
"313003": select169, | |
"313004": select207, | |
"313005": msg661, | |
"313008": select162, | |
"313009": msg733, | |
"314001": all260, | |
"315001": msg61, | |
"315002": all360, | |
"315003": select93, | |
"315004": all104, | |
"315005": msg93, | |
"315011": select159, | |
"316001": select118, | |
"317001": msg901, | |
"317002": msg1083, | |
"317003": msg1281, | |
"317004": msg418, | |
"317005": msg83, | |
"318001": msg1594, | |
"318002": msg244, | |
"318003": msg1653, | |
"318004": msg265, | |
"318005": msg388, | |
"318006": msg1120, | |
"318007": msg1398, | |
"318008": msg688, | |
"319001": select396, | |
"319004": msg963, | |
"320001": msg360, | |
"321001": select292, | |
"321002": msg864, | |
"321003": msg1638, | |
"321004": msg843, | |
"321005": msg1511, | |
"322001": msg1034, | |
"322002": msg1700, | |
"322003": msg1121, | |
"322004": msg1519, | |
"323001": msg375, | |
"323002": msg679, | |
"323003": msg900, | |
"323006": all396, | |
"324000": all99, | |
"324001": msg1399, | |
"324002": msg492, | |
"324003": msg1472, | |
"324004": msg1101, | |
"324005": msg1395, | |
"324006": msg869, | |
"324007": msg600, | |
"325001": msg521, | |
"325002": msg1016, | |
"326001": msg938, | |
"331001": msg730, | |
"332003": msg107, | |
"332004": msg923, | |
"335004": msg1298, | |
"336010": msg1520, | |
"337005": msg1275, | |
"337009": msg910, | |
"338001": all277, | |
"338002": all80, | |
"338003": all185, | |
"338004": all72, | |
"338005": all59, | |
"338006": all410, | |
"338007": all288, | |
"338008": all375, | |
"338101": all362, | |
"338102": all335, | |
"338103": all142, | |
"338104": all346, | |
"338201": all321, | |
"338202": all82, | |
"338203": all344, | |
"338204": all107, | |
"338301": all268, | |
"338302": all162, | |
"338303": all230, | |
"338304": msg915, | |
"338305": msg1543, | |
"338306": msg1157, | |
"338307": msg813, | |
"338308": msg482, | |
"338309": msg816, | |
"338310": msg1285, | |
"400000": msg743, | |
"400001": msg25, | |
"400002": msg1400, | |
"400003": msg1506, | |
"400004": msg605, | |
"400005": msg1225, | |
"400006": msg1186, | |
"400007": msg133, | |
"400008": msg530, | |
"400009": msg108, | |
"400010": msg1464, | |
"400011": msg162, | |
"400012": msg1512, | |
"400013": msg674, | |
"400014": msg1671, | |
"400015": msg235, | |
"400016": msg1320, | |
"400017": msg363, | |
"400018": msg1123, | |
"400019": msg1425, | |
"400020": msg1124, | |
"400021": msg1473, | |
"400022": msg1729, | |
"400023": msg1672, | |
"400024": msg982, | |
"400025": msg1612, | |
"400026": msg1474, | |
"400027": msg1363, | |
"400028": msg207, | |
"400029": msg964, | |
"400030": msg516, | |
"400031": msg1613, | |
"400032": msg1639, | |
"400033": msg62, | |
"400034": msg585, | |
"400035": msg63, | |
"400036": msg1388, | |
"400037": msg1698, | |
"400038": msg1581, | |
"400039": msg555, | |
"400040": msg225, | |
"400041": msg1589, | |
"400042": msg124, | |
"400043": msg942, | |
"400044": msg208, | |
"400045": msg35, | |
"400046": msg841, | |
"400047": msg538, | |
"400048": msg52, | |
"400049": msg389, | |
"400050": msg1187, | |
"400051": msg361, | |
"401001": msg1057, | |
"401002": all45, | |
"401003": all225, | |
"401004": all117, | |
"401005": all207, | |
"402101": msg1158, | |
"402102": msg1375, | |
"402103": all254, | |
"402106": msg1529, | |
"402114": msg1027, | |
"402116": all154, | |
"402117": msg1718, | |
"402118": msg37, | |
"402119": all400, | |
"402120": all279, | |
"402123": msg1165, | |
"402124": msg827, | |
"402125": msg1570, | |
"402126": all171, | |
"402127": all24, | |
"402130": msg444, | |
"403101": msg1634, | |
"403102": msg1418, | |
"403103": msg691, | |
"403104": msg550, | |
"403106": msg1614, | |
"403107": msg414, | |
"403108": msg1191, | |
"403109": msg1058, | |
"403110": msg1386, | |
"403500": msg842, | |
"403501": msg472, | |
"403502": msg911, | |
"403503": msg1128, | |
"403504": msg169, | |
"403505": msg912, | |
"403506": msg1226, | |
"404101": msg1035, | |
"404102": msg258, | |
"405001": all385, | |
"405002": msg54, | |
"405003": msg1373, | |
"405101": all220, | |
"405102": all29, | |
"405103": msg517, | |
"405104": msg1268, | |
"405105": all272, | |
"406001": msg342, | |
"406002": msg1299, | |
"407001": msg1130, | |
"407002": select259, | |
"408001": msg820, | |
"408002": all22, | |
"409001": msg978, | |
"409002": msg755, | |
"409003": all361, | |
"409004": msg1711, | |
"409005": msg197, | |
"409006": msg1105, | |
"409007": msg1369, | |
"409008": msg33, | |
"409009": msg979, | |
"409010": msg734, | |
"409011": msg1533, | |
"409012": msg302, | |
"409013": msg1724, | |
"409023": all315, | |
"410001": select240, | |
"411001": all259, | |
"411002": all178, | |
"411003": all298, | |
"411004": all363, | |
"411005": all109, | |
"412001": msg498, | |
"413001": msg594, | |
"413002": msg1567, | |
"413003": all133, | |
"414001": msg1093, | |
"414002": msg630, | |
"415001": msg1389, | |
"415002": msg1038, | |
"415003": msg332, | |
"415004": select403, | |
"415005": msg579, | |
"415006": msg303, | |
"415007": msg1675, | |
"415008": select153, | |
"415009": msg1039, | |
"415010": msg261, | |
"415011": msg364, | |
"415012": msg1094, | |
"415013": msg1513, | |
"415014": msg1514, | |
"416001": msg667, | |
"418001": select99, | |
"419001": msg262, | |
"419002": msg801, | |
"419003": msg1040, | |
"420002": select123, | |
"420003": msg1465, | |
"420004": msg471, | |
"420005": msg1364, | |
"421001": msg249, | |
"421004": msg1597, | |
"421005": all172, | |
"421006": msg236, | |
"429002": msg1167, | |
"434002": msg328, | |
"434004": msg559, | |
"444005": msg1704, | |
"444100": msg889, | |
"444101": msg1340, | |
"444102": msg817, | |
"444104": msg1347, | |
"444106": msg1088, | |
"444108": select304, | |
"444109": msg1339, | |
"450001": msg84, | |
"500001": msg731, | |
"500002": msg1515, | |
"500003": msg501, | |
"500004": msg1108, | |
"501101": select397, | |
"502101": all353, | |
"502102": all73, | |
"502103": all106, | |
"502111": all177, | |
"502112": all163, | |
"503001": msg78, | |
"504001": select402, | |
"504002": select147, | |
"505001": msg1159, | |
"505002": msg263, | |
"505003": msg1028, | |
"505004": msg814, | |
"505005": msg943, | |
"505006": msg435, | |
"505007": msg1218, | |
"505011": all283, | |
"505013": all340, | |
"505014": msg1625, | |
"505015": all11, | |
"506001": msg1550, | |
"507001": msg721, | |
"507002": msg56, | |
"507003": all156, | |
"508001": all198, | |
"602101": all74, | |
"602102": msg1174, | |
"602103": msg1095, | |
"602104": msg1415, | |
"602201": select298, | |
"602202": select26, | |
"602203": select314, | |
"602301": msg1131, | |
"602302": msg1699, | |
"602303": all281, | |
"602304": all7, | |
"603101": msg821, | |
"603102": msg924, | |
"603103": msg357, | |
"603104": all50, | |
"603105": all329, | |
"603106": all303, | |
"603107": all85, | |
"603108": all304, | |
"603109": all309, | |
"604101": msg42, | |
"604102": msg1598, | |
"604103": all181, | |
"604104": msg412, | |
"605001": msg1522, | |
"605002": msg551, | |
"605003": all282, | |
"605004": select59, | |
"605005": select302, | |
"606001": all306, | |
"606002": all376, | |
"606003": msg1416, | |
"606004": msg26, | |
"607001": msg1582, | |
"608001": select54, | |
"609001": msg592, | |
"609002": all161, | |
"610001": msg1332, | |
"610002": msg1358, | |
"610101": all28, | |
"611101": select148, | |
"611102": select96, | |
"611103": all313, | |
"611104": msg79, | |
"611301": msg1583, | |
"611302": msg1139, | |
"611303": msg113, | |
"611304": msg467, | |
"611305": msg420, | |
"611306": msg973, | |
"611307": msg1584, | |
"611308": msg1256, | |
"611309": msg1417, | |
"611310": msg1575, | |
"611311": msg534, | |
"611312": msg358, | |
"611313": msg974, | |
"611314": msg890, | |
"611315": msg271, | |
"611316": msg768, | |
"611317": msg1109, | |
"611318": msg40, | |
"611319": msg1004, | |
"611320": msg902, | |
"611321": msg1166, | |
"611322": msg903, | |
"611323": msg34, | |
"612001": msg676, | |
"612002": all382, | |
"612003": msg810, | |
"613001": msg1348, | |
"613002": msg1455, | |
"613003": msg1137, | |
"614001": msg365, | |
"614002": msg429, | |
"615001": msg756, | |
"615002": msg125, | |
"616001": select394, | |
"617001": msg28, | |
"617002": select373, | |
"617003": msg1640, | |
"617004": msg441, | |
"620001": select183, | |
"620002": select145, | |
"622001": all175, | |
"701001": msg1408, | |
"701002": msg928, | |
"702201": select16, | |
"702202": select340, | |
"702203": select380, | |
"702204": select90, | |
"702205": select299, | |
"702206": select209, | |
"702207": select261, | |
"702208": select268, | |
"702209": select313, | |
"702210": select232, | |
"702211": select116, | |
"702212": select336, | |
"702301": msg1410, | |
"702302": msg1390, | |
"702303": msg593, | |
"702307": all411, | |
"703001": msg1063, | |
"703002": msg535, | |
"709001": msg1419, | |
"709002": msg97, | |
"709003": msg423, | |
"709004": msg552, | |
"709005": msg272, | |
"709006": msg27, | |
"709007": msg1033, | |
"709008": msg1293, | |
"710001": msg227, | |
"710002": all409, | |
"710003": msg572, | |
"710004": msg1537, | |
"710005": msg1571, | |
"710006": msg430, | |
"710007": msg1066, | |
"711001": msg468, | |
"711002": msg918, | |
"711004": all218, | |
"713014": msg1539, | |
"713016": msg955, | |
"713020": msg713, | |
"713024": all90, | |
"713025": select204, | |
"713034": select324, | |
"713035": select124, | |
"713041": select81, | |
"713042": msg159, | |
"713048": all380, | |
"713049": all352, | |
"713050": all224, | |
"713052": all267, | |
"713060": all193, | |
"713061": msg562, | |
"713066": select8, | |
"713068": all33, | |
"713072": all388, | |
"713073": msg344, | |
"713074": msg1278, | |
"713075": select249, | |
"713076": all384, | |
"713092": msg1444, | |
"713105": msg1162, | |
"713107": msg904, | |
"713117": all166, | |
"713119": msg114, | |
"713120": all419, | |
"713121": msg1264, | |
"713122": msg1069, | |
"713123": select76, | |
"713124": msg1163, | |
"713127": msg1445, | |
"713128": select374, | |
"713129": msg424, | |
"713130": all302, | |
"713131": select241, | |
"713132": all141, | |
"713133": all157, | |
"713134": msg250, | |
"713136": all48, | |
"713137": select379, | |
"713141": msg442, | |
"713143": msg956, | |
"713145": msg416, | |
"713147": msg1636, | |
"713149": msg802, | |
"713167": select17, | |
"713169": msg1064, | |
"713170": msg1172, | |
"713171": all397, | |
"713172": all199, | |
"713177": msg215, | |
"713184": select50, | |
"713187": msg1197, | |
"713193": msg1173, | |
"713194": all8, | |
"713199": all389, | |
"713201": select399, | |
"713202": msg1161, | |
"713203": msg682, | |
"713204": all284, | |
"713206": msg1294, | |
"713211": msg1451, | |
"713213": all242, | |
"713214": msg1456, | |
"713216": select287, | |
"713218": all180, | |
"713219": all143, | |
"713220": msg1106, | |
"713221": msg1065, | |
"713222": msg5, | |
"713223": msg1660, | |
"713224": msg1523, | |
"713225": msg815, | |
"713227": msg637, | |
"713228": all300, | |
"713229": msg1637, | |
"713231": msg1673, | |
"713232": all276, | |
"713235": select106, | |
"713236": all348, | |
"713240": msg651, | |
"713251": all336, | |
"713255": msg226, | |
"713257": msg846, | |
"713259": select401, | |
"713273": select301, | |
"713900": select339, | |
"713902": select258, | |
"713903": select32, | |
"713904": select278, | |
"713905": select52, | |
"713906": select178, | |
"714001": msg1470, | |
"714002": select210, | |
"714003": msg1661, | |
"714004": select214, | |
"714005": all280, | |
"714006": select331, | |
"714007": msg925, | |
"714011": select108, | |
"715001": all403, | |
"715006": select15, | |
"715007": select138, | |
"715009": select325, | |
"715019": select167, | |
"715020": all250, | |
"715021": all114, | |
"715022": all401, | |
"715027": all227, | |
"715028": all243, | |
"715033": msg1624, | |
"715034": msg401, | |
"715035": msg1376, | |
"715036": select256, | |
"715038": all405, | |
"715039": select43, | |
"715040": msg522, | |
"715041": msg165, | |
"715042": all327, | |
"715046": select135, | |
"715047": select231, | |
"715048": all9, | |
"715049": select137, | |
"715050": msg722, | |
"715052": all51, | |
"715053": select130, | |
"715055": all334, | |
"715056": all414, | |
"715057": all296, | |
"715058": msg1257, | |
"715059": select85, | |
"715060": msg1077, | |
"715061": msg518, | |
"715063": all158, | |
"715064": all226, | |
"715065": all67, | |
"715066": msg1413, | |
"715068": msg431, | |
"715071": msg98, | |
"715075": msg1067, | |
"715076": all421, | |
"715077": select5, | |
"715080": msg179, | |
"716001": all196, | |
"716002": all16, | |
"716003": all355, | |
"716004": all150, | |
"716007": all217, | |
"716009": msg209, | |
"716023": all364, | |
"716038": all379, | |
"716039": select89, | |
"716041": msg1602, | |
"716043": all183, | |
"716047": all314, | |
"716051": msg543, | |
"716052": msg1349, | |
"716058": msg1743, | |
"716059": msg1471, | |
"716601": msg1295, | |
"717001": msg690, | |
"717002": msg1068, | |
"717003": msg58, | |
"717004": msg1484, | |
"717005": msg541, | |
"717006": msg914, | |
"717007": msg310, | |
"717008": msg166, | |
"717009": all383, | |
"717010": msg1249, | |
"717016": msg1107, | |
"717022": msg1568, | |
"717024": msg544, | |
"717025": msg1279, | |
"717026": msg1118, | |
"717027": msg944, | |
"717028": msg483, | |
"717029": msg1198, | |
"717030": msg1380, | |
"717033": msg1478, | |
"717036": msg449, | |
"717037": msg160, | |
"717039": msg193, | |
"717041": msg167, | |
"717043": msg1448, | |
"717045": msg638, | |
"717046": msg1181, | |
"717047": msg1710, | |
"717055": msg59, | |
"718005": msg1314, | |
"718010": msg1656, | |
"718015": msg1507, | |
"718016": msg1070, | |
"718021": msg1534, | |
"718022": msg1420, | |
"718023": msg1446, | |
"718028": msg881, | |
"718033": msg473, | |
"718034": msg1182, | |
"718039": msg1228, | |
"718044": msg1409, | |
"718045": msg1002, | |
"718046": msg536, | |
"718049": msg677, | |
"718051": msg1361, | |
"718056": msg957, | |
"718058": msg1662, | |
"718059": msg1155, | |
"718062": msg1683, | |
"718068": msg327, | |
"718069": msg194, | |
"718072": msg1321, | |
"718073": msg1676, | |
"720002": msg1577, | |
"720003": msg311, | |
"720004": msg587, | |
"720005": msg264, | |
"720006": msg495, | |
"720010": msg583, | |
"720012": msg1138, | |
"720020": msg1530, | |
"720021": msg64, | |
"720024": msg1458, | |
"720025": msg740, | |
"720026": msg939, | |
"720027": msg190, | |
"720028": msg1734, | |
"720029": msg735, | |
"720032": msg633, | |
"720035": msg1705, | |
"720036": msg1596, | |
"720037": msg1508, | |
"720038": msg1627, | |
"720039": msg210, | |
"720040": msg1089, | |
"720041": msg1714, | |
"720042": all398, | |
"720044": msg545, | |
"720045": msg741, | |
"720046": msg1196, | |
"720048": msg1585, | |
"720049": msg1657, | |
"720055": msg447, | |
"720062": msg1739, | |
"720063": msg573, | |
"720068": msg1056, | |
"721001": msg1090, | |
"721002": msg123, | |
"721003": msg1404, | |
"721004": msg1359, | |
"721010": msg1315, | |
"721012": msg172, | |
"721016": all63, | |
"721018": all278, | |
"722001": all206, | |
"722003": all305, | |
"722005": msg1360, | |
"722006": msg803, | |
"722010": all235, | |
"722012": all86, | |
"722020": all381, | |
"722022": all399, | |
"722023": all111, | |
"722025": msg206, | |
"722027": all110, | |
"722028": all318, | |
"722029": all44, | |
"722030": all221, | |
"722031": all273, | |
"722032": all60, | |
"722033": all349, | |
"722034": msg1479, | |
"722035": all266, | |
"722036": all184, | |
"722037": all57, | |
"722041": all342, | |
"722043": all359, | |
"722047": msg1538, | |
"722049": all325, | |
"722050": msg958, | |
"722051": select311, | |
"722053": all402, | |
"722055": all58, | |
"724002": msg362, | |
"724003": all191, | |
"724004": all47, | |
"725001": select393, | |
"725002": all95, | |
"725003": all64, | |
"725005": select150, | |
"725006": select363, | |
"725007": all310, | |
"725008": select205, | |
"725009": select18, | |
"725010": all102, | |
"725011": msg1468, | |
"725012": select163, | |
"725013": msg546, | |
"725014": msg856, | |
"725016": all326, | |
"726001": msg1576, | |
"730001": msg558, | |
"730002": msg1119, | |
"730010": msg519, | |
"731001": msg634, | |
"733100": msg1091, | |
"733101": all26, | |
"733102": msg870, | |
"733103": msg804, | |
"734001": all112, | |
"734002": all420, | |
"734003": select67, | |
"734004": msg818, | |
"735003": msg1008, | |
"735004": msg1485, | |
"735005": msg1396, | |
"735006": msg1311, | |
"735011": msg421, | |
"735012": msg744, | |
"737001": all12, | |
"737003": select262, | |
"737005": msg1229, | |
"737006": select82, | |
"737007": all301, | |
"737010": select318, | |
"737012": select386, | |
"737013": msg975, | |
"737014": msg234, | |
"737015": all287, | |
"737016": select65, | |
"737017": all108, | |
"737019": select295, | |
"737026": select122, | |
"737029": all324, | |
"737030": msg1747, | |
"737031": all10, | |
"737032": all214, | |
"737033": msg1277, | |
"742004": msg1635, | |
"746001": msg281, | |
"746002": msg1586, | |
"746006": msg608, | |
"746012": select351, | |
"746013": select33, | |
"746014": msg422, | |
"746015": msg1372, | |
"746016": msg1688, | |
"746018": msg805, | |
"747016": msg380, | |
"750001": select279, | |
"750002": msg959, | |
"750003": msg652, | |
"750006": msg1447, | |
"750007": msg1009, | |
"751007": msg553, | |
"751014": msg417, | |
"751025": msg1691, | |
"752002": msg1540, | |
"752003": msg751, | |
"752004": msg21, | |
"752006": msg248, | |
"752008": msg811, | |
"752010": msg379, | |
"752011": msg1748, | |
"752012": select263, | |
"752015": msg1060, | |
"752016": all394, | |
"769001": msg670, | |
"769004": msg24, | |
"771002": msg1333, | |
"776251": msg1317, | |
"776252": msg525, | |
"CISCOASA_GENERIC": select164, | |
}), | |
set_field({ | |
dest: "@timestamp", | |
value: field("event_time"), | |
}), | |
]); |