// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.
// Modules provided by the host runtime this script is embedded in (presumably
// the log shipper's JS engine rather than Node, so `require` resolves host
// names). `processor` supplies the Chain builder used in DeviceProcessor;
// `console` is imported but not referenced anywhere in this excerpt.
var processor = require("processor");
var console = require("console");
// Built once in register(); process() delegates every event to it.
var device;
// Register params from configuration.
// Host entry point called once at load time. It builds the device processor;
// `params` is accepted for interface compatibility but not read here.
function register(params) {
device = new DeviceProcessor();
}
// Per-event entry point called by the host for each log line. Delegates to
// the chain built in register(); behaviour before register() has run is
// undefined (`device` would still be unset).
function process(evt) {
return device.process(evt);
}
/**
 * Assemble the processing chain for this device.
 *
 * The chain runs save_flags, then chain1 (the per-message dispatch, defined
 * elsewhere in this file), then restore_flags, and its Run method is exposed
 * as `process`.
 *
 * @returns {{process: function}} object whose `process(evt)` runs the chain.
 */
function DeviceProcessor() {
var stages = [save_flags, chain1, restore_flags];
var builder = new processor.Chain();
for (var i = 0; i < stages.length; i++) {
builder.Add(stages[i]);
}
var chain = builder.Build();
// NOTE(review): Run is handed out unbound; this relies on the host's Chain
// object not depending on `this` when Run is invoked -- confirm with the host.
return {
process: chain.Run,
};
}
// Lookup tables consumed by lookup({map: ..., key: ...}) (see dup28/dup29
// below, keyed on the "inout" field). `keyvaluepairs` maps a key to the step
// that produces the value; `default`, where present, is presumably used when
// the key is absent -- confirm with the lookup helper.
// NOTE(review): dup476/dup477 are not defined in this excerpt. If they are
// declared with `var` later in the file, these two literals capture
// `undefined` at load time; confirm their definition precedes this point.
var map_srcDirName = {
keyvaluepairs: {
"0": dup477,
"1": dup476,
},
};
var map_dstDirName = {
keyvaluepairs: {
"0": dup476,
"1": dup477,
},
};
// Direction key -> constant; unknown keys fall back to "0".
var map_dir2SumType = {
keyvaluepairs: {
"0": constant("2"),
"1": constant("3"),
},
"default": constant("0"),
};
// Direction key -> which address/port field to read; both default to the
// source side.
var map_dir2Address = {
keyvaluepairs: {
"0": field("saddr"),
"1": field("daddr"),
},
"default": field("saddr"),
};
var map_dir2Port = {
keyvaluepairs: {
"0": field("sport"),
"1": field("dport"),
},
"default": field("sport"),
};
// Shared parser fragments (dupN). Each is a pre-built step -- a field
// assignment (set_field), a dissect pattern (match), an ordered list of
// alternative patterns (linear_select), a helper call (call), a table lookup
// (lookup) or a timestamp parser (date_time/date_times) -- that the
// per-message chains later in the file reference by name. The helper
// functions themselves are supplied by the runtime, not defined here.
// The dissect tokenizers run against untrusted device log text. Where a
// captured value such as a username can appear quoted or bare, the
// linear_select lists the quoted form first, presumably so that alternatives
// are tried in order and the quotes are stripped rather than captured.
// Fallback message id, presumably applied when no specific pattern matches.
var dup0 = set_field({
dest: "nwparser.messageid",
value: constant("CISCOASA_GENERIC"),
});
var dup1 = set_field({
dest: "nwparser.eventcategory",
value: constant("1601000000"),
});
var dup2 = call({
dest: "nwparser.level",
fn: HDR,
args: [
field("level"),
],
});
// Timestamp assembled from six captured fields. The time-of-day tokens
// (dN,dU,dO) differ from dup25's (dH,dT,dS); both token sets are defined
// outside this excerpt.
var dup3 = date_time({
dest: "event_time",
args: ["month","day","year","hhour","hmin","hsec"],
fmt: [dB,dF,dW,dN,dU,dO],
});
var dup4 = set_field({
dest: "nwparser.msg",
value: field("$MSG"),
});
var dup5 = call({
dest: "nwparser.id",
fn: HDR,
args: [
field("messageid"),
],
});
var dup6 = set_field({
dest: "nwparser.eventcategory",
value: constant("1501050100"),
});
var dup7 = set_field({
dest: "nwparser.event_type",
value: constant("VPN"),
});
var dup8 = set_field({
dest: "nwparser.event_description",
value: constant("Static Crypto Map check"),
});
var dup9 = match({
id: "MESSAGE#1042:715077/0",
dissect: {
tokenizer: "%{->}Group = %{p0->}",
field: "nwparser.payload",
},
});
var dup10 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603000000"),
});
var dup11 = set_field({
dest: "nwparser.ec_theme",
value: constant("Encryption"),
});
var dup12 = set_field({
dest: "nwparser.ec_subject",
value: constant("CryptoKey"),
});
var dup13 = set_field({
dest: "nwparser.ec_activity",
value: constant("Modify"),
});
// NOTE(review): dest is the bare prefix "nwparser." with no field name; this
// looks like a conversion artifact. Confirm what SYSVAL writes here.
var dup14 = call({
dest: "nwparser.",
fn: SYSVAL,
args: [
field("$MSGID"),
field("$ID1"),
],
});
var dup15 = match({
id: "MESSAGE#192:113015/1",
dissect: {
tokenizer: "%{username->} ",
field: "nwparser.p0",
},
});
var dup16 = set_field({
dest: "nwparser.eventcategory",
value: constant("1301000000"),
});
var dup17 = set_field({
dest: "nwparser.ec_subject",
value: constant("User"),
});
var dup18 = set_field({
dest: "nwparser.ec_theme",
value: constant("Authentication"),
});
var dup19 = set_field({
dest: "nwparser.ec_outcome",
value: constant("Failure"),
});
var dup20 = set_field({
dest: "nwparser.eventcategory",
value: constant("1605000000"),
});
var dup21 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801000000"),
});
var dup22 = match({
id: "MESSAGE#872:713066/0",
dissect: {
tokenizer: "Group = %{group->}, Username = %{p0->}",
field: "nwparser.payload",
},
});
var dup23 = linear_select([
match({
id: "MESSAGE#872:713066/2",
dissect: {
tokenizer: "'%{username->}' , IP = %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#872:713066/2",
dissect: {
tokenizer: "%{username->} , IP = %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup24 = set_field({
dest: "nwparser.eventcategory",
value: constant("1204020000"),
});
var dup25 = date_time({
dest: "event_time",
args: ["month","day","year","hhour","hmin","hsec"],
fmt: [dB,dF,dW,dH,dT,dS],
});
var dup26 = set_field({
dest: "nwparser.eventcategory",
value: constant("1001020100"),
});
// Direction ("inout") derived from the source address; dup28/dup29 then
// translate it into zone names via the map_* tables above.
var dup27 = call({
dest: "nwparser.inout",
fn: DIRCHK,
args: [
field("saddr"),
],
});
var dup28 = lookup({
dest: "nwparser.src_zone",
map: map_srcDirName,
key: field("inout"),
});
var dup29 = lookup({
dest: "nwparser.dst_zone",
map: map_dstDirName,
key: field("inout"),
});
var dup30 = call({
dest: "nwparser.sigcat",
fn: SYSVAL,
args: [
field("$CATEGORY"),
],
});
var dup31 = match({
id: "MESSAGE#719:602304/0",
dissect: {
tokenizer: "%{service->}: An %{direction->} SA (SPI= %{fld1->}) between %{saddr->} and %{daddr->} %{p0->}",
field: "nwparser.payload",
},
});
var dup32 = linear_select([
match({
id: "MESSAGE#719:602304/2",
dissect: {
tokenizer: "(user=%{username->}) %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#719:602304/2",
dissect: {
tokenizer: "(%{username->}) %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#719:602304/2",
dissect: {
tokenizer: "'%{username->}' %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#719:602304/2",
dissect: {
tokenizer: "%{username->} %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup33 = match({
id: "MESSAGE#719:602304/2",
dissect: {
tokenizer: "%{action->}",
field: "nwparser.p1",
},
});
var dup34 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801030100"),
});
// Two accepted timestamp layouts; the second drops the third token (dW,
// presumably the year, judging by the args order).
var dup35 = date_times({
dest: "event_time",
args: ["month","day","year","hhour","hmin","hsec"],
fmts: [
[dB,dF,dW,dN,dU,dO],
[dB,dF,dN,dU,dO],
],
});
var dup36 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801030000"),
});
var dup37 = set_field({
dest: "nwparser.eventcategory",
value: constant("1604000000"),
});
var dup38 = set_field({
dest: "nwparser.ec_theme",
value: constant("Configuration"),
});
var dup39 = set_field({
dest: "nwparser.ec_subject",
value: constant("Configuration"),
});
var dup40 = set_field({
dest: "nwparser.ec_outcome",
value: constant("Success"),
});
var dup41 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801010000"),
});
var dup42 = set_field({
dest: "nwparser.ec_theme",
value: constant("ALM"),
});
var dup43 = set_field({
dest: "nwparser.ec_subject",
value: constant("NetworkComm"),
});
var dup44 = match({
id: "MESSAGE#921:713194/0",
dissect: {
tokenizer: "%{->} %{p0->}",
field: "nwparser.payload",
},
});
var dup45 = match({
id: "MESSAGE#921:713194/2",
dissect: {
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
});
var dup46 = match({
id: "MESSAGE#921:713194/2",
dissect: {
tokenizer: "IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
});
var dup47 = linear_select([
match({
id: "MESSAGE#1020:715048/2",
dissect: {
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1020:715048/2",
dissect: {
tokenizer: "IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup48 = match({
id: "MESSAGE#1020:715048/2",
dissect: {
tokenizer: "%{event_description->}",
field: "nwparser.p1",
},
});
var dup49 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603010000"),
});
var dup50 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603040000"),
});
var dup51 = set_field({
dest: "nwparser.eventcategory",
value: constant("1703000000"),
});
var dup52 = set_field({
dest: "nwparser.eventcategory",
value: constant("1001020200"),
});
var dup53 = match({
id: "MESSAGE#1250:737031/0",
dissect: {
tokenizer: "%{process->}: %{p0->}",
field: "nwparser.payload",
},
});
var dup54 = linear_select([
match({
id: "MESSAGE#1250:737031/2",
dissect: {
tokenizer: "Session=%{sessionid->}, %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup55 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801010100"),
});
var dup56 = set_field({
dest: "nwparser.service",
value: constant("IPSEC"),
});
var dup57 = match({
id: "MESSAGE#700:505015/1",
dissect: {
tokenizer: "%{application->}\", %{info->}",
field: "nwparser.p0",
},
});
var dup58 = set_field({
dest: "nwparser.eventcategory",
value: constant("1605020000"),
});
var dup59 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701060000"),
});
var dup60 = set_field({
dest: "nwparser.ec_activity",
value: constant("Enable"),
});
var dup61 = linear_select([
match({
id: "MESSAGE#128:109007/2",
dissect: {
tokenizer: "'%{username->}' from %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#128:109007/2",
dissect: {
tokenizer: "%{username->} from %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup62 = match({
id: "MESSAGE#128:109007/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to %{daddr->}/%{dport->} on interface %{interface->}",
field: "nwparser.p1",
},
});
var dup63 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401060000"),
});
var dup64 = set_field({
dest: "nwparser.ec_activity",
value: constant("Permit"),
});
var dup65 = set_field({
dest: "nwparser.ec_theme",
value: constant("AccessControl"),
});
var dup66 = linear_select([
match({
id: "MESSAGE#351:304001/2",
dissect: {
tokenizer: "'%{username->}' @%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#351:304001/2",
dissect: {
tokenizer: "%{username->} @%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup67 = set_field({
dest: "nwparser.eventcategory",
value: constant("1204010000"),
});
var dup68 = set_field({
dest: "nwparser.event_description",
value: constant("Accessed"),
});
var dup69 = set_field({
dest: "nwparser.protocol",
value: constant("HTTP"),
});
// URL decomposition: one call per component, all reading the same "url" field.
var dup70 = call({
dest: "nwparser.urldomain",
fn: URL,
args: [
field("$DOMAIN"),
field("url"),
],
});
var dup71 = call({
dest: "nwparser.urlroot",
fn: URL,
args: [
field("$ROOT"),
field("url"),
],
});
var dup72 = call({
dest: "nwparser.urlpage",
fn: URL,
args: [
field("$PAGE"),
field("url"),
],
});
var dup73 = call({
dest: "nwparser.urlquery",
fn: URL,
args: [
field("$QUERY"),
field("url"),
],
});
var dup74 = set_field({
dest: "nwparser.eventcategory",
value: constant("1001020300"),
});
var dup75 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603110000"),
});
var dup76 = set_field({
dest: "nwparser.eventcategory",
value: constant("1001030300"),
});
var dup77 = match({
id: "MESSAGE#1046:716002/0",
dissect: {
tokenizer: "Group \u003c\u003c%{group->}> User %{p0->}",
field: "nwparser.payload",
},
});
var dup78 = linear_select([
match({
id: "MESSAGE#1046:716002/2",
dissect: {
tokenizer: "\u003c\u003c%{username->}> IP \u003c\u003c%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1046:716002/2",
dissect: {
tokenizer: "'%{username->}' IP \u003c\u003c%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1046:716002/2",
dissect: {
tokenizer: "%{username->} IP \u003c\u003c%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup79 = match({
id: "MESSAGE#992:715006/0",
dissect: {
tokenizer: "Group = %{group->}, %{p0->}",
field: "nwparser.payload",
},
});
var dup80 = linear_select([
match({
id: "MESSAGE#992:715006/2",
dissect: {
tokenizer: "Username = '%{username->}', IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#992:715006/2",
dissect: {
tokenizer: "Username = %{username->}, IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#992:715006/2",
dissect: {
tokenizer: "IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup81 = match({
id: "MESSAGE#992:715006/2",
dissect: {
tokenizer: "%{action->}: SPI = %{dst_spi->}",
field: "nwparser.p1",
},
});
var dup82 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801020100"),
});
var dup83 = set_field({
dest: "nwparser.eventcategory",
value: constant("1304000000"),
});
var dup84 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401050200"),
});
var dup85 = set_field({
dest: "nwparser.eventcategory",
value: constant("1002000000"),
});
var dup86 = set_field({
dest: "nwparser.eventcategory",
value: constant("1303000000"),
});
var dup87 = set_field({
dest: "nwparser.ec_outcome",
value: constant("Error"),
});
var dup88 = match({
id: "MESSAGE#804:702201:01/0",
dissect: {
tokenizer: "ISAKMP Phase 1 delete%{p0->}",
field: "nwparser.payload",
},
});
var dup89 = linear_select([
match({
id: "MESSAGE#804:702201:01/2",
dissect: {
tokenizer: "d%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup90 = set_field({
dest: "nwparser.event_description",
value: constant("Phase 1 delete received"),
});
var dup91 = set_field({
dest: "nwparser.event_description",
value: constant("Remote peer has failed user authentication"),
});
var dup92 = linear_select([
match({
id: "MESSAGE#1196:725009:01/2",
dissect: {
tokenizer: "server%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1196:725009:01/2",
dissect: {
tokenizer: "client%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup93 = set_field({
dest: "nwparser.event_description",
value: constant("Device proposes cipher(s)"),
});
var dup94 = set_field({
dest: "nwparser.eventcategory",
value: constant("1805020000"),
});
var dup95 = set_field({
dest: "nwparser.eventcategory",
value: constant("1805000000"),
});
var dup96 = match({
id: "MESSAGE#143:109019/0",
dissect: {
tokenizer: "Downloaded ACL %{p0->}",
field: "nwparser.payload",
},
});
var dup97 = match({
id: "MESSAGE#143:109019/2",
dissect: {
tokenizer: "%{info->}",
field: "nwparser.p1",
},
});
var dup98 = set_field({
dest: "nwparser.eventcategory",
value: constant("1501040000"),
});
var dup99 = set_field({
dest: "nwparser.ec_activity",
value: constant("Deny"),
});
var dup100 = set_field({
dest: "nwparser.event_description",
value: constant("Authorization denied"),
});
var dup101 = set_field({
dest: "nwparser.eventcategory",
value: constant("1803010000"),
});
var dup102 = set_field({
dest: "nwparser.ec_theme",
value: constant("Communication"),
});
var dup103 = set_field({
dest: "nwparser.event_description",
value: constant("session limit exceeded"),
});
var dup104 = linear_select([
match({
id: "MESSAGE#170:111006/2",
dissect: {
tokenizer: "'%{username->}' at %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#170:111006/2",
dissect: {
tokenizer: "%{username->} at %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup105 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401050100"),
});
var dup106 = set_field({
dest: "nwparser.ec_activity",
value: constant("Logon"),
});
var dup107 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701030000"),
});
var dup108 = set_field({
dest: "nwparser.ec_activity",
value: constant("Delete"),
});
var dup109 = set_field({
dest: "nwparser.eventcategory",
value: constant("1103000000"),
});
var dup110 = set_field({
dest: "nwparser.event_description",
value: constant("No translation group found"),
});
var dup111 = set_field({
dest: "nwparser.protocol",
value: constant("icmp"),
});
var dup112 = set_field({
dest: "nwparser.event_description",
value: constant("Web Cache acquired"),
});
var dup113 = set_field({
dest: "nwparser.eventcategory",
value: constant("1002020000"),
});
var dup114 = match({
id: "MESSAGE#291:302012/0",
dissect: {
tokenizer: "%{->}Pre%{p0->}",
field: "nwparser.payload",
},
});
var dup115 = linear_select([
match({
id: "MESSAGE#291:302012/2",
dissect: {
tokenizer: "-%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup116 = set_field({
dest: "nwparser.event_description",
value: constant("Connection pre-allocated"),
});
var dup117 = linear_select([
match({
id: "MESSAGE#751:610101/2",
dissect: {
tokenizer: "ed%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#751:610101/2",
dissect: {
tokenizer: "ure%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup118 = match({
id: "MESSAGE#591:405102/0",
dissect: {
tokenizer: "Unable to Pre%{p0->}",
field: "nwparser.payload",
},
});
var dup119 = linear_select([
match({
id: "MESSAGE#591:405102/4",
dissect: {
tokenizer: "oreign_address%{p3->}",
field: "nwparser.p2",
},
}),
match({
id: "MESSAGE#591:405102/4",
dissect: {
tokenizer: "addr%{p3->}",
field: "nwparser.p2",
},
}),
]);
var dup120 = match({
id: "MESSAGE#591:405102/4",
dissect: {
tokenizer: "%{->} %{p4->}",
field: "nwparser.p3",
},
});
var dup121 = linear_select([
match({
id: "MESSAGE#591:405102/6",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to l%{p5->}",
field: "nwparser.p4",
},
}),
match({
id: "MESSAGE#591:405102/6",
dissect: {
tokenizer: "%{saddr->} to l%{p5->}",
field: "nwparser.p4",
},
}),
]);
var dup122 = linear_select([
match({
id: "MESSAGE#591:405102/7",
dissect: {
tokenizer: "ocal_address%{p6->}",
field: "nwparser.p5",
},
}),
match({
id: "MESSAGE#591:405102/7",
dissect: {
tokenizer: "addr%{p6->}",
field: "nwparser.p5",
},
}),
]);
var dup123 = match({
id: "MESSAGE#591:405102/7",
dissect: {
tokenizer: "%{->} %{p7->}",
field: "nwparser.p6",
},
});
var dup124 = linear_select([
match({
id: "MESSAGE#591:405102/8",
dissect: {
tokenizer: "%{daddr->}/%{dport->} ",
field: "nwparser.p7",
},
}),
match({
id: "MESSAGE#591:405102/8",
dissect: {
tokenizer: "%{daddr->} ",
field: "nwparser.p7",
},
}),
]);
var dup125 = set_field({
dest: "nwparser.event_description",
value: constant("Unable to create new connection"),
});
var dup126 = set_field({
dest: "nwparser.eventcategory",
value: constant("1501000000"),
});
var dup127 = set_field({
dest: "nwparser.event_description",
value: constant("NAT configured"),
});
var dup128 = match({
id: "MESSAGE#712:602202:01/0",
dissect: {
tokenizer: "ISAKMP session connect%{p0->}",
field: "nwparser.payload",
},
});
var dup129 = linear_select([
match({
id: "MESSAGE#712:602202:01/2",
dissect: {
tokenizer: "ed%{p1->}",
field: "nwparser.p0",
},
}),
]);
// Responder side: the local address is the destination; dup132 is the
// initiator-side mirror with the roles swapped.
var dup130 = match({
id: "MESSAGE#712:602202:01/2",
dissect: {
tokenizer: "%{->}(local %{daddr->} (responder), remote %{saddr->})",
field: "nwparser.p1",
},
});
var dup131 = set_field({
dest: "nwparser.event_description",
value: constant("ISAKMP session connected"),
});
var dup132 = match({
id: "MESSAGE#713:602202/2",
dissect: {
tokenizer: "%{->}(local %{saddr->} (initiator), remote %{daddr->})",
field: "nwparser.p1",
},
});
var dup133 = set_field({
dest: "nwparser.ec_subject",
value: constant("Message"),
});
var dup134 = set_field({
dest: "nwparser.ec_activity",
value: constant("Receive"),
});
var dup135 = linear_select([
match({
id: "MESSAGE#168:111004/2",
dissect: {
tokenizer: "Console end configuration: %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#168:111004/2",
dissect: {
tokenizer: "console end configuration: %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#168:111004/2",
dissect: {
tokenizer: "%{hostip->} end configuration: %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup136 = match({
id: "MESSAGE#168:111004/2",
dissect: {
tokenizer: "%{disposition->}",
field: "nwparser.p1",
},
});
var dup137 = set_field({
dest: "nwparser.ec_activity",
value: constant("Stop"),
});
var dup138 = match({
id: "MESSAGE#960:713903/2",
dissect: {
tokenizer: "%{saddr->} , %{action->}",
field: "nwparser.p1",
},
});
var dup139 = match({
id: "MESSAGE#961:713903:01/2",
dissect: {
tokenizer: "Username = '%{username->}' , IP = %{p1->}",
field: "nwparser.p0",
},
});
var dup140 = match({
id: "MESSAGE#961:713903:01/2",
dissect: {
tokenizer: "Username = %{username->} , IP = %{p1->}",
field: "nwparser.p0",
},
});
var dup141 = match({
id: "MESSAGE#963:713903:03/0",
dissect: {
tokenizer: "%{->} %{event_description->}",
field: "nwparser.payload",
},
});
var dup142 = set_field({
dest: "nwparser.eventcategory",
value: constant("1802000000"),
});
var dup143 = set_field({
dest: "nwparser.ec_activity",
value: constant("Logoff"),
});
var dup144 = set_field({
dest: "nwparser.result",
value: constant("Succeeded"),
});
// Bare constant (not a field assignment); presumably referenced as a value
// by chains outside this excerpt. Same for dup188 below.
var dup145 = constant("Failed");
var dup146 = match({
id: "MESSAGE#313:302016:05/0",
dissect: {
tokenizer: "Teardown %{protocol->} connection %{connectionid->} for %{sinterface->}:%{p0->}",
field: "nwparser.payload",
},
});
var dup147 = linear_select([
match({
id: "MESSAGE#313:302016:05/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->}(%{sdomain->}\\%{fld7->}) to %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#313:302016:05/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup148 = call({
dest: "nwparser.duration",
fn: DUR,
args: [
constant("%N:%U:%O"),
field("duration"),
],
});
var dup149 = set_field({
dest: "nwparser.event_description",
value: constant("teardown connection"),
});
var dup150 = linear_select([
match({
id: "MESSAGE#314:302016:07/1",
dissect: {
tokenizer: "%{bytes->} (%{username->})",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#314:302016:07/1",
dissect: {
tokenizer: "%{bytes->}",
field: "nwparser.p0",
},
}),
]);
var dup151 = linear_select([
match({
id: "MESSAGE#316:302016:06/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->}(%{sdomain->}\\%{fld5->}) to %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#316:302016:06/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup152 = match({
id: "MESSAGE#316:302016:06/2",
dissect: {
tokenizer: "%{dinterface->}:%{p2->}",
field: "nwparser.p1",
},
});
var dup153 = match({
id: "MESSAGE#316:302016:06/4",
dissect: {
tokenizer: "%{daddr->}/%{dport->}(%{ddomain->}\\%{c_username->}) duration %{p3->}",
field: "nwparser.p2",
},
});
var dup154 = match({
id: "MESSAGE#317:302016/4",
dissect: {
tokenizer: "%{daddr->}/%{dport->} duration %{p3->}",
field: "nwparser.p2",
},
});
var dup155 = match({
id: "MESSAGE#318:302016:01/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->}(%{sdomain->}\\%{fld5->}) to %{p1->}",
field: "nwparser.p0",
},
});
var dup156 = match({
id: "MESSAGE#318:302016:01/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to %{p1->}",
field: "nwparser.p0",
},
});
var dup157 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701000000"),
});
var dup158 = match({
id: "MESSAGE#1165:722029/2",
dissect: {
tokenizer: "%{saddr->}> SVC Session Termination:%{info->}",
field: "nwparser.p1",
},
});
var dup159 = set_field({
dest: "nwparser.event_description",
value: constant("SVC Session Termination"),
});
var dup160 = set_field({
dest: "nwparser.eventcategory",
value: constant("1613030100"),
});
var dup161 = set_field({
dest: "nwparser.eventcategory",
value: constant("1702030000"),
});
var dup162 = match({
id: "MESSAGE#550:401002/0",
dissect: {
tokenizer: "%{->}Shun%{p0->}",
field: "nwparser.payload",
},
});
var dup163 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701010000"),
});
var dup164 = set_field({
dest: "nwparser.ec_activity",
value: constant("Create"),
});
var dup165 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603020000"),
});
var dup166 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701020000"),
});
var dup167 = set_field({
dest: "nwparser.disposition",
value: constant("Failed"),
});
var dup168 = match({
id: "MESSAGE#1184:724004/2",
dissect: {
tokenizer: "%{hostip->}> Secure Desktop Results: %{info->}",
field: "nwparser.p1",
},
});
var dup169 = set_field({
dest: "nwparser.eventcategory",
value: constant("1704010000"),
});
var dup170 = set_field({
dest: "nwparser.protocol",
value: constant("UDP"),
});
var dup171 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401030000"),
});
var dup172 = set_field({
dest: "nwparser.event_description",
value: constant("login session failure"),
});
var dup173 = match({
id: "MESSAGE#1024:715052/2",
dissect: {
tokenizer: "%{result->}",
field: "nwparser.p1",
},
});
var dup174 = match({
id: "MESSAGE#971:713905/2",
dissect: {
tokenizer: "%{saddr->}, %{event_description->}",
field: "nwparser.p1",
},
});
var dup175 = linear_select([
match({
id: "MESSAGE#972:713905:01/2",
dissect: {
tokenizer: "Group = %{group->}, IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#972:713905:01/2",
dissect: {
tokenizer: "IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup176 = match({
id: "MESSAGE#974:713905:03/0",
dissect: {
tokenizer: "Username = %{p0->}",
field: "nwparser.payload",
},
});
// NOTE(review): "Embyonic" is a misspelling of "embryonic". Kept verbatim here
// because consumers may match this exact string; fix in the generator and
// its expected outputs together if it is changed.
var dup177 = set_field({
dest: "nwparser.event_description",
value: constant("Embyonic connection limit exceeded"),
});
var dup178 = set_field({
dest: "nwparser.ec_outcome",
value: constant("Unknown"),
});
var dup179 = match({
id: "MESSAGE#150:109025/0",
dissect: {
tokenizer: "Authorization denied (acl=%{listnum->}) for user %{p0->}",
field: "nwparser.payload",
},
});
var dup180 = set_field({
dest: "nwparser.eventcategory",
value: constant("1803000000"),
});
var dup181 = match({
id: "MESSAGE#1172:722037/0",
dissect: {
tokenizer: "Group \u003c\u003c %{group->} > User %{p0->}",
field: "nwparser.payload",
},
});
var dup182 = linear_select([
match({
id: "MESSAGE#1172:722037/2",
dissect: {
tokenizer: "\u003c\u003c%{username->}> IP \u003c\u003c %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1172:722037/2",
dissect: {
tokenizer: "'%{username->}' IP \u003c\u003c %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1172:722037/2",
dissect: {
tokenizer: "%{username->} IP \u003c\u003c %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup183 = match({
id: "MESSAGE#475:338005/0",
dissect: {
tokenizer: "Dynamic %{p0->}",
field: "nwparser.payload",
},
});
var dup184 = linear_select([
match({
id: "MESSAGE#475:338005/2",
dissect: {
tokenizer: "F%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#475:338005/2",
dissect: {
tokenizer: "f%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup185 = set_field({
dest: "nwparser.event_description",
value: constant("translation creation failed"),
});
var dup186 = set_field({
dest: "nwparser.eventcategory",
value: constant("1608000000"),
});
var dup187 = linear_select([
match({
id: "MESSAGE#736:605004/1",
dissect: {
tokenizer: "\"%{username->}\" ",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#736:605004/1",
dissect: {
tokenizer: "'%{username->}' ",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#736:605004/1",
dissect: {
tokenizer: "%{username->} ",
field: "nwparser.p0",
},
}),
]);
var dup188 = constant("Login denied");
var dup189 = match({
id: "MESSAGE#1151:721016/0",
dissect: {
tokenizer: "(WebVPN-%{context->}) %{event_description->} user %{p0->}",
field: "nwparser.payload",
},
});
var dup190 = linear_select([
match({
id: "MESSAGE#1151:721016/2",
dissect: {
tokenizer: "'%{username->}' , IP %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1151:721016/2",
dissect: {
tokenizer: "%{username->} , IP %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup191 = set_field({
dest: "nwparser.result",
value: constant("Authorization denied"),
});
var dup192 = set_field({
dest: "nwparser.direction",
value: constant("inbound"),
});
var dup193 = set_field({
dest: "nwparser.event_description",
value: constant("build connection"),
});
var dup194 = set_field({
dest: "nwparser.direction",
value: constant("outbound"),
});
var dup195 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603050000"),
});
var dup196 = set_field({
dest: "nwparser.event_description",
value: constant("connection denied"),
});
var dup197 = linear_select([
match({
id: "MESSAGE#104:106102:02/2",
dissect: {
tokenizer: "%{protocol->} for user '%{username->}' %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#104:106102:02/2",
dissect: {
tokenizer: "%{protocol->} %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup198 = match({
id: "MESSAGE#104:106102:02/2",
dissect: {
tokenizer: "%{sinterface->}/%{p2->}",
field: "nwparser.p1",
},
});
var dup199 = linear_select([
match({
id: "MESSAGE#104:106102:02/4",
dissect: {
tokenizer: "%{saddr->}(%{sport->}) -> %{p3->}",
field: "nwparser.p2",
},
}),
match({
id: "MESSAGE#104:106102:02/4",
dissect: {
tokenizer: "%{saddr->} %{sport->} %{p3->}",
field: "nwparser.p2",
},
}),
]);
var dup200 = match({
id: "MESSAGE#104:106102:02/4",
dissect: {
tokenizer: "%{dinterface->}/%{p4->}",
field: "nwparser.p3",
},
});
var dup201 = linear_select([
match({
id: "MESSAGE#104:106102:02/6",
dissect: {
tokenizer: "%{daddr->}(%{dport->}) hit-cnt %{p5->}",
field: "nwparser.p4",
},
}),
match({
id: "MESSAGE#104:106102:02/6",
dissect: {
tokenizer: "%{daddr->} %{dport->} hit-cnt %{p5->}",
field: "nwparser.p4",
},
}),
]);
var dup202 = match({ | |
id: "MESSAGE#104:106102:02/6", | |
dissect: { | |
tokenizer: "%{dclass_counter1->} %{info->}", | |
field: "nwparser.p5", | |
}, | |
}); | |
var dup203 = set_field({ | |
dest: "nwparser.dclass_counter1_string", | |
value: constant("HitCount"), | |
}); | |
var dup204 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1801020000"), | |
}); | |
var dup205 = set_field({ | |
dest: "nwparser.result", | |
value: constant("Freeing local pool address"), | |
}); | |
var dup206 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1001030305"), | |
}); | |
var dup207 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1606000000"), | |
}); | |
var dup208 = match({ | |
id: "MESSAGE#1037:715065/2", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup209 = match({ | |
id: "MESSAGE#1037:715065/2", | |
dissect: { | |
tokenizer: "Username = %{username->}, IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup210 = match({ | |
id: "MESSAGE#1037:715065/2", | |
dissect: { | |
tokenizer: "IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup211 = match({ | |
id: "MESSAGE#1216:734003:01/0", | |
dissect: { | |
tokenizer: "%{process->}: User %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup212 = linear_select([ | |
match({ | |
id: "MESSAGE#1216:734003:01/2", | |
dissect: { | |
tokenizer: "'%{username->}' , Addr %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#1216:734003:01/2", | |
dissect: { | |
tokenizer: "%{username->} , Addr %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup213 = match({ | |
id: "MESSAGE#474:338004/2", | |
dissect: { | |
tokenizer: "ilter %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup214 = linear_select([ | |
match({ | |
id: "MESSAGE#474:338004/4", | |
dissect: { | |
tokenizer: "permitt%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#474:338004/4", | |
dissect: { | |
tokenizer: "monitor%{p3->}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup215 = linear_select([ | |
match({ | |
id: "MESSAGE#681:502102/2", | |
dissect: { | |
tokenizer: "'%{username->}' Priv: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#681:502102/2", | |
dissect: { | |
tokenizer: "%{username->} Priv: %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup216 = match({ | |
id: "MESSAGE#681:502102/2", | |
dissect: { | |
tokenizer: "%{fld1->} Encpass: %{fld2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup217 = set_field({ | |
dest: "nwparser.ec_theme", | |
value: constant("UserGroup"), | |
}); | |
var dup218 = match({ | |
id: "MESSAGE#706:602101/2", | |
dissect: { | |
tokenizer: "s%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup219 = match({ | |
id: "MESSAGE#293:302013/0", | |
dissect: { | |
tokenizer: "Built inbound %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup220 = linear_select([ | |
match({ | |
id: "MESSAGE#293:302013/2", | |
dissect: { | |
tokenizer: "%{stransport->})(%{domain->}\\%{fld3->})%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#293:302013/2", | |
dissect: { | |
tokenizer: "%{stransport->}) %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup221 = match({ | |
id: "MESSAGE#294:302013:01/0", | |
dissect: { | |
tokenizer: "Built outbound %{protocol->} connection %{connectionid->} for %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}) to %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup222 = linear_select([ | |
match({ | |
id: "MESSAGE#294:302013:01/2", | |
dissect: { | |
tokenizer: "'%{username->}'%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#294:302013:01/2", | |
dissect: { | |
tokenizer: "(%{username->})%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup223 = match({ | |
id: "MESSAGE#294:302013:01/2", | |
dissect: { | |
tokenizer: "%{->} ", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup224 = match({ | |
id: "MESSAGE#295:302013:02/2", | |
dissect: { | |
tokenizer: "%{stransport->}) %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup225 = match({ | |
id: "MESSAGE#299:302013:06/2", | |
dissect: { | |
tokenizer: "%{dtransaddr->}/%{dtransport->})(%{domain->}\\%{username->}) to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup226 = match({ | |
id: "MESSAGE#299:302013:06/2", | |
dissect: { | |
tokenizer: "%{dtransaddr->}/%{dtransport->}) to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup227 = linear_select([ | |
match({ | |
id: "MESSAGE#299:302013:06/3", | |
dissect: { | |
tokenizer: "%{sinterface->}:%{fld2->}:%{saddr->}/%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#299:302013:06/3", | |
dissect: { | |
tokenizer: "%{sinterface->}:%{saddr->}/%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}), | |
]); | |
var dup228 = match({ | |
id: "MESSAGE#299:302013:06/3", | |
dissect: { | |
tokenizer: "%{sport->} (%{stransaddr->}/%{stransport->})", | |
field: "nwparser.p2", | |
}, | |
}); | |
var dup229 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1805010000"), | |
}); | |
var dup230 = match({ | |
id: "MESSAGE#484:338202/2", | |
dissect: { | |
tokenizer: "ilter %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup231 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("IKE lost contact with remote peer deleting connection"), | |
}); | |
var dup232 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("IKE Initiator New/Rekeying Phase"), | |
}); | |
var dup233 = set_field({ | |
dest: "nwparser.result", | |
value: constant("Local pool request succeeded "), | |
}); | |
var dup234 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Built translation"), | |
}); | |
var dup235 = linear_select([ | |
match({ | |
id: "MESSAGE#726:603107/2", | |
dissect: { | |
tokenizer: ",%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup236 = match({ | |
id: "MESSAGE#152:109027/2", | |
dissect: { | |
tokenizer: "i%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup237 = linear_select([ | |
match({ | |
id: "MESSAGE#152:109027/3", | |
dissect: { | |
tokenizer: "'%{username->}' ", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#152:109027/3", | |
dissect: { | |
tokenizer: "%{username->} ", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup238 = linear_select([ | |
match({ | |
id: "MESSAGE#189:113012/1", | |
dissect: { | |
tokenizer: "'%{username->}' ", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#189:113012/1", | |
dissect: { | |
tokenizer: "%{username->} ", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup239 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1001030200"), | |
}); | |
var dup240 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("FTP connection terminated"), | |
}); | |
var dup241 = match({ | |
id: "MESSAGE#1031:715059/2", | |
dissect: { | |
tokenizer: "%{saddr->}, %{action->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup242 = linear_select([ | |
match({ | |
id: "MESSAGE#855:713024/2", | |
dissect: { | |
tokenizer: "%{group->}, Username = '%{username->}', IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#855:713024/2", | |
dissect: { | |
tokenizer: "%{group->}, Username = %{username->}, IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#855:713024/2", | |
dissect: { | |
tokenizer: "%{group->}, IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup243 = match({ | |
id: "MESSAGE#855:713024/2", | |
dissect: { | |
tokenizer: "%{action->}:%{info->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup244 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1613040200"), | |
}); | |
var dup245 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Rekeying duration changed"), | |
}); | |
var dup246 = match({ | |
id: "MESSAGE#810:702204:01/0", | |
dissect: { | |
tokenizer: "ISAKMP Phase 1 retransmi%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup247 = linear_select([ | |
match({ | |
id: "MESSAGE#810:702204:01/2", | |
dissect: { | |
tokenizer: "ssion%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#810:702204:01/2", | |
dissect: { | |
tokenizer: "t%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup248 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Phase 1 retransmission"), | |
}); | |
var dup249 = match({ | |
id: "MESSAGE#1187:725002/2", | |
dissect: { | |
tokenizer: "%{->} %{interface->}:%{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup250 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1613050100"), | |
}); | |
var dup251 = linear_select([ | |
match({ | |
id: "MESSAGE#219:201004:01/2", | |
dissect: { | |
tokenizer: "static%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#219:201004:01/2", | |
dissect: { | |
tokenizer: "xlate%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup252 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Login session failed"), | |
}); | |
var dup253 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("User Authentication failed"), | |
}); | |
var dup254 = linear_select([ | |
]); | |
var dup255 = match({ | |
id: "MESSAGE#1198:725010/2", | |
dissect: { | |
tokenizer: ".%{->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup256 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1207010200"), | |
}); | |
var dup257 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("icmp packet denied"), | |
}); | |
var dup258 = set_field({ | |
dest: "nwparser.result", | |
value: constant("to/from mangement-only network"), | |
}); | |
var dup259 = set_field({ | |
dest: "nwparser.protocol", | |
value: constant("ICMP"), | |
}); | |
var dup260 = match({ | |
id: "MESSAGE#651:418001:01/2", | |
dissect: { | |
tokenizer: "%{dinterface->}:%{daddr->}/%{dport->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup261 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("packet denied"), | |
}); | |
var dup262 = match({ | |
id: "MESSAGE#174:111010/0", | |
dissect: { | |
tokenizer: "User %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup263 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1401040000"), | |
}); | |
var dup264 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1605010000"), | |
}); | |
var dup265 = linear_select([ | |
match({ | |
id: "MESSAGE#1243:737017/2", | |
dissect: { | |
tokenizer: "Session=%{sessionid->},%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup266 = linear_select([ | |
match({ | |
id: "MESSAGE#625:411005/2", | |
dissect: { | |
tokenizer: "I%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#625:411005/2", | |
dissect: { | |
tokenizer: "i%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup267 = linear_select([ | |
match({ | |
id: "MESSAGE#1163:722027/3", | |
dissect: { | |
tokenizer: "%{saddr->} (%{fld1->}) > %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#1163:722027/3", | |
dissect: { | |
tokenizer: "%{saddr->} > %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}), | |
]); | |
var dup268 = linear_select([ | |
match({ | |
id: "MESSAGE#1163:722027/4", | |
dissect: { | |
tokenizer: "TCP %{p3->}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#1163:722027/4", | |
dissect: { | |
tokenizer: "UDP %{p3->}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup269 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Policy installed"), | |
}); | |
var dup270 = linear_select([ | |
match({ | |
id: "MESSAGE#1161:722023/6", | |
dissect: { | |
tokenizer: "out%{p5->}", | |
field: "nwparser.p4", | |
}, | |
}), | |
]); | |
var dup271 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("request discarded"), | |
}); | |
var dup272 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1610000000"), | |
}); | |
var dup273 = linear_select([ | |
match({ | |
id: "MESSAGE#1001:715021/2", | |
dissect: { | |
tokenizer: "Username = '%{username->}', IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#1001:715021/2", | |
dissect: { | |
tokenizer: "Username = %{username->}, IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#1001:715021/2", | |
dissect: { | |
tokenizer: "IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup274 = linear_select([ | |
match({ | |
id: "MESSAGE#96:106027/1", | |
dissect: { | |
tokenizer: "\"%{rule_group->}\" ", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#96:106027/1", | |
dissect: { | |
tokenizer: "%{rule_group->} ", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup275 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("denied by access-group"), | |
}); | |
var dup276 = match({ | |
id: "MESSAGE#385:305013/2", | |
dissect: { | |
tokenizer: "%{sport->}(%{domain->}\\%{username->}) dst %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup277 = match({ | |
id: "MESSAGE#385:305013/2", | |
dissect: { | |
tokenizer: "%{sport->} dst %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup278 = set_field({ | |
dest: "nwparser.result", | |
value: constant("due to NAT reverse path failure"), | |
}); | |
var dup279 = linear_select([ | |
match({ | |
id: "MESSAGE#552:401004/2", | |
dissect: { | |
tokenizer: "ned%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup280 = linear_select([ | |
match({ | |
id: "MESSAGE#989:714011/2", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = '%{username->}', IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#989:714011/2", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#989:714011/2", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#989:714011/2", | |
dissect: { | |
tokenizer: "IP = %{saddr->} , %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup281 = match({ | |
id: "MESSAGE#302:302014:03/3", | |
dissect: { | |
tokenizer: "%{->} %{result->}", | |
field: "nwparser.p2", | |
}, | |
}); | |
var dup282 = match({ | |
id: "MESSAGE#303:302014:02/1", | |
dissect: { | |
tokenizer: "(%{result->}) ", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup283 = match({ | |
id: "MESSAGE#304:302014:04/2", | |
dissect: { | |
tokenizer: "%{saddr->}/%{sport->}(%{domain->}\\%{fld3->}) to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup284 = linear_select([ | |
match({ | |
id: "MESSAGE#304:302014:04/3", | |
dissect: { | |
tokenizer: "%{info->} (%{username->})", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#304:302014:04/3", | |
dissect: { | |
tokenizer: "%{info->}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup285 = match({ | |
id: "MESSAGE#307:302014:01/1", | |
dissect: { | |
tokenizer: "%{result->} ", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup286 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("NAT exemption configured"), | |
}); | |
var dup287 = match({ | |
id: "MESSAGE#824:702211:01/0", | |
dissect: { | |
tokenizer: "ISAKMP Phase 2 exchange complete%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup288 = match({ | |
id: "MESSAGE#824:702211:01/2", | |
dissect: { | |
tokenizer: "%{->} %{saddr->} (initiator), remote %{daddr->})", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup289 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Phase 1 exchange completed"), | |
}); | |
var dup290 = match({ | |
id: "MESSAGE#825:702211/2", | |
dissect: { | |
tokenizer: "%{->} %{daddr->} (responder), remote %{saddr->})", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup291 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("authentication failed"), | |
}); | |
var dup292 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1302000000"), | |
}); | |
var dup293 = set_field({ | |
dest: "nwparser.ec_subject", | |
value: constant("Certificate"), | |
}); | |
var dup294 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("connection dropped"), | |
}); | |
var dup295 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("teardown translation"), | |
}); | |
var dup296 = linear_select([ | |
match({ | |
id: "MESSAGE#383:305012/2", | |
dissect: { | |
tokenizer: "%{saddr->}/%{sport->}(%{fld51->}) to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#383:305012/2", | |
dissect: { | |
tokenizer: "%{saddr->}/%{sport->} to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup297 = linear_select([ | |
match({ | |
id: "MESSAGE#384:305012:01/2", | |
dissect: { | |
tokenizer: "%{dinterface->}(%{fld52->}):%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#384:305012:01/2", | |
dissect: { | |
tokenizer: "%{dinterface->}:%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup298 = match({ | |
id: "MESSAGE#629:413003/2", | |
dissect: { | |
tokenizer: ".%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup299 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("IPS request to drop packet"), | |
}); | |
var dup300 = match({ | |
id: "MESSAGE#860:713035/2", | |
dissect: { | |
tokenizer: "%{saddr->} , %{action->}:%{info->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup301 = constant("Routing failed to locate next-hop"); | |
var dup302 = set_field({ | |
dest: "nwparser.disposition", | |
value: constant("failed"), | |
}); | |
var dup303 = match({ | |
id: "MESSAGE#1016:715046:01/1", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup304 = match({ | |
id: "MESSAGE#1016:715046:01/1", | |
dissect: { | |
tokenizer: "%{event_description->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup305 = linear_select([ | |
match({ | |
id: "MESSAGE#1021:715049:01/1", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#1021:715049:01/1", | |
dissect: { | |
tokenizer: "Username = %{username->}, IP = %{saddr->}, %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}), | |
]); | |
var dup306 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Teardown connection"), | |
}); | |
var dup307 = match({ | |
id: "MESSAGE#340:302026/0", | |
dissect: { | |
tokenizer: "Built %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup308 = match({ | |
id: "MESSAGE#340:302026/2", | |
dissect: { | |
tokenizer: "backup%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup309 = match({ | |
id: "MESSAGE#340:302026/2", | |
dissect: { | |
tokenizer: "director%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup310 = match({ | |
id: "MESSAGE#340:302026/2", | |
dissect: { | |
tokenizer: "%{->}stub %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} (%{fld1->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{fld2->})", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup311 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Built connection"), | |
}); | |
var dup312 = match({ | |
id: "MESSAGE#559:402116/0", | |
dissect: { | |
tokenizer: "IPSEC: Received an ESP packet (SPI= %{dst_spi->}, sequence number= %{fld2->}) from %{saddr->} %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup313 = linear_select([ | |
match({ | |
id: "MESSAGE#559:402116/2", | |
dissect: { | |
tokenizer: "(user=%{username->}) to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#559:402116/2", | |
dissect: { | |
tokenizer: "(%{username->}) to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#559:402116/2", | |
dissect: { | |
tokenizer: "'%{username->}' to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#559:402116/2", | |
dissect: { | |
tokenizer: "%{username->} to %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup314 = match({ | |
id: "MESSAGE#381:305011:01/2", | |
dissect: { | |
tokenizer: "%{daddr->}/%{dport->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup315 = linear_select([ | |
match({ | |
id: "MESSAGE#684:502112/2", | |
dissect: { | |
tokenizer: "'%{username->}' Type:%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#684:502112/2", | |
dissect: { | |
tokenizer: "%{username->} Type:%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup316 = match({ | |
id: "MESSAGE#684:502112/2", | |
dissect: { | |
tokenizer: "%{fld1->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup317 = set_field({ | |
dest: "nwparser.result", | |
value: constant("User authentication succeeded"), | |
}); | |
var dup318 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("SSL server requesting certificate for authentication"), | |
}); | |
var dup319 = call({ | |
dest: "nwparser.bytes", | |
fn: CALC, | |
args: [ | |
field("sbytes"), | |
constant("+"), | |
field("rbytes"), | |
], | |
}); | |
var dup320 = set_field({ | |
dest: "nwparser.ec_theme", | |
value: constant("TEV"), | |
}); | |
var dup321 = match({ | |
id: "MESSAGE#419:315011/0", | |
dissect: { | |
tokenizer: "SSH session from %{saddr->} on interface %{interface->} for user %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup322 = match({ | |
id: "MESSAGE#622:411002/2", | |
dissect: { | |
tokenizer: "nterface %{interface->} %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup323 = linear_select([ | |
match({ | |
id: "MESSAGE#622:411002/3", | |
dissect: { | |
tokenizer: ", %{result->} ", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#622:411002/3", | |
dissect: { | |
tokenizer: "%{result->} ", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup324 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1603030000"), | |
}); | |
var dup325 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Denied IPv6-ICMP"), | |
}); | |
var dup326 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1604010000"), | |
}); | |
var dup327 = set_field({ | |
dest: "nwparser.ec_activity", | |
value: constant("Read"), | |
}); | |
var dup328 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Device chooses cipher for the SSL session"), | |
}); | |
var dup329 = match({ | |
id: "MESSAGE#870:713218/2", | |
dissect: { | |
tokenizer: "%{saddr->}, Tunnel Rejected: %{action->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup330 = set_field({ | |
dest: "nwparser.result", | |
value: constant("Tunnel Rejected"), | |
}); | |
var dup331 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1901000000"), | |
}); | |
var dup332 = set_field({ | |
dest: "nwparser.id", | |
value: field("p_msgid"), | |
}); | |
var dup333 = set_field({ | |
dest: "nwparser.msg_id", | |
value: field("p_msgid"), | |
}); | |
var dup334 = set_field({ | |
dest: "nwparser.vid", | |
value: field("p_msgid"), | |
}); | |
var dup335 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("IKEGetUserAttributes"), | |
}); | |
var dup336 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Invalid destination"), | |
}); | |
var dup337 = set_field({ | |
dest: "nwparser.result", | |
value: constant("all servers failed"), | |
}); | |
var dup338 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1607000000"), | |
}); | |
var dup339 = match({ | |
id: "MESSAGE#975:713906:01/0", | |
dissect: { | |
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup340 = match({ | |
id: "MESSAGE#975:713906:01/1", | |
dissect: { | |
tokenizer: "%{event_description->} Proxy Id:%{fld1->} Remote host: %{hostname->} Protocol %{protocol->} Port %{port->} Local subnet: %{fld2->} mask %{mask->} Protocol %{fld3->} Port %{fld4->} ", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup341 = match({ | |
id: "MESSAGE#976:713906:03/0", | |
dissect: { | |
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup342 = match({ | |
id: "MESSAGE#977:713906/0", | |
dissect: { | |
tokenizer: "IP = %{saddr->},%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup343 = linear_select([ | |
match({ | |
id: "MESSAGE#191:113014/2", | |
dissect: { | |
tokenizer: "entic%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#191:113014/2", | |
dissect: { | |
tokenizer: "oriz%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup344 = match({ | |
id: "MESSAGE#797:620001:01/2", | |
dissect: { | |
tokenizer: "C%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup345 = linear_select([ | |
match({ | |
id: "MESSAGE#797:620001:01/4", | |
dissect: { | |
tokenizer: "%{saddr->}/%{sport->} to %{p3->}", | |
field: "nwparser.p2", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#797:620001:01/4", | |
dissect: { | |
tokenizer: "%{saddr->} to %{p3->}", | |
field: "nwparser.p2", | |
}, | |
}), | |
]); | |
var dup346 = match({ | |
id: "MESSAGE#797:620001:01/4", | |
dissect: { | |
tokenizer: "%{dinterface->}: %{p4->}", | |
field: "nwparser.p3", | |
}, | |
}); | |
var dup347 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Pre-allocate connection"), | |
}); | |
var dup348 = match({ | |
id: "MESSAGE#325:302020/3", | |
dissect: { | |
tokenizer: "%{hostip->} laddr %{p2->}", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup349 = match({ | |
id: "MESSAGE#326:302020:04/1", | |
dissect: { | |
tokenizer: "%{sport->} type %{icmptype->} code %{icmpcode->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup350 = match({ | |
id: "MESSAGE#326:302020:04/1", | |
dissect: { | |
tokenizer: "%{sport->}", | |
field: "nwparser.p0", | |
}, | |
}); | |
var dup351 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1611000000"), | |
}); | |
var dup352 = match({ | |
id: "MESSAGE#1153:722001/0", | |
dissect: { | |
tokenizer: "IP %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup353 = linear_select([ | |
match({ | |
id: "MESSAGE#1153:722001/2", | |
dissect: { | |
tokenizer: "%{saddr->} (%{fld1->}) %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#1153:722001/2", | |
dissect: { | |
tokenizer: "%{saddr->} %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup354 = match({ | |
id: "MESSAGE#1153:722001/2", | |
dissect: { | |
tokenizer: "%{event_description->}.", | |
field: "nwparser.p1", | |
}, | |
}); | |
var dup355 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1601010000"), | |
}); | |
var dup356 = set_field({ | |
dest: "nwparser.result", | |
value: constant("hardware accelerator error"), | |
}); | |
var dup357 = match({ | |
id: "MESSAGE#59:106002/0", | |
dissect: { | |
tokenizer: "%{protocol->} %{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup358 = linear_select([ | |
match({ | |
id: "MESSAGE#59:106002/2", | |
dissect: { | |
tokenizer: "C%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#59:106002/2", | |
dissect: { | |
tokenizer: "c%{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
var dup359 = set_field({ | |
dest: "nwparser.eventcategory", | |
value: constant("1803020000"), | |
}); | |
var dup360 = match({ | |
id: "MESSAGE#814:702206:01/0", | |
dissect: { | |
tokenizer: "ISAKMP malform%{p0->}", | |
field: "nwparser.payload", | |
}, | |
}); | |
var dup361 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("malformed payload received"), | |
}); | |
var dup362 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("User executed command"), | |
}); | |
var dup363 = set_field({ | |
dest: "nwparser.event_description", | |
value: constant("Testing Interface"), | |
}); | |
var dup364 = set_field({ | |
dest: "nwparser.protocol", | |
value: constant("TCP"), | |
}); | |
var dup365 = linear_select([ | |
match({ | |
id: "MESSAGE#867:713050/2", | |
dissect: { | |
tokenizer: "%{group->}, Username = '%{username->}' , IP = %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#867:713050/2", | |
dissect: { | |
tokenizer: "%{group->}, Username = %{username->} , IP = %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
match({ | |
id: "MESSAGE#867:713050/2", | |
dissect: { | |
tokenizer: "%{group->} , IP = %{p1->}", | |
field: "nwparser.p0", | |
}, | |
}), | |
]); | |
// MESSAGE#346 (ASA 303002), stage /2: username at the start of p0, quoted
// (dup366) or bare (dup367). These are two standalone matches rather than a
// linear_select; the message that uses them is expected to combine them.
var dup366 = match({
    id: "MESSAGE#346:303002:02/2",
    dissect: { tokenizer: "'%{username->}' %{p1->}", field: "nwparser.p0" },
});
var dup367 = match({
    id: "MESSAGE#346:303002:02/2",
    dissect: { tokenizer: "%{username->} %{p1->}", field: "nwparser.p0" },
});
// MESSAGE#489 (ASA 338303), stage /2: strip a leading comma from p0.
var dup368 = match({
    id: "MESSAGE#489:338303/2",
    dissect: { tokenizer: ",%{p1->}", field: "nwparser.p0" },
});
// MESSAGE#331 (ASA 302021), stage /2: host address with an optional "/<fld4>"
// suffix, followed by " laddr " and the rest in p1. The two-part form is tried
// first; both alternatives share one id.
var dup369 = linear_select([
    match({
        id: "MESSAGE#331:302021/2",
        dissect: { tokenizer: "%{hostip->}/%{fld4->} laddr %{p1->}", field: "nwparser.p0" },
    }),
    match({
        id: "MESSAGE#331:302021/2",
        dissect: { tokenizer: "%{hostip->} laddr %{p1->}", field: "nwparser.p0" },
    }),
]);
// Same message, parsing p1: "<daddr>/<dport>" optionally followed by the
// username in parentheses, the username after a space, or nothing. Most
// specific shape first.
var dup370 = linear_select([
    match({
        id: "MESSAGE#331:302021/2",
        dissect: { tokenizer: "%{daddr->}/%{dport->}(%{username->})", field: "nwparser.p1" },
    }),
    match({
        id: "MESSAGE#331:302021/2",
        dissect: { tokenizer: "%{daddr->}/%{dport->} %{username->}", field: "nwparser.p1" },
    }),
    match({
        id: "MESSAGE#331:302021/2",
        dissect: { tokenizer: "%{daddr->}/%{dport->}", field: "nwparser.p1" },
    }),
]);
// Fixed event descriptions.
var dup371 = set_field({ dest: "nwparser.event_description", value: constant("denied by access-list") });
var dup372 = set_field({ dest: "nwparser.event_description", value: constant("Session terminated") });
// MESSAGE#133 (ASA 109012), stage /2: username (quoted or bare) followed by
// " , sid " and the remainder in p1. Quoted form first; shared id.
var dup373 = linear_select([
    match({
        id: "MESSAGE#133:109012/2",
        dissect: { tokenizer: "'%{username->}' , sid %{p1->}", field: "nwparser.p0" },
    }),
    match({
        id: "MESSAGE#133:109012/2",
        dissect: { tokenizer: "%{username->} , sid %{p1->}", field: "nwparser.p0" },
    }),
]);
// MESSAGE#822 (ASA 702210), stage /0: literal prefix anchor; the text after
// "complete" (if any) goes to p0.
var dup374 = match({
    id: "MESSAGE#822:702210:01/0",
    dissect: { tokenizer: "ISAKMP Phase 1 exchange complete%{p0->}", field: "nwparser.payload" },
});
// dup375: event category code 1701070000.
var dup375 = set_field({ dest: "nwparser.eventcategory", value: constant("1701070000") });
// dup376: activity classification "Disable".
var dup376 = set_field({ dest: "nwparser.ec_activity", value: constant("Disable") });
// MESSAGE#617 (ASA 410001), "Dropped UDP DNS re{ply|quest} ... {packet|label}
// ... limit of N bytes". The message is parsed in stages that hand the
// unconsumed tail along through p0 -> p1 -> p2 -> p3 -> ... -> p5.
// Stage /0: anchor on the common prefix, leave "ply..."/"quest..." in p0.
var dup377 = match({
    id: "MESSAGE#617:410001/0",
    dissect: { tokenizer: "Dropped UDP DNS re%{p0->}", field: "nwparser.payload" },
});
// Stage /2: finish the word ("reply" or "request"); shared id.
var dup378 = linear_select([
    match({ id: "MESSAGE#617:410001/2", dissect: { tokenizer: "ply%{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#617:410001/2", dissect: { tokenizer: "quest%{p1->}", field: "nwparser.p0" } }),
]);
// Stage /4: two standalone matches on p2 for the "packet" / "label" variants;
// the using message is expected to pick between them.
var dup379 = match({
    id: "MESSAGE#617:410001/4",
    dissect: { tokenizer: "packet%{p3->}", field: "nwparser.p2" },
});
var dup380 = match({
    id: "MESSAGE#617:410001/4",
    dissect: { tokenizer: "label%{p3->}", field: "nwparser.p2" },
});
// Stage /6: the nameless "%{->}" capture skips everything before "limit of";
// the byte limit lands in fld2.
var dup381 = match({
    id: "MESSAGE#617:410001/6",
    dissect: { tokenizer: "%{->}limit of %{fld2->} bytes", field: "nwparser.p5" },
});
// Fixed description for the whole 410001 family.
var dup382 = set_field({ dest: "nwparser.event_description", value: constant("Dropped DNS UDP packet - length exceeded") });
// MESSAGE#185 (ASA 113009), stage /0: anchor on the literal prefix, rest to p0.
var dup383 = match({
    id: "MESSAGE#185:113009/0",
    dissect: { tokenizer: "AAA retrieved default group policy %{p0->}", field: "nwparser.payload" },
});
// Stage /4: the username from p3, quoted or bare. Note the trailing space in
// both tokenizers — p3 is expected to end with one. Shared id, quoted first.
var dup384 = linear_select([
    match({ id: "MESSAGE#185:113009/4", dissect: { tokenizer: "'%{username->}' ", field: "nwparser.p3" } }),
    match({ id: "MESSAGE#185:113009/4", dissect: { tokenizer: "%{username->} ", field: "nwparser.p3" } }),
]);
// dup385: canned result text for this message.
var dup385 = set_field({ dest: "nwparser.result", value: constant("retrieved default group policy") });
// MESSAGE#878 (ASA 713075), stage /3: whatever is left in p2 becomes the
// event description verbatim.
var dup386 = match({
    id: "MESSAGE#878:713075/3",
    dissect: { tokenizer: "%{event_description->}", field: "nwparser.p2" },
});
// MESSAGE#1008 (ASA 715036), stage /1: description with an optional trailing
// "(seq number N) " (note the trailing space); otherwise skip the first
// space-delimited token ("%{->}") and take the rest. Shared id.
var dup387 = linear_select([
    match({
        id: "MESSAGE#1008:715036:01/1",
        dissect: { tokenizer: "%{event_description->} (seq number %{fld1->}) ", field: "nwparser.p0" },
    }),
    match({
        id: "MESSAGE#1008:715036:01/1",
        dissect: { tokenizer: "%{->} %{event_description->}", field: "nwparser.p0" },
    }),
]);
// MESSAGE#957 (ASA 713902), stage /2: "Group = <g>, Username = <u>, IP = <ip> , ..."
// Two standalone matches: quoted username with "', IP" (dup388) and bare
// username with ", IP" (dup389). The IP here is captured as saddr.
var dup388 = match({
    id: "MESSAGE#957:713902/2",
    dissect: { tokenizer: "Group = %{group->}, Username = '%{username->}', IP = %{saddr->} , %{p1->}", field: "nwparser.p0" },
});
var dup389 = match({
    id: "MESSAGE#957:713902/2",
    dissect: { tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->} , %{p1->}", field: "nwparser.p0" },
});
// MESSAGE#958 (ASA 713902 variant), stage /2: either a Group clause or a
// Username clause (quoted, then bare) precedes "IP = ". The IP is left in p1
// here rather than captured directly. Shared id.
var dup390 = linear_select([
    match({
        id: "MESSAGE#958:713902:02/2",
        dissect: { tokenizer: "Group = %{group->}, IP = %{p1->}", field: "nwparser.p0" },
    }),
    match({
        id: "MESSAGE#958:713902:02/2",
        dissect: { tokenizer: "Username = '%{username->}' , IP = %{p1->}", field: "nwparser.p0" },
    }),
    match({
        id: "MESSAGE#958:713902:02/2",
        dissect: { tokenizer: "Username = %{username->} , IP = %{p1->}", field: "nwparser.p0" },
    }),
]);
// Fixed descriptions / results shared by several message definitions.
var dup391 = set_field({ dest: "nwparser.event_description", value: constant("Embryonic limit exceeded") });
var dup392 = set_field({ dest: "nwparser.result", value: constant("for through connections") });
var dup393 = set_field({ dest: "nwparser.event_description", value: constant("duplicate packet detected") });
var dup394 = set_field({ dest: "nwparser.result", value: constant("DHCP configured") });
var dup395 = set_field({ dest: "nwparser.event_description", value: constant("Received an ICMP Destination Unreachable") });
// dup396: label for the numeric counter dclass_counter1 (the 106100 hit count).
var dup396 = set_field({ dest: "nwparser.dclass_counter1_string", value: constant("Hitcount") });
// MESSAGE#100 (ASA 106100), "access-list <name> {permitted|est-allowed} ...
// hit-cnt N <interval>". Parsed in stages: /0 takes the list name, /2 finishes
// the action word, /4 splits the destination-port tail and the hit count.
var dup397 = match({
    id: "MESSAGE#100:106100:01/0",
    dissect: { tokenizer: "access-list %{listnum->} %{p0->}", field: "nwparser.payload" },
});
// Stage /2: only the "est-allow(ed)" and "permitt(ed)" spellings are accepted
// here; "denied" is not an alternative of this select. Shared id.
var dup398 = linear_select([
    match({ id: "MESSAGE#100:106100:01/2", dissect: { tokenizer: "est-allow%{p1->}", field: "nwparser.p0" } }),
    match({ id: "MESSAGE#100:106100:01/2", dissect: { tokenizer: "permitt%{p1->}", field: "nwparser.p0" } }),
]);
// Stage /4 on p2: destination port closes a parenthesis, optionally followed by
// a second parenthesised value (fld7), then " hit-cnt " and the rest in p3.
// Two standalone matches; the using message picks between them.
var dup399 = match({
    id: "MESSAGE#100:106100:01/4",
    dissect: { tokenizer: "%{dport->})(%{fld7->}) hit-cnt %{p3->}", field: "nwparser.p2" },
});
var dup400 = match({
    id: "MESSAGE#100:106100:01/4",
    dissect: { tokenizer: "%{dport->}) hit-cnt %{p3->}", field: "nwparser.p2" },
});
// Stage /4 on p3: the hit count itself and the trailing interval token (fld6).
var dup401 = match({
    id: "MESSAGE#100:106100:01/4",
    dissect: { tokenizer: "%{dclass_counter1->} %{fld6->}", field: "nwparser.p3" },
});
// dup402: fixed description for the permitted variant.
var dup402 = set_field({ dest: "nwparser.event_description", value: constant("permitted") });
// MESSAGE#101 (106100 variant), stage /4: like dup399/dup400 but with an extra
// first alternative for a "(DOMAIN\user)" identity. The JS literal "\\" is a
// single backslash in the tokenizer, so domain and username split on it.
// Most specific shape first; shared id.
var dup403 = linear_select([
    match({
        id: "MESSAGE#101:106100:02/4",
        dissect: { tokenizer: "%{dport->})(%{domain->}\\%{username->}) hit-cnt %{p3->}", field: "nwparser.p2" },
    }),
    match({
        id: "MESSAGE#101:106100:02/4",
        dissect: { tokenizer: "%{dport->})(%{fld7->}) hit-cnt %{p3->}", field: "nwparser.p2" },
    }),
    match({
        id: "MESSAGE#101:106100:02/4",
        dissect: { tokenizer: "%{dport->}) hit-cnt %{p3->}", field: "nwparser.p2" },
    }),
]);
// MESSAGE#818 (ASA 702208), stage /0: literal prefix anchor; text after
// "start" (e.g. "ed ...") goes to p0.
var dup404 = match({
    id: "MESSAGE#818:702208:01/0",
    dissect: { tokenizer: "ISAKMP Phase 1 exchange start%{p0->}", field: "nwparser.payload" },
});
// dup405: fixed description for that message.
var dup405 = set_field({ dest: "nwparser.event_description", value: constant("Phase 1 exchange started") });
var dup406 = set_field({ |