// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.
var processor = require("processor");
var console = require("console");
var device; // DeviceProcessor instance; assigned in register(), read by process()
// Register params from configuration.
// Initialization entry point: builds the device processor chain and stores it
// in the module-level `device` that process() delegates to. `params` is
// accepted but not read — the chain is fixed and takes no configuration here.
function register(params) {
device = new DeviceProcessor();
}
// Per-event entry point: runs `evt` through the chain built by register().
// If called before register() has set `device`, the property access throws a
// TypeError rather than returning a value.
function process(evt) {
return device.process(evt);
}
// Assembles the fixed three-stage chain for this device — save_flags, chain1,
// restore_flags, in that order (all three are defined elsewhere in the file) —
// and exposes the built chain's Run method under the `process` key.
function DeviceProcessor() {
    var stages = [save_flags, chain1, restore_flags];
    var chainBuilder = new processor.Chain();
    for (var i = 0; i < stages.length; i++) {
        chainBuilder.Add(stages[i]);
    }
    var built = chainBuilder.Build();
    return {
        process: built.Run,
    };
}
// Lookup tables consumed by `lookup`/`call` processors later in the file.
// Each has a `keyvaluepairs` object keyed by the looked-up string and, for the
// dir2* maps, a `default` used when the key is absent. map_srcDirName and
// map_dstDirName have no `default`; they map an `inout` value of "0"/"1" to
// dup477/dup476 (defined elsewhere in the file) — see dup27..dup29 below for
// how `inout` is produced and consumed.
var map_srcDirName = {
keyvaluepairs: {
"0": dup477,
"1": dup476,
},
};
// Mirror of map_srcDirName with the two zone values swapped.
var map_dstDirName = {
keyvaluepairs: {
"0": dup476,
"1": dup477,
},
};
var map_dir2SumType = {
keyvaluepairs: {
"0": constant("2"),
"1": constant("3"),
},
"default": constant("0"),
};
// Direction → address/port field selectors; both default to the source side.
var map_dir2Address = {
keyvaluepairs: {
"0": field("saddr"),
"1": field("daddr"),
},
"default": field("saddr"),
};
var map_dir2Port = {
keyvaluepairs: {
"0": field("sport"),
"1": field("dport"),
},
"default": field("sport"),
};
// Shared sub-processors dup0..dup44, reused by the per-message parsers defined
// later in the file. The helpers used here (set_field, constant, field, call,
// match, linear_select, date_time, date_times, lookup) and the function/format
// constants (HDR, SYSVAL, DIRCHK, dB, dF, dW, dN, dU, dO, dH, dT, dS) are not
// defined in this section.
// Values captured by the dissect tokenizers are taken verbatim from the log
// payload; nothing here validates or normalizes them, so captured fields such
// as username, group, saddr or url must be treated as untrusted downstream.
var dup0 = set_field({
dest: "nwparser.messageid",
value: constant("CISCOASA_GENERIC"),
});
var dup1 = set_field({
dest: "nwparser.eventcategory",
value: constant("1601000000"),
});
var dup2 = call({
dest: "nwparser.level",
fn: HDR,
args: [
field("level"),
],
});
// Builds event_time from month/day/year/hhour/hmin/hsec. dup25 uses the same
// source fields with a different fmt list (dH,dT,dS instead of dN,dU,dO); the
// difference between those format constants is not visible in this section.
var dup3 = date_time({
dest: "event_time",
args: ["month","day","year","hhour","hmin","hsec"],
fmt: [dB,dF,dW,dN,dU,dO],
});
var dup4 = set_field({
dest: "nwparser.msg",
value: field("$MSG"),
});
var dup5 = call({
dest: "nwparser.id",
fn: HDR,
args: [
field("messageid"),
],
});
var dup6 = set_field({
dest: "nwparser.eventcategory",
value: constant("1501050100"),
});
var dup7 = set_field({
dest: "nwparser.event_type",
value: constant("VPN"),
});
var dup8 = set_field({
dest: "nwparser.event_description",
value: constant("Static Crypto Map check"),
});
var dup9 = match({
id: "MESSAGE#1042:715077/0",
dissect: {
tokenizer: "%{->}Group = %{p0->}",
field: "nwparser.payload",
},
});
var dup10 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603000000"),
});
var dup11 = set_field({
dest: "nwparser.ec_theme",
value: constant("Encryption"),
});
var dup12 = set_field({
dest: "nwparser.ec_subject",
value: constant("CryptoKey"),
});
var dup13 = set_field({
dest: "nwparser.ec_activity",
value: constant("Modify"),
});
// NOTE(review): dest is the bare prefix "nwparser." with no field name —
// presumably SYSVAL derives the real destination from $MSGID/$ID1; confirm
// against the helper before relying on this.
var dup14 = call({
dest: "nwparser.",
fn: SYSVAL,
args: [
field("$MSGID"),
field("$ID1"),
],
});
var dup15 = match({
id: "MESSAGE#192:113015/1",
dissect: {
tokenizer: "%{username->} ",
field: "nwparser.p0",
},
});
var dup16 = set_field({
dest: "nwparser.eventcategory",
value: constant("1301000000"),
});
var dup17 = set_field({
dest: "nwparser.ec_subject",
value: constant("User"),
});
var dup18 = set_field({
dest: "nwparser.ec_theme",
value: constant("Authentication"),
});
var dup19 = set_field({
dest: "nwparser.ec_outcome",
value: constant("Failure"),
});
var dup20 = set_field({
dest: "nwparser.eventcategory",
value: constant("1605000000"),
});
var dup21 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801000000"),
});
var dup22 = match({
id: "MESSAGE#872:713066/0",
dissect: {
tokenizer: "Group = %{group->}, Username = %{p0->}",
field: "nwparser.payload",
},
});
// Alternatives for one parse step share the step's id; the quoted-username
// form is listed before the unquoted one. Which alternative wins is decided by
// linear_select, whose definition is not in this section.
var dup23 = linear_select([
match({
id: "MESSAGE#872:713066/2",
dissect: {
tokenizer: "'%{username->}' , IP = %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#872:713066/2",
dissect: {
tokenizer: "%{username->} , IP = %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup24 = set_field({
dest: "nwparser.eventcategory",
value: constant("1204020000"),
});
var dup25 = date_time({
dest: "event_time",
args: ["month","day","year","hhour","hmin","hsec"],
fmt: [dB,dF,dW,dH,dT,dS],
});
var dup26 = set_field({
dest: "nwparser.eventcategory",
value: constant("1001020100"),
});
// dup27 derives `inout` from saddr via DIRCHK; dup28/dup29 then resolve that
// value to a src/dst zone through map_srcDirName/map_dstDirName.
var dup27 = call({
dest: "nwparser.inout",
fn: DIRCHK,
args: [
field("saddr"),
],
});
var dup28 = lookup({
dest: "nwparser.src_zone",
map: map_srcDirName,
key: field("inout"),
});
var dup29 = lookup({
dest: "nwparser.dst_zone",
map: map_dstDirName,
key: field("inout"),
});
var dup30 = call({
dest: "nwparser.sigcat",
fn: SYSVAL,
args: [
field("$CATEGORY"),
],
});
var dup31 = match({
id: "MESSAGE#719:602304/0",
dissect: {
tokenizer: "%{service->}: An %{direction->} SA (SPI= %{fld1->}) between %{saddr->} and %{daddr->} %{p0->}",
field: "nwparser.payload",
},
});
var dup32 = linear_select([
match({
id: "MESSAGE#719:602304/2",
dissect: {
tokenizer: "(user=%{username->}) %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#719:602304/2",
dissect: {
tokenizer: "(%{username->}) %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#719:602304/2",
dissect: {
tokenizer: "'%{username->}' %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#719:602304/2",
dissect: {
tokenizer: "%{username->} %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup33 = match({
id: "MESSAGE#719:602304/2",
dissect: {
tokenizer: "%{action->}",
field: "nwparser.p1",
},
});
var dup34 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801030100"),
});
// Two candidate format lists; the second omits dW, which by position appears
// to correspond to the "year" arg (i.e. a timestamp without a year).
var dup35 = date_times({
dest: "event_time",
args: ["month","day","year","hhour","hmin","hsec"],
fmts: [
[dB,dF,dW,dN,dU,dO],
[dB,dF,dN,dU,dO],
],
});
var dup36 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801030000"),
});
var dup37 = set_field({
dest: "nwparser.eventcategory",
value: constant("1604000000"),
});
var dup38 = set_field({
dest: "nwparser.ec_theme",
value: constant("Configuration"),
});
var dup39 = set_field({
dest: "nwparser.ec_subject",
value: constant("Configuration"),
});
var dup40 = set_field({
dest: "nwparser.ec_outcome",
value: constant("Success"),
});
var dup41 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801010000"),
});
var dup42 = set_field({
dest: "nwparser.ec_theme",
value: constant("ALM"),
});
var dup43 = set_field({
dest: "nwparser.ec_subject",
value: constant("NetworkComm"),
});
var dup44 = match({
id: "MESSAGE#921:713194/0",
dissect: {
tokenizer: "%{->} %{p0->}",
field: "nwparser.payload",
},
});
// Shared sub-processors dup45..dup89 (same conventions as dup0..dup44 above:
// helper functions and format constants are defined outside this section, and
// captured tokenizer fields are untrusted log content).
var dup45 = match({
id: "MESSAGE#921:713194/2",
dissect: {
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
});
var dup46 = match({
id: "MESSAGE#921:713194/2",
dissect: {
tokenizer: "IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
});
var dup47 = linear_select([
match({
id: "MESSAGE#1020:715048/2",
dissect: {
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1020:715048/2",
dissect: {
tokenizer: "IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup48 = match({
id: "MESSAGE#1020:715048/2",
dissect: {
tokenizer: "%{event_description->}",
field: "nwparser.p1",
},
});
var dup49 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603010000"),
});
var dup50 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603040000"),
});
var dup51 = set_field({
dest: "nwparser.eventcategory",
value: constant("1703000000"),
});
var dup52 = set_field({
dest: "nwparser.eventcategory",
value: constant("1001020200"),
});
var dup53 = match({
id: "MESSAGE#1250:737031/0",
dissect: {
tokenizer: "%{process->}: %{p0->}",
field: "nwparser.payload",
},
});
var dup54 = linear_select([
match({
id: "MESSAGE#1250:737031/2",
dissect: {
tokenizer: "Session=%{sessionid->}, %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup55 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801010100"),
});
var dup56 = set_field({
dest: "nwparser.service",
value: constant("IPSEC"),
});
// The \" in this tokenizer is a literal double quote terminating the
// application value.
var dup57 = match({
id: "MESSAGE#700:505015/1",
dissect: {
tokenizer: "%{application->}\", %{info->}",
field: "nwparser.p0",
},
});
var dup58 = set_field({
dest: "nwparser.eventcategory",
value: constant("1605020000"),
});
var dup59 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701060000"),
});
var dup60 = set_field({
dest: "nwparser.ec_activity",
value: constant("Enable"),
});
var dup61 = linear_select([
match({
id: "MESSAGE#128:109007/2",
dissect: {
tokenizer: "'%{username->}' from %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#128:109007/2",
dissect: {
tokenizer: "%{username->} from %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup62 = match({
id: "MESSAGE#128:109007/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to %{daddr->}/%{dport->} on interface %{interface->}",
field: "nwparser.p1",
},
});
var dup63 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401060000"),
});
var dup64 = set_field({
dest: "nwparser.ec_activity",
value: constant("Permit"),
});
var dup65 = set_field({
dest: "nwparser.ec_theme",
value: constant("AccessControl"),
});
var dup66 = linear_select([
match({
id: "MESSAGE#351:304001/2",
dissect: {
tokenizer: "'%{username->}' @%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#351:304001/2",
dissect: {
tokenizer: "%{username->} @%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup67 = set_field({
dest: "nwparser.eventcategory",
value: constant("1204010000"),
});
var dup68 = set_field({
dest: "nwparser.event_description",
value: constant("Accessed"),
});
var dup69 = set_field({
dest: "nwparser.protocol",
value: constant("HTTP"),
});
// dup70..dup73 split the captured `url` field into domain/root/page/query via
// the URL helper, selected by the $DOMAIN/$ROOT/$PAGE/$QUERY first argument.
var dup70 = call({
dest: "nwparser.urldomain",
fn: URL,
args: [
field("$DOMAIN"),
field("url"),
],
});
var dup71 = call({
dest: "nwparser.urlroot",
fn: URL,
args: [
field("$ROOT"),
field("url"),
],
});
var dup72 = call({
dest: "nwparser.urlpage",
fn: URL,
args: [
field("$PAGE"),
field("url"),
],
});
var dup73 = call({
dest: "nwparser.urlquery",
fn: URL,
args: [
field("$QUERY"),
field("url"),
],
});
var dup74 = set_field({
dest: "nwparser.eventcategory",
value: constant("1001020300"),
});
var dup75 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603110000"),
});
var dup76 = set_field({
dest: "nwparser.eventcategory",
value: constant("1001030300"),
});
// "\u003c\u003c" is the JS escape for two literal '<' characters in the pattern.
var dup77 = match({
id: "MESSAGE#1046:716002/0",
dissect: {
tokenizer: "Group \u003c\u003c%{group->}> User %{p0->}",
field: "nwparser.payload",
},
});
var dup78 = linear_select([
match({
id: "MESSAGE#1046:716002/2",
dissect: {
tokenizer: "\u003c\u003c%{username->}> IP \u003c\u003c%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1046:716002/2",
dissect: {
tokenizer: "'%{username->}' IP \u003c\u003c%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1046:716002/2",
dissect: {
tokenizer: "%{username->} IP \u003c\u003c%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup79 = match({
id: "MESSAGE#992:715006/0",
dissect: {
tokenizer: "Group = %{group->}, %{p0->}",
field: "nwparser.payload",
},
});
var dup80 = linear_select([
match({
id: "MESSAGE#992:715006/2",
dissect: {
tokenizer: "Username = '%{username->}', IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#992:715006/2",
dissect: {
tokenizer: "Username = %{username->}, IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#992:715006/2",
dissect: {
tokenizer: "IP = %{saddr->}, %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup81 = match({
id: "MESSAGE#992:715006/2",
dissect: {
tokenizer: "%{action->}: SPI = %{dst_spi->}",
field: "nwparser.p1",
},
});
var dup82 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801020100"),
});
var dup83 = set_field({
dest: "nwparser.eventcategory",
value: constant("1304000000"),
});
var dup84 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401050200"),
});
var dup85 = set_field({
dest: "nwparser.eventcategory",
value: constant("1002000000"),
});
var dup86 = set_field({
dest: "nwparser.eventcategory",
value: constant("1303000000"),
});
var dup87 = set_field({
dest: "nwparser.ec_outcome",
value: constant("Error"),
});
// Step 0 stops inside a word ("delete"); the step-2 alternative in dup89 then
// consumes the trailing "d", so the pair matches "deleted".
var dup88 = match({
id: "MESSAGE#804:702201:01/0",
dissect: {
tokenizer: "ISAKMP Phase 1 delete%{p0->}",
field: "nwparser.payload",
},
});
var dup89 = linear_select([
match({
id: "MESSAGE#804:702201:01/2",
dissect: {
tokenizer: "d%{p1->}",
field: "nwparser.p0",
},
}),
]);
// Shared sub-processors dup90..dup144 (same conventions as dup0..dup44 above).
var dup90 = set_field({
dest: "nwparser.event_description",
value: constant("Phase 1 delete received"),
});
var dup91 = set_field({
dest: "nwparser.event_description",
value: constant("Remote peer has failed user authentication"),
});
var dup92 = linear_select([
match({
id: "MESSAGE#1196:725009:01/2",
dissect: {
tokenizer: "server%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1196:725009:01/2",
dissect: {
tokenizer: "client%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup93 = set_field({
dest: "nwparser.event_description",
value: constant("Device proposes cipher(s)"),
});
var dup94 = set_field({
dest: "nwparser.eventcategory",
value: constant("1805020000"),
});
var dup95 = set_field({
dest: "nwparser.eventcategory",
value: constant("1805000000"),
});
var dup96 = match({
id: "MESSAGE#143:109019/0",
dissect: {
tokenizer: "Downloaded ACL %{p0->}",
field: "nwparser.payload",
},
});
var dup97 = match({
id: "MESSAGE#143:109019/2",
dissect: {
tokenizer: "%{info->}",
field: "nwparser.p1",
},
});
var dup98 = set_field({
dest: "nwparser.eventcategory",
value: constant("1501040000"),
});
var dup99 = set_field({
dest: "nwparser.ec_activity",
value: constant("Deny"),
});
var dup100 = set_field({
dest: "nwparser.event_description",
value: constant("Authorization denied"),
});
var dup101 = set_field({
dest: "nwparser.eventcategory",
value: constant("1803010000"),
});
var dup102 = set_field({
dest: "nwparser.ec_theme",
value: constant("Communication"),
});
var dup103 = set_field({
dest: "nwparser.event_description",
value: constant("session limit exceeded"),
});
var dup104 = linear_select([
match({
id: "MESSAGE#170:111006/2",
dissect: {
tokenizer: "'%{username->}' at %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#170:111006/2",
dissect: {
tokenizer: "%{username->} at %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup105 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401050100"),
});
var dup106 = set_field({
dest: "nwparser.ec_activity",
value: constant("Logon"),
});
var dup107 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701030000"),
});
var dup108 = set_field({
dest: "nwparser.ec_activity",
value: constant("Delete"),
});
var dup109 = set_field({
dest: "nwparser.eventcategory",
value: constant("1103000000"),
});
var dup110 = set_field({
dest: "nwparser.event_description",
value: constant("No translation group found"),
});
var dup111 = set_field({
dest: "nwparser.protocol",
value: constant("icmp"),
});
var dup112 = set_field({
dest: "nwparser.event_description",
value: constant("Web Cache acquired"),
});
var dup113 = set_field({
dest: "nwparser.eventcategory",
value: constant("1002020000"),
});
// dup114 stops after "Pre"; dup115 consumes the following "-" (i.e. "Pre-").
var dup114 = match({
id: "MESSAGE#291:302012/0",
dissect: {
tokenizer: "%{->}Pre%{p0->}",
field: "nwparser.payload",
},
});
var dup115 = linear_select([
match({
id: "MESSAGE#291:302012/2",
dissect: {
tokenizer: "-%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup116 = set_field({
dest: "nwparser.event_description",
value: constant("Connection pre-allocated"),
});
var dup117 = linear_select([
match({
id: "MESSAGE#751:610101/2",
dissect: {
tokenizer: "ed%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#751:610101/2",
dissect: {
tokenizer: "ure%{p1->}",
field: "nwparser.p0",
},
}),
]);
// dup118..dup124 form one multi-step parse for message 405102; the
// "oreign_address"/"addr" and "ocal_address"/"addr" alternatives continue
// words that the preceding step cut after its first letter.
var dup118 = match({
id: "MESSAGE#591:405102/0",
dissect: {
tokenizer: "Unable to Pre%{p0->}",
field: "nwparser.payload",
},
});
var dup119 = linear_select([
match({
id: "MESSAGE#591:405102/4",
dissect: {
tokenizer: "oreign_address%{p3->}",
field: "nwparser.p2",
},
}),
match({
id: "MESSAGE#591:405102/4",
dissect: {
tokenizer: "addr%{p3->}",
field: "nwparser.p2",
},
}),
]);
var dup120 = match({
id: "MESSAGE#591:405102/4",
dissect: {
tokenizer: "%{->} %{p4->}",
field: "nwparser.p3",
},
});
var dup121 = linear_select([
match({
id: "MESSAGE#591:405102/6",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to l%{p5->}",
field: "nwparser.p4",
},
}),
match({
id: "MESSAGE#591:405102/6",
dissect: {
tokenizer: "%{saddr->} to l%{p5->}",
field: "nwparser.p4",
},
}),
]);
var dup122 = linear_select([
match({
id: "MESSAGE#591:405102/7",
dissect: {
tokenizer: "ocal_address%{p6->}",
field: "nwparser.p5",
},
}),
match({
id: "MESSAGE#591:405102/7",
dissect: {
tokenizer: "addr%{p6->}",
field: "nwparser.p5",
},
}),
]);
var dup123 = match({
id: "MESSAGE#591:405102/7",
dissect: {
tokenizer: "%{->} %{p7->}",
field: "nwparser.p6",
},
});
var dup124 = linear_select([
match({
id: "MESSAGE#591:405102/8",
dissect: {
tokenizer: "%{daddr->}/%{dport->} ",
field: "nwparser.p7",
},
}),
match({
id: "MESSAGE#591:405102/8",
dissect: {
tokenizer: "%{daddr->} ",
field: "nwparser.p7",
},
}),
]);
var dup125 = set_field({
dest: "nwparser.event_description",
value: constant("Unable to create new connection"),
});
var dup126 = set_field({
dest: "nwparser.eventcategory",
value: constant("1501000000"),
});
var dup127 = set_field({
dest: "nwparser.event_description",
value: constant("NAT configured"),
});
var dup128 = match({
id: "MESSAGE#712:602202:01/0",
dissect: {
tokenizer: "ISAKMP session connect%{p0->}",
field: "nwparser.payload",
},
});
var dup129 = linear_select([
match({
id: "MESSAGE#712:602202:01/2",
dissect: {
tokenizer: "ed%{p1->}",
field: "nwparser.p0",
},
}),
]);
// Note the address roles: here the "local" side is daddr (responder) whereas
// dup132 maps "local" to saddr (initiator).
var dup130 = match({
id: "MESSAGE#712:602202:01/2",
dissect: {
tokenizer: "%{->}(local %{daddr->} (responder), remote %{saddr->})",
field: "nwparser.p1",
},
});
var dup131 = set_field({
dest: "nwparser.event_description",
value: constant("ISAKMP session connected"),
});
var dup132 = match({
id: "MESSAGE#713:602202/2",
dissect: {
tokenizer: "%{->}(local %{saddr->} (initiator), remote %{daddr->})",
field: "nwparser.p1",
},
});
var dup133 = set_field({
dest: "nwparser.ec_subject",
value: constant("Message"),
});
var dup134 = set_field({
dest: "nwparser.ec_activity",
value: constant("Receive"),
});
var dup135 = linear_select([
match({
id: "MESSAGE#168:111004/2",
dissect: {
tokenizer: "Console end configuration: %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#168:111004/2",
dissect: {
tokenizer: "console end configuration: %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#168:111004/2",
dissect: {
tokenizer: "%{hostip->} end configuration: %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup136 = match({
id: "MESSAGE#168:111004/2",
dissect: {
tokenizer: "%{disposition->}",
field: "nwparser.p1",
},
});
var dup137 = set_field({
dest: "nwparser.ec_activity",
value: constant("Stop"),
});
var dup138 = match({
id: "MESSAGE#960:713903/2",
dissect: {
tokenizer: "%{saddr->} , %{action->}",
field: "nwparser.p1",
},
});
var dup139 = match({
id: "MESSAGE#961:713903:01/2",
dissect: {
tokenizer: "Username = '%{username->}' , IP = %{p1->}",
field: "nwparser.p0",
},
});
var dup140 = match({
id: "MESSAGE#961:713903:01/2",
dissect: {
tokenizer: "Username = %{username->} , IP = %{p1->}",
field: "nwparser.p0",
},
});
var dup141 = match({
id: "MESSAGE#963:713903:03/0",
dissect: {
tokenizer: "%{->} %{event_description->}",
field: "nwparser.payload",
},
});
var dup142 = set_field({
dest: "nwparser.eventcategory",
value: constant("1802000000"),
});
var dup143 = set_field({
dest: "nwparser.ec_activity",
value: constant("Logoff"),
});
var dup144 = set_field({
dest: "nwparser.result",
value: constant("Succeeded"),
});
// Shared sub-processors dup145..dup193 (same conventions as dup0..dup44 above).
// dup145 is a bare constant rather than a processor — presumably used as a
// `value:` by parsers later in the file.
var dup145 = constant("Failed");
var dup146 = match({
id: "MESSAGE#313:302016:05/0",
dissect: {
tokenizer: "Teardown %{protocol->} connection %{connectionid->} for %{sinterface->}:%{p0->}",
field: "nwparser.payload",
},
});
// "\\" in these tokenizers is a single literal backslash (domain\user form).
var dup147 = linear_select([
match({
id: "MESSAGE#313:302016:05/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->}(%{sdomain->}\\%{fld7->}) to %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#313:302016:05/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to %{p1->}",
field: "nwparser.p0",
},
}),
]);
// Duration conversion: the first arg is a format string, the second the raw
// captured duration.
var dup148 = call({
dest: "nwparser.duration",
fn: DUR,
args: [
constant("%N:%U:%O"),
field("duration"),
],
});
var dup149 = set_field({
dest: "nwparser.event_description",
value: constant("teardown connection"),
});
var dup150 = linear_select([
match({
id: "MESSAGE#314:302016:07/1",
dissect: {
tokenizer: "%{bytes->} (%{username->})",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#314:302016:07/1",
dissect: {
tokenizer: "%{bytes->}",
field: "nwparser.p0",
},
}),
]);
var dup151 = linear_select([
match({
id: "MESSAGE#316:302016:06/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->}(%{sdomain->}\\%{fld5->}) to %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#316:302016:06/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup152 = match({
id: "MESSAGE#316:302016:06/2",
dissect: {
tokenizer: "%{dinterface->}:%{p2->}",
field: "nwparser.p1",
},
});
var dup153 = match({
id: "MESSAGE#316:302016:06/4",
dissect: {
tokenizer: "%{daddr->}/%{dport->}(%{ddomain->}\\%{c_username->}) duration %{p3->}",
field: "nwparser.p2",
},
});
var dup154 = match({
id: "MESSAGE#317:302016/4",
dissect: {
tokenizer: "%{daddr->}/%{dport->} duration %{p3->}",
field: "nwparser.p2",
},
});
var dup155 = match({
id: "MESSAGE#318:302016:01/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->}(%{sdomain->}\\%{fld5->}) to %{p1->}",
field: "nwparser.p0",
},
});
var dup156 = match({
id: "MESSAGE#318:302016:01/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to %{p1->}",
field: "nwparser.p0",
},
});
var dup157 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701000000"),
});
var dup158 = match({
id: "MESSAGE#1165:722029/2",
dissect: {
tokenizer: "%{saddr->}> SVC Session Termination:%{info->}",
field: "nwparser.p1",
},
});
var dup159 = set_field({
dest: "nwparser.event_description",
value: constant("SVC Session Termination"),
});
var dup160 = set_field({
dest: "nwparser.eventcategory",
value: constant("1613030100"),
});
var dup161 = set_field({
dest: "nwparser.eventcategory",
value: constant("1702030000"),
});
var dup162 = match({
id: "MESSAGE#550:401002/0",
dissect: {
tokenizer: "%{->}Shun%{p0->}",
field: "nwparser.payload",
},
});
var dup163 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701010000"),
});
var dup164 = set_field({
dest: "nwparser.ec_activity",
value: constant("Create"),
});
var dup165 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603020000"),
});
var dup166 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701020000"),
});
var dup167 = set_field({
dest: "nwparser.disposition",
value: constant("Failed"),
});
var dup168 = match({
id: "MESSAGE#1184:724004/2",
dissect: {
tokenizer: "%{hostip->}> Secure Desktop Results: %{info->}",
field: "nwparser.p1",
},
});
var dup169 = set_field({
dest: "nwparser.eventcategory",
value: constant("1704010000"),
});
var dup170 = set_field({
dest: "nwparser.protocol",
value: constant("UDP"),
});
var dup171 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401030000"),
});
var dup172 = set_field({
dest: "nwparser.event_description",
value: constant("login session failure"),
});
var dup173 = match({
id: "MESSAGE#1024:715052/2",
dissect: {
tokenizer: "%{result->}",
field: "nwparser.p1",
},
});
var dup174 = match({
id: "MESSAGE#971:713905/2",
dissect: {
tokenizer: "%{saddr->}, %{event_description->}",
field: "nwparser.p1",
},
});
var dup175 = linear_select([
match({
id: "MESSAGE#972:713905:01/2",
dissect: {
tokenizer: "Group = %{group->}, IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#972:713905:01/2",
dissect: {
tokenizer: "IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup176 = match({
id: "MESSAGE#974:713905:03/0",
dissect: {
tokenizer: "Username = %{p0->}",
field: "nwparser.payload",
},
});
// "Embyonic" (sic) is the emitted description value; it is kept as-is because
// downstream consumers may match on the exact string.
var dup177 = set_field({
dest: "nwparser.event_description",
value: constant("Embyonic connection limit exceeded"),
});
var dup178 = set_field({
dest: "nwparser.ec_outcome",
value: constant("Unknown"),
});
var dup179 = match({
id: "MESSAGE#150:109025/0",
dissect: {
tokenizer: "Authorization denied (acl=%{listnum->}) for user %{p0->}",
field: "nwparser.payload",
},
});
var dup180 = set_field({
dest: "nwparser.eventcategory",
value: constant("1803000000"),
});
// Unlike dup77/dup78, these patterns have a space after the "<<" escape.
var dup181 = match({
id: "MESSAGE#1172:722037/0",
dissect: {
tokenizer: "Group \u003c\u003c %{group->} > User %{p0->}",
field: "nwparser.payload",
},
});
var dup182 = linear_select([
match({
id: "MESSAGE#1172:722037/2",
dissect: {
tokenizer: "\u003c\u003c%{username->}> IP \u003c\u003c %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1172:722037/2",
dissect: {
tokenizer: "'%{username->}' IP \u003c\u003c %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1172:722037/2",
dissect: {
tokenizer: "%{username->} IP \u003c\u003c %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup183 = match({
id: "MESSAGE#475:338005/0",
dissect: {
tokenizer: "Dynamic %{p0->}",
field: "nwparser.payload",
},
});
var dup184 = linear_select([
match({
id: "MESSAGE#475:338005/2",
dissect: {
tokenizer: "F%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#475:338005/2",
dissect: {
tokenizer: "f%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup185 = set_field({
dest: "nwparser.event_description",
value: constant("translation creation failed"),
});
var dup186 = set_field({
dest: "nwparser.eventcategory",
value: constant("1608000000"),
});
var dup187 = linear_select([
match({
id: "MESSAGE#736:605004/1",
dissect: {
tokenizer: "\"%{username->}\" ",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#736:605004/1",
dissect: {
tokenizer: "'%{username->}' ",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#736:605004/1",
dissect: {
tokenizer: "%{username->} ",
field: "nwparser.p0",
},
}),
]);
// Bare constant, like dup145.
var dup188 = constant("Login denied");
var dup189 = match({
id: "MESSAGE#1151:721016/0",
dissect: {
tokenizer: "(WebVPN-%{context->}) %{event_description->} user %{p0->}",
field: "nwparser.payload",
},
});
var dup190 = linear_select([
match({
id: "MESSAGE#1151:721016/2",
dissect: {
tokenizer: "'%{username->}' , IP %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1151:721016/2",
dissect: {
tokenizer: "%{username->} , IP %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup191 = set_field({
dest: "nwparser.result",
value: constant("Authorization denied"),
});
var dup192 = set_field({
dest: "nwparser.direction",
value: constant("inbound"),
});
var dup193 = set_field({
dest: "nwparser.event_description",
value: constant("build connection"),
});
// Shared sub-processors dup194..dup237 (same conventions as dup0..dup44 above).
var dup194 = set_field({
dest: "nwparser.direction",
value: constant("outbound"),
});
var dup195 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603050000"),
});
var dup196 = set_field({
dest: "nwparser.event_description",
value: constant("connection denied"),
});
// dup197..dup203 form one multi-step parse for message 106102 (ACL hit-count
// log), chaining through p0..p5.
var dup197 = linear_select([
match({
id: "MESSAGE#104:106102:02/2",
dissect: {
tokenizer: "%{protocol->} for user '%{username->}' %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#104:106102:02/2",
dissect: {
tokenizer: "%{protocol->} %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup198 = match({
id: "MESSAGE#104:106102:02/2",
dissect: {
tokenizer: "%{sinterface->}/%{p2->}",
field: "nwparser.p1",
},
});
var dup199 = linear_select([
match({
id: "MESSAGE#104:106102:02/4",
dissect: {
tokenizer: "%{saddr->}(%{sport->}) -> %{p3->}",
field: "nwparser.p2",
},
}),
match({
id: "MESSAGE#104:106102:02/4",
dissect: {
tokenizer: "%{saddr->} %{sport->} %{p3->}",
field: "nwparser.p2",
},
}),
]);
var dup200 = match({
id: "MESSAGE#104:106102:02/4",
dissect: {
tokenizer: "%{dinterface->}/%{p4->}",
field: "nwparser.p3",
},
});
var dup201 = linear_select([
match({
id: "MESSAGE#104:106102:02/6",
dissect: {
tokenizer: "%{daddr->}(%{dport->}) hit-cnt %{p5->}",
field: "nwparser.p4",
},
}),
match({
id: "MESSAGE#104:106102:02/6",
dissect: {
tokenizer: "%{daddr->} %{dport->} hit-cnt %{p5->}",
field: "nwparser.p4",
},
}),
]);
var dup202 = match({
id: "MESSAGE#104:106102:02/6",
dissect: {
tokenizer: "%{dclass_counter1->} %{info->}",
field: "nwparser.p5",
},
});
var dup203 = set_field({
dest: "nwparser.dclass_counter1_string",
value: constant("HitCount"),
});
var dup204 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801020000"),
});
var dup205 = set_field({
dest: "nwparser.result",
value: constant("Freeing local pool address"),
});
var dup206 = set_field({
dest: "nwparser.eventcategory",
value: constant("1001030305"),
});
var dup207 = set_field({
dest: "nwparser.eventcategory",
value: constant("1606000000"),
});
var dup208 = match({
id: "MESSAGE#1037:715065/2",
dissect: {
tokenizer: "Group = %{group->}, IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
});
var dup209 = match({
id: "MESSAGE#1037:715065/2",
dissect: {
tokenizer: "Username = %{username->}, IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
});
var dup210 = match({
id: "MESSAGE#1037:715065/2",
dissect: {
tokenizer: "IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
});
var dup211 = match({
id: "MESSAGE#1216:734003:01/0",
dissect: {
tokenizer: "%{process->}: User %{p0->}",
field: "nwparser.payload",
},
});
var dup212 = linear_select([
match({
id: "MESSAGE#1216:734003:01/2",
dissect: {
tokenizer: "'%{username->}' , Addr %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1216:734003:01/2",
dissect: {
tokenizer: "%{username->} , Addr %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup213 = match({
id: "MESSAGE#474:338004/2",
dissect: {
tokenizer: "ilter %{p2->}",
field: "nwparser.p1",
},
});
var dup214 = linear_select([
match({
id: "MESSAGE#474:338004/4",
dissect: {
tokenizer: "permitt%{p3->}",
field: "nwparser.p2",
},
}),
match({
id: "MESSAGE#474:338004/4",
dissect: {
tokenizer: "monitor%{p3->}",
field: "nwparser.p2",
},
}),
]);
var dup215 = linear_select([
match({
id: "MESSAGE#681:502102/2",
dissect: {
tokenizer: "'%{username->}' Priv: %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#681:502102/2",
dissect: {
tokenizer: "%{username->} Priv: %{p1->}",
field: "nwparser.p0",
},
}),
]);
// NOTE(review): fld2 receives whatever follows "Encpass:" in the 502102
// message, which by its name looks like credential material (an encrypted
// password or hash). Confirm whether downstream retains, indexes or displays
// fld2, and whether it should be dropped or masked instead.
var dup216 = match({
id: "MESSAGE#681:502102/2",
dissect: {
tokenizer: "%{fld1->} Encpass: %{fld2->}",
field: "nwparser.p1",
},
});
var dup217 = set_field({
dest: "nwparser.ec_theme",
value: constant("UserGroup"),
});
var dup218 = match({
id: "MESSAGE#706:602101/2",
dissect: {
tokenizer: "s%{p1->}",
field: "nwparser.p0",
},
});
var dup219 = match({
id: "MESSAGE#293:302013/0",
dissect: {
tokenizer: "Built inbound %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{p0->}",
field: "nwparser.payload",
},
});
var dup220 = linear_select([
match({
id: "MESSAGE#293:302013/2",
dissect: {
tokenizer: "%{stransport->})(%{domain->}\\%{fld3->})%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#293:302013/2",
dissect: {
tokenizer: "%{stransport->}) %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup221 = match({
id: "MESSAGE#294:302013:01/0",
dissect: {
tokenizer: "Built outbound %{protocol->} connection %{connectionid->} for %{dinterface->}:%{daddr->}/%{dport->} (%{dtransaddr->}/%{dtransport->}) to %{sinterface->}:%{saddr->}/%{sport->} (%{stransaddr->}/%{stransport->}) %{p0->}",
field: "nwparser.payload",
},
});
var dup222 = linear_select([
match({
id: "MESSAGE#294:302013:01/2",
dissect: {
tokenizer: "'%{username->}'%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#294:302013:01/2",
dissect: {
tokenizer: "(%{username->})%{p1->}",
field: "nwparser.p0",
},
}),
]);
// Consumes the remainder of p1 without capturing anything.
var dup223 = match({
id: "MESSAGE#294:302013:01/2",
dissect: {
tokenizer: "%{->} ",
field: "nwparser.p1",
},
});
var dup224 = match({
id: "MESSAGE#295:302013:02/2",
dissect: {
tokenizer: "%{stransport->}) %{p1->}",
field: "nwparser.p0",
},
});
var dup225 = match({
id: "MESSAGE#299:302013:06/2",
dissect: {
tokenizer: "%{dtransaddr->}/%{dtransport->})(%{domain->}\\%{username->}) to %{p1->}",
field: "nwparser.p0",
},
});
var dup226 = match({
id: "MESSAGE#299:302013:06/2",
dissect: {
tokenizer: "%{dtransaddr->}/%{dtransport->}) to %{p1->}",
field: "nwparser.p0",
},
});
var dup227 = linear_select([
match({
id: "MESSAGE#299:302013:06/3",
dissect: {
tokenizer: "%{sinterface->}:%{fld2->}:%{saddr->}/%{p2->}",
field: "nwparser.p1",
},
}),
match({
id: "MESSAGE#299:302013:06/3",
dissect: {
tokenizer: "%{sinterface->}:%{saddr->}/%{p2->}",
field: "nwparser.p1",
},
}),
]);
var dup228 = match({
id: "MESSAGE#299:302013:06/3",
dissect: {
tokenizer: "%{sport->} (%{stransaddr->}/%{stransport->})",
field: "nwparser.p2",
},
});
var dup229 = set_field({
dest: "nwparser.eventcategory",
value: constant("1805010000"),
});
var dup230 = match({
id: "MESSAGE#484:338202/2",
dissect: {
tokenizer: "ilter %{p2->}",
field: "nwparser.p1",
},
});
var dup231 = set_field({
dest: "nwparser.event_description",
value: constant("IKE lost contact with remote peer deleting connection"),
});
var dup232 = set_field({
dest: "nwparser.event_description",
value: constant("IKE Initiator New/Rekeying Phase"),
});
// The trailing space in this value is part of the emitted string; kept as-is
// because downstream consumers may match on it exactly.
var dup233 = set_field({
dest: "nwparser.result",
value: constant("Local pool request succeeded "),
});
var dup234 = set_field({
dest: "nwparser.event_description",
value: constant("Built translation"),
});
var dup235 = linear_select([
match({
id: "MESSAGE#726:603107/2",
dissect: {
tokenizer: ",%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup236 = match({
id: "MESSAGE#152:109027/2",
dissect: {
tokenizer: "i%{p1->}",
field: "nwparser.p0",
},
});
var dup237 = linear_select([
match({
id: "MESSAGE#152:109027/3",
dissect: {
tokenizer: "'%{username->}' ",
field: "nwparser.p2",
},
}),
match({
id: "MESSAGE#152:109027/3",
dissect: {
tokenizer: "%{username->} ",
field: "nwparser.p2",
},
}),
]);
var dup238 = linear_select([
match({
id: "MESSAGE#189:113012/1",
dissect: {
tokenizer: "'%{username->}' ",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#189:113012/1",
dissect: {
tokenizer: "%{username->} ",
field: "nwparser.p0",
},
}),
]);
var dup239 = set_field({
dest: "nwparser.eventcategory",
value: constant("1001030200"),
});
var dup240 = set_field({
dest: "nwparser.event_description",
value: constant("FTP connection terminated"),
});
var dup241 = match({
id: "MESSAGE#1031:715059/2",
dissect: {
tokenizer: "%{saddr->}, %{action->}",
field: "nwparser.p1",
},
});
var dup242 = linear_select([
match({
id: "MESSAGE#855:713024/2",
dissect: {
tokenizer: "%{group->}, Username = '%{username->}', IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#855:713024/2",
dissect: {
tokenizer: "%{group->}, Username = %{username->}, IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#855:713024/2",
dissect: {
tokenizer: "%{group->}, IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup243 = match({
id: "MESSAGE#855:713024/2",
dissect: {
tokenizer: "%{action->}:%{info->}",
field: "nwparser.p1",
},
});
var dup244 = set_field({
dest: "nwparser.eventcategory",
value: constant("1613040200"),
});
var dup245 = set_field({
dest: "nwparser.event_description",
value: constant("Rekeying duration changed"),
});
var dup246 = match({
id: "MESSAGE#810:702204:01/0",
dissect: {
tokenizer: "ISAKMP Phase 1 retransmi%{p0->}",
field: "nwparser.payload",
},
});
var dup247 = linear_select([
match({
id: "MESSAGE#810:702204:01/2",
dissect: {
tokenizer: "ssion%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#810:702204:01/2",
dissect: {
tokenizer: "t%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup248 = set_field({
dest: "nwparser.event_description",
value: constant("Phase 1 retransmission"),
});
var dup249 = match({
id: "MESSAGE#1187:725002/2",
dissect: {
tokenizer: "%{->} %{interface->}:%{p2->}",
field: "nwparser.p1",
},
});
var dup250 = set_field({
dest: "nwparser.eventcategory",
value: constant("1613050100"),
});
var dup251 = linear_select([
match({
id: "MESSAGE#219:201004:01/2",
dissect: {
tokenizer: "static%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#219:201004:01/2",
dissect: {
tokenizer: "xlate%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup252 = set_field({
dest: "nwparser.event_description",
value: constant("Login session failed"),
});
var dup253 = set_field({
dest: "nwparser.event_description",
value: constant("User Authentication failed"),
});
var dup254 = linear_select([
]);
var dup255 = match({
id: "MESSAGE#1198:725010/2",
dissect: {
tokenizer: ".%{->}",
field: "nwparser.p1",
},
});
var dup256 = set_field({
dest: "nwparser.eventcategory",
value: constant("1207010200"),
});
var dup257 = set_field({
dest: "nwparser.event_description",
value: constant("icmp packet denied"),
});
var dup258 = set_field({
dest: "nwparser.result",
value: constant("to/from mangement-only network"),
});
var dup259 = set_field({
dest: "nwparser.protocol",
value: constant("ICMP"),
});
var dup260 = match({
id: "MESSAGE#651:418001:01/2",
dissect: {
tokenizer: "%{dinterface->}:%{daddr->}/%{dport->}",
field: "nwparser.p1",
},
});
var dup261 = set_field({
dest: "nwparser.event_description",
value: constant("packet denied"),
});
var dup262 = match({
id: "MESSAGE#174:111010/0",
dissect: {
tokenizer: "User %{p0->}",
field: "nwparser.payload",
},
});
var dup263 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401040000"),
});
var dup264 = set_field({
dest: "nwparser.eventcategory",
value: constant("1605010000"),
});
var dup265 = linear_select([
match({
id: "MESSAGE#1243:737017/2",
dissect: {
tokenizer: "Session=%{sessionid->},%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup266 = linear_select([
match({
id: "MESSAGE#625:411005/2",
dissect: {
tokenizer: "I%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#625:411005/2",
dissect: {
tokenizer: "i%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup267 = linear_select([
match({
id: "MESSAGE#1163:722027/3",
dissect: {
tokenizer: "%{saddr->} (%{fld1->}) > %{p2->}",
field: "nwparser.p1",
},
}),
match({
id: "MESSAGE#1163:722027/3",
dissect: {
tokenizer: "%{saddr->} > %{p2->}",
field: "nwparser.p1",
},
}),
]);
var dup268 = linear_select([
match({
id: "MESSAGE#1163:722027/4",
dissect: {
tokenizer: "TCP %{p3->}",
field: "nwparser.p2",
},
}),
match({
id: "MESSAGE#1163:722027/4",
dissect: {
tokenizer: "UDP %{p3->}",
field: "nwparser.p2",
},
}),
]);
var dup269 = set_field({
dest: "nwparser.event_description",
value: constant("Policy installed"),
});
var dup270 = linear_select([
match({
id: "MESSAGE#1161:722023/6",
dissect: {
tokenizer: "out%{p5->}",
field: "nwparser.p4",
},
}),
]);
var dup271 = set_field({
dest: "nwparser.event_description",
value: constant("request discarded"),
});
var dup272 = set_field({
dest: "nwparser.eventcategory",
value: constant("1610000000"),
});
var dup273 = linear_select([
match({
id: "MESSAGE#1001:715021/2",
dissect: {
tokenizer: "Username = '%{username->}', IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1001:715021/2",
dissect: {
tokenizer: "Username = %{username->}, IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1001:715021/2",
dissect: {
tokenizer: "IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup274 = linear_select([
match({
id: "MESSAGE#96:106027/1",
dissect: {
tokenizer: "\"%{rule_group->}\" ",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#96:106027/1",
dissect: {
tokenizer: "%{rule_group->} ",
field: "nwparser.p0",
},
}),
]);
var dup275 = set_field({
dest: "nwparser.event_description",
value: constant("denied by access-group"),
});
var dup276 = match({
id: "MESSAGE#385:305013/2",
dissect: {
tokenizer: "%{sport->}(%{domain->}\\%{username->}) dst %{p1->}",
field: "nwparser.p0",
},
});
var dup277 = match({
id: "MESSAGE#385:305013/2",
dissect: {
tokenizer: "%{sport->} dst %{p1->}",
field: "nwparser.p0",
},
});
var dup278 = set_field({
dest: "nwparser.result",
value: constant("due to NAT reverse path failure"),
});
var dup279 = linear_select([
match({
id: "MESSAGE#552:401004/2",
dissect: {
tokenizer: "ned%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup280 = linear_select([
match({
id: "MESSAGE#989:714011/2",
dissect: {
tokenizer: "Group = %{group->}, Username = '%{username->}', IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#989:714011/2",
dissect: {
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#989:714011/2",
dissect: {
tokenizer: "Group = %{group->}, IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#989:714011/2",
dissect: {
tokenizer: "IP = %{saddr->} , %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup281 = match({
id: "MESSAGE#302:302014:03/3",
dissect: {
tokenizer: "%{->} %{result->}",
field: "nwparser.p2",
},
});
var dup282 = match({
id: "MESSAGE#303:302014:02/1",
dissect: {
tokenizer: "(%{result->}) ",
field: "nwparser.p0",
},
});
var dup283 = match({
id: "MESSAGE#304:302014:04/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->}(%{domain->}\\%{fld3->}) to %{p1->}",
field: "nwparser.p0",
},
});
var dup284 = linear_select([
match({
id: "MESSAGE#304:302014:04/3",
dissect: {
tokenizer: "%{info->} (%{username->})",
field: "nwparser.p2",
},
}),
match({
id: "MESSAGE#304:302014:04/3",
dissect: {
tokenizer: "%{info->}",
field: "nwparser.p2",
},
}),
]);
var dup285 = match({
id: "MESSAGE#307:302014:01/1",
dissect: {
tokenizer: "%{result->} ",
field: "nwparser.p0",
},
});
var dup286 = set_field({
dest: "nwparser.event_description",
value: constant("NAT exemption configured"),
});
var dup287 = match({
id: "MESSAGE#824:702211:01/0",
dissect: {
tokenizer: "ISAKMP Phase 2 exchange complete%{p0->}",
field: "nwparser.payload",
},
});
var dup288 = match({
id: "MESSAGE#824:702211:01/2",
dissect: {
tokenizer: "%{->} %{saddr->} (initiator), remote %{daddr->})",
field: "nwparser.p1",
},
});
var dup289 = set_field({
dest: "nwparser.event_description",
value: constant("Phase 1 exchange completed"),
});
var dup290 = match({
id: "MESSAGE#825:702211/2",
dissect: {
tokenizer: "%{->} %{daddr->} (responder), remote %{saddr->})",
field: "nwparser.p1",
},
});
var dup291 = set_field({
dest: "nwparser.event_description",
value: constant("authentication failed"),
});
var dup292 = set_field({
dest: "nwparser.eventcategory",
value: constant("1302000000"),
});
var dup293 = set_field({
dest: "nwparser.ec_subject",
value: constant("Certificate"),
});
var dup294 = set_field({
dest: "nwparser.event_description",
value: constant("connection dropped"),
});
var dup295 = set_field({
dest: "nwparser.event_description",
value: constant("teardown translation"),
});
var dup296 = linear_select([
match({
id: "MESSAGE#383:305012/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->}(%{fld51->}) to %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#383:305012/2",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup297 = linear_select([
match({
id: "MESSAGE#384:305012:01/2",
dissect: {
tokenizer: "%{dinterface->}(%{fld52->}):%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#384:305012:01/2",
dissect: {
tokenizer: "%{dinterface->}:%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup298 = match({
id: "MESSAGE#629:413003/2",
dissect: {
tokenizer: ".%{p1->}",
field: "nwparser.p0",
},
});
var dup299 = set_field({
dest: "nwparser.event_description",
value: constant("IPS request to drop packet"),
});
var dup300 = match({
id: "MESSAGE#860:713035/2",
dissect: {
tokenizer: "%{saddr->} , %{action->}:%{info->}",
field: "nwparser.p1",
},
});
var dup301 = constant("Routing failed to locate next-hop");
var dup302 = set_field({
dest: "nwparser.disposition",
value: constant("failed"),
});
var dup303 = match({
id: "MESSAGE#1016:715046:01/1",
dissect: {
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{p0->}",
field: "nwparser.payload",
},
});
var dup304 = match({
id: "MESSAGE#1016:715046:01/1",
dissect: {
tokenizer: "%{event_description->}",
field: "nwparser.p0",
},
});
var dup305 = linear_select([
match({
id: "MESSAGE#1021:715049:01/1",
dissect: {
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{p0->}",
field: "nwparser.payload",
},
}),
match({
id: "MESSAGE#1021:715049:01/1",
dissect: {
tokenizer: "Username = %{username->}, IP = %{saddr->}, %{p0->}",
field: "nwparser.payload",
},
}),
]);
var dup306 = set_field({
dest: "nwparser.event_description",
value: constant("Teardown connection"),
});
var dup307 = match({
id: "MESSAGE#340:302026/0",
dissect: {
tokenizer: "Built %{p0->}",
field: "nwparser.payload",
},
});
var dup308 = match({
id: "MESSAGE#340:302026/2",
dissect: {
tokenizer: "backup%{p1->}",
field: "nwparser.p0",
},
});
var dup309 = match({
id: "MESSAGE#340:302026/2",
dissect: {
tokenizer: "director%{p1->}",
field: "nwparser.p0",
},
});
var dup310 = match({
id: "MESSAGE#340:302026/2",
dissect: {
tokenizer: "%{->}stub %{protocol->} connection %{connectionid->} for %{sinterface->}:%{saddr->}/%{sport->} (%{fld1->}) to %{dinterface->}:%{daddr->}/%{dport->} (%{fld2->})",
field: "nwparser.p1",
},
});
var dup311 = set_field({
dest: "nwparser.event_description",
value: constant("Built connection"),
});
var dup312 = match({
id: "MESSAGE#559:402116/0",
dissect: {
tokenizer: "IPSEC: Received an ESP packet (SPI= %{dst_spi->}, sequence number= %{fld2->}) from %{saddr->} %{p0->}",
field: "nwparser.payload",
},
});
var dup313 = linear_select([
match({
id: "MESSAGE#559:402116/2",
dissect: {
tokenizer: "(user=%{username->}) to %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#559:402116/2",
dissect: {
tokenizer: "(%{username->}) to %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#559:402116/2",
dissect: {
tokenizer: "'%{username->}' to %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#559:402116/2",
dissect: {
tokenizer: "%{username->} to %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup314 = match({
id: "MESSAGE#381:305011:01/2",
dissect: {
tokenizer: "%{daddr->}/%{dport->}",
field: "nwparser.p1",
},
});
var dup315 = linear_select([
match({
id: "MESSAGE#684:502112/2",
dissect: {
tokenizer: "'%{username->}' Type:%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#684:502112/2",
dissect: {
tokenizer: "%{username->} Type:%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup316 = match({
id: "MESSAGE#684:502112/2",
dissect: {
tokenizer: "%{fld1->}",
field: "nwparser.p1",
},
});
var dup317 = set_field({
dest: "nwparser.result",
value: constant("User authentication succeeded"),
});
var dup318 = set_field({
dest: "nwparser.event_description",
value: constant("SSL server requesting certificate for authentication"),
});
var dup319 = call({
dest: "nwparser.bytes",
fn: CALC,
args: [
field("sbytes"),
constant("+"),
field("rbytes"),
],
});
var dup320 = set_field({
dest: "nwparser.ec_theme",
value: constant("TEV"),
});
var dup321 = match({
id: "MESSAGE#419:315011/0",
dissect: {
tokenizer: "SSH session from %{saddr->} on interface %{interface->} for user %{p0->}",
field: "nwparser.payload",
},
});
var dup322 = match({
id: "MESSAGE#622:411002/2",
dissect: {
tokenizer: "nterface %{interface->} %{p2->}",
field: "nwparser.p1",
},
});
var dup323 = linear_select([
match({
id: "MESSAGE#622:411002/3",
dissect: {
tokenizer: ", %{result->} ",
field: "nwparser.p2",
},
}),
match({
id: "MESSAGE#622:411002/3",
dissect: {
tokenizer: "%{result->} ",
field: "nwparser.p2",
},
}),
]);
var dup324 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603030000"),
});
var dup325 = set_field({
dest: "nwparser.event_description",
value: constant("Denied IPv6-ICMP"),
});
var dup326 = set_field({
dest: "nwparser.eventcategory",
value: constant("1604010000"),
});
var dup327 = set_field({
dest: "nwparser.ec_activity",
value: constant("Read"),
});
var dup328 = set_field({
dest: "nwparser.event_description",
value: constant("Device chooses cipher for the SSL session"),
});
var dup329 = match({
id: "MESSAGE#870:713218/2",
dissect: {
tokenizer: "%{saddr->}, Tunnel Rejected: %{action->}",
field: "nwparser.p1",
},
});
var dup330 = set_field({
dest: "nwparser.result",
value: constant("Tunnel Rejected"),
});
var dup331 = set_field({
dest: "nwparser.eventcategory",
value: constant("1901000000"),
});
var dup332 = set_field({
dest: "nwparser.id",
value: field("p_msgid"),
});
var dup333 = set_field({
dest: "nwparser.msg_id",
value: field("p_msgid"),
});
var dup334 = set_field({
dest: "nwparser.vid",
value: field("p_msgid"),
});
var dup335 = set_field({
dest: "nwparser.event_description",
value: constant("IKEGetUserAttributes"),
});
var dup336 = set_field({
dest: "nwparser.event_description",
value: constant("Invalid destination"),
});
var dup337 = set_field({
dest: "nwparser.result",
value: constant("all servers failed"),
});
var dup338 = set_field({
dest: "nwparser.eventcategory",
value: constant("1607000000"),
});
var dup339 = match({
id: "MESSAGE#975:713906:01/0",
dissect: {
tokenizer: "Group = %{group->}, Username = %{username->}, IP = %{saddr->}, %{p0->}",
field: "nwparser.payload",
},
});
var dup340 = match({
id: "MESSAGE#975:713906:01/1",
dissect: {
tokenizer: "%{event_description->} Proxy Id:%{fld1->} Remote host: %{hostname->} Protocol %{protocol->} Port %{port->} Local subnet: %{fld2->} mask %{mask->} Protocol %{fld3->} Port %{fld4->} ",
field: "nwparser.p0",
},
});
var dup341 = match({
id: "MESSAGE#976:713906:03/0",
dissect: {
tokenizer: "Group = %{group->}, IP = %{saddr->}, %{p0->}",
field: "nwparser.payload",
},
});
var dup342 = match({
id: "MESSAGE#977:713906/0",
dissect: {
tokenizer: "IP = %{saddr->},%{p0->}",
field: "nwparser.payload",
},
});
var dup343 = linear_select([
match({
id: "MESSAGE#191:113014/2",
dissect: {
tokenizer: "entic%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#191:113014/2",
dissect: {
tokenizer: "oriz%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup344 = match({
id: "MESSAGE#797:620001:01/2",
dissect: {
tokenizer: "C%{p1->}",
field: "nwparser.p0",
},
});
var dup345 = linear_select([
match({
id: "MESSAGE#797:620001:01/4",
dissect: {
tokenizer: "%{saddr->}/%{sport->} to %{p3->}",
field: "nwparser.p2",
},
}),
match({
id: "MESSAGE#797:620001:01/4",
dissect: {
tokenizer: "%{saddr->} to %{p3->}",
field: "nwparser.p2",
},
}),
]);
var dup346 = match({
id: "MESSAGE#797:620001:01/4",
dissect: {
tokenizer: "%{dinterface->}: %{p4->}",
field: "nwparser.p3",
},
});
var dup347 = set_field({
dest: "nwparser.event_description",
value: constant("Pre-allocate connection"),
});
var dup348 = match({
id: "MESSAGE#325:302020/3",
dissect: {
tokenizer: "%{hostip->} laddr %{p2->}",
field: "nwparser.p1",
},
});
var dup349 = match({
id: "MESSAGE#326:302020:04/1",
dissect: {
tokenizer: "%{sport->} type %{icmptype->} code %{icmpcode->}",
field: "nwparser.p0",
},
});
var dup350 = match({
id: "MESSAGE#326:302020:04/1",
dissect: {
tokenizer: "%{sport->}",
field: "nwparser.p0",
},
});
var dup351 = set_field({
dest: "nwparser.eventcategory",
value: constant("1611000000"),
});
var dup352 = match({
id: "MESSAGE#1153:722001/0",
dissect: {
tokenizer: "IP %{p0->}",
field: "nwparser.payload",
},
});
var dup353 = linear_select([
match({
id: "MESSAGE#1153:722001/2",
dissect: {
tokenizer: "%{saddr->} (%{fld1->}) %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#1153:722001/2",
dissect: {
tokenizer: "%{saddr->} %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup354 = match({
id: "MESSAGE#1153:722001/2",
dissect: {
tokenizer: "%{event_description->}.",
field: "nwparser.p1",
},
});
var dup355 = set_field({
dest: "nwparser.eventcategory",
value: constant("1601010000"),
});
var dup356 = set_field({
dest: "nwparser.result",
value: constant("hardware accelerator error"),
});
var dup357 = match({
id: "MESSAGE#59:106002/0",
dissect: {
tokenizer: "%{protocol->} %{p0->}",
field: "nwparser.payload",
},
});
var dup358 = linear_select([
match({
id: "MESSAGE#59:106002/2",
dissect: {
tokenizer: "C%{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#59:106002/2",
dissect: {
tokenizer: "c%{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup359 = set_field({
dest: "nwparser.eventcategory",
value: constant("1803020000"),
});
var dup360 = match({
id: "MESSAGE#814:702206:01/0",
dissect: {
tokenizer: "ISAKMP malform%{p0->}",
field: "nwparser.payload",
},
});
var dup361 = set_field({
dest: "nwparser.event_description",
value: constant("malformed payload received"),
});
var dup362 = set_field({
dest: "nwparser.event_description",
value: constant("User executed command"),
});
var dup363 = set_field({
dest: "nwparser.event_description",
value: constant("Testing Interface"),
});
var dup364 = set_field({
dest: "nwparser.protocol",
value: constant("TCP"),
});
var dup365 = linear_select([
match({
id: "MESSAGE#867:713050/2",
dissect: {
tokenizer: "%{group->}, Username = '%{username->}' , IP = %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#867:713050/2",
dissect: {
tokenizer: "%{group->}, Username = %{username->} , IP = %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#867:713050/2",
dissect: {
tokenizer: "%{group->} , IP = %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup366 = match({
id: "MESSAGE#346:303002:02/2",
dissect: {
tokenizer: "'%{username->}' %{p1->}",
field: "nwparser.p0",
},
});
var dup367 = match({
id: "MESSAGE#346:303002:02/2",
dissect: {
tokenizer: "%{username->} %{p1->}",
field: "nwparser.p0",
},
});
var dup368 = match({
id: "MESSAGE#489:338303/2",
dissect: {
tokenizer: ",%{p1->}",
field: "nwparser.p0",
},
});
var dup369 = linear_select([
match({
id: "MESSAGE#331:302021/2",
dissect: {
tokenizer: "%{hostip->}/%{fld4->} laddr %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#331:302021/2",
dissect: {
tokenizer: "%{hostip->} laddr %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup370 = linear_select([
match({
id: "MESSAGE#331:302021/2",
dissect: {
tokenizer: "%{daddr->}/%{dport->}(%{username->})",
field: "nwparser.p1",
},
}),
match({
id: "MESSAGE#331:302021/2",
dissect: {
tokenizer: "%{daddr->}/%{dport->} %{username->}",
field: "nwparser.p1",
},
}),
match({
id: "MESSAGE#331:302021/2",
dissect: {
tokenizer: "%{daddr->}/%{dport->}",
field: "nwparser.p1",
},
}),
]);
var dup371 = set_field({
dest: "nwparser.event_description",
value: constant("denied by access-list"),
});
var dup372 = set_field({
dest: "nwparser.event_description",
value: constant("Session terminated"),
});
var dup373 = linear_select([
match({
id: "MESSAGE#133:109012/2",
dissect: {
tokenizer: "'%{username->}' , sid %{p1->}",
field: "nwparser.p0",
},
}),
match({
id: "MESSAGE#133:109012/2",
dissect: {
tokenizer: "%{username->} , sid %{p1->}",
field: "nwparser.p0",
},
}),
]);
var dup374 = match({
id: "MESSAGE#822:702210:01/0",
dissect: {
tokenizer: "ISAKMP Phase 1 exchange complete%{p0->}",
field: "nwparser.payload",
},
});
var dup375 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701070000"),
});
var dup376 = set_field({
dest: "nwparser.ec_activity",
value: constant("Disable"),
});
var dup377 = match({
id: "MESSAGE#617:410001/0",