Generate mmnormalize rulebase for Palo Alto Networks NGFW logs
# Field lists, in on-wire order, for the PAN-OS THREAT and TRAFFIC log formats.
# Each *_FIELDS_<major>_<minor> constant is selected by its name prefix below and
# becomes one rule; the version suffix is only used as the rule name.  A name that
# starts with '@' is emitted as a literal token (the marker is stripped); every
# other name becomes a field parser that stops at the next tab.  The later lists
# extend the earlier ones, so a mistake in an early list propagates to every
# newer version.
# NOTE(review): nothing here checks the per-version field order or count
# against the vendor's log-field reference; a column that is off by one makes
# every later field carry the wrong value — verify each list when updating.
# The future_use* names presumably stand for reserved columns — confirm.
THREAT_FIELDS_5_0 = ["future_use1","receive_time","serial_number","@THREAT","log_subtype","future_use2",
"generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user",
"dest_user","app","virtual_system","src_zone","dest_zone","src_interface","dest_interface",
"log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port",
"src_translated_port","dest_translated_port","flags","protocol","action","misc","threat_name",
"category","severity","direction","sequence_number","action_flags","src_location","dest_location",
"future_use4","content_type"]
# Each newer THREAT format appends columns to the previous one.
THREAT_FIELDS_6_0 = THREAT_FIELDS_5_0 + ["pcap_id", "url_idx", "cloud_address"]
THREAT_FIELDS_6_1 = THREAT_FIELDS_6_0 + ["future_use5","user_agent", "filetype","xff","referrer","sender","subject","recipient","report_id"]
THREAT_FIELDS_7_1 = THREAT_FIELDS_6_1 + ["dg_hier_level_1","dg_hier_level_2","dg_hier_level_3","dg_hier_level_4","vsys_name","device_name","future_use6"]
THREAT_FIELDS_8_1 = THREAT_FIELDS_7_1 + ["source_vm_uuid", "destination_vm_uuid", "http_method", "tunnel_id_imsi", "monitor_tag_imei", "parent_session_id", "parent_start_time", "tunnel_type", "threat_category", "content_version", "future_use", "sctp_association_id", "payload_protocol_id", "http_headers"]
THREAT_FIELDS_9_0 = THREAT_FIELDS_8_1 + ["url_category_list", "uuid_for_rule", "http2_connection"]
THREAT_FIELDS_9_1 = THREAT_FIELDS_9_0 + ["dynamic_user_group_name"]
# TRAFFIC format: same leading columns as THREAT up to "action", then the
# byte/packet counters instead of the threat columns.
TRAFFIC_FIELDS_6_0 = ["future_use1","receive_time","serial_number","@TRAFFIC","log_subtype","future_use2",
"generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user",
"dest_user","app","virtual_system","src_zone","dest_zone","src_interface","dest_interface",
"log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port",
"src_translated_port","dest_translated_port","flags","protocol","action","bytes","bytes_out","bytes_in",
"packets","start_time","duration","category","future_use4","sequence_number","action_flags",
"src_location","dest_location","future_use5","packets_out","packets_in"]
# Each newer TRAFFIC format appends columns to the previous one.
TRAFFIC_FIELDS_6_1 = TRAFFIC_FIELDS_6_0 + ["session_end_reason"]
TRAFFIC_FIELDS_7_0 = TRAFFIC_FIELDS_6_1 + ["dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name", "action_source"]
TRAFFIC_FIELDS_8_1 = TRAFFIC_FIELDS_7_0 + ["source_vm_uuid", "destination_vm_uuid", "tunnel_id_imsi", "monitor_tag_imei", "parent_session_id", "parent_start_time", "tunnel_type", "sctp_association_id", "sctp_chunks", "sctp_chunks_sent", "sctp_chunks_received"]
TRAFFIC_FIELDS_9_0 = TRAFFIC_FIELDS_8_1 + ["uuid_for_rule", "http2_connection"]
TRAFFIC_FIELDS_9_1 = TRAFFIC_FIELDS_9_0 + ["link_change_count", "policy_id", "link_switches", "sdwan_cluster", "sdwan_device_type", "sdwan_site", "dynamic_user_group_name"]
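def build_rule(tag, name, fields):
    """Return one liblognorm rule line for a tab-separated PAN-OS log format.

    Args:
        tag: rule tag written after ``rule=`` (``TRAFFIC`` or ``THREAT``).
        name: rule name written after the tag (the field-list constant's name).
        fields: field names in on-wire order.  A name starting with ``@`` is
            emitted as a literal token with the marker stripped; every other
            name becomes a ``char-sep`` parser that consumes up to the next tab.

    Returns:
        The ``rule=TAG,NAME:...`` line, with the pieces joined by a literal
        ``\\x09`` escape so the rulebase matches a tab between fields.
    """
    parts = []
    for field in fields:
        if field.startswith('@'):
            parts.append(field[1:])
        else:
            # Field values are taken from the log as-is up to the separator;
            # a value that itself contains a tab would shift every later column.
            parts.append('%%%s:char-sep:\\x09%%' % field)
    return 'rule=%s,%s:%s' % (tag, name, '\\x09'.join(parts))


def rules_for_prefix(prefix, namespace=None):
    """Return rule lines for every field list whose name starts with *prefix*.

    Args:
        prefix: name prefix to select on; also used as the rule tag.
        namespace: mapping of names to field lists.  Defaults to this module's
            globals, where the ``*_FIELDS_*`` constants live.

    Returns:
        Rule lines sorted by constant name, so the output is deterministic
        instead of following dict iteration order.
    """
    if namespace is None:
        namespace = globals()
    # sorted() also snapshots the names: the replaced loop iterated a live
    # globals().items() while binding new module names, which fails on Python 3.
    names = sorted(key for key in namespace if key.startswith(prefix))
    return [build_rule(prefix, key, namespace[key]) for key in names]


def render_rulebase(namespace=None):
    """Return the complete rulebase as a list of output lines.

    Layout: a ``# TRAFFIC rules`` header, each rule surrounded by a blank line,
    the same for THREAT, then the two ``annotate`` lines that stamp a ``type``
    field on every event the rules parse.

    Args:
        namespace: mapping of names to field lists; defaults to module globals.
    """
    if namespace is None:
        namespace = globals()
    lines = []
    for tag in ('TRAFFIC', 'THREAT'):
        lines.append('# %s rules' % tag)
        for rule in rules_for_prefix(tag, namespace):
            lines.extend(['', rule, ''])
    lines.append('annotate=TRAFFIC:+type="TRAFFIC"')
    lines.append('annotate=THREAT:+type="THREAT"')
    return lines


def main():
    """Print the generated rulebase to stdout."""
    # A single print of one joined string behaves the same on Python 2 and 3,
    # unlike the bare print statements this replaces.
    print('\n'.join(render_rulebase()))


if __name__ == '__main__':
    main()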