@jtschichold
Last active June 5, 2021 09:24
Generate mmnormalize rulebase for Palo Alto Networks NGFW logs
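"""Generate an mmnormalize (liblognorm) rulebase for Palo Alto Networks NGFW logs.

Each ``*_FIELDS_*`` list is the column layout of one PAN-OS log type at one
PAN-OS version, in log order.  One ``rule=`` line is emitted per list: every
column becomes a ``%name:char-sep:\\x09%`` parser (tab-separated value named
after the column), except the column that holds the log type (``@TRAFFIC`` /
``@THREAT``), which is emitted as a bare literal so that a rule only matches
logs of its own type.  The closing ``annotate=`` lines tag every normalized
event with its rule-set name.

Run as a script to print the rulebase to stdout.

NOTE(review): matching is purely positional.  A firewall whose log format
does not correspond to any list here presumably yields unparsed events or
shifted field names rather than an error - confirm the PAN-OS versions in
use are covered before relying on the named fields for detection logic.
"""
import sys

THREAT_FIELDS_5_0 = ["future_use1","receive_time","serial_number","@THREAT","log_subtype","future_use2",
"generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user",
"dest_user","app","virtual_system","src_zone","dest_zone","src_interface","dest_interface",
"log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port",
"src_translated_port","dest_translated_port","flags","protocol","action","misc","threat_name",
"category","severity","direction","sequence_number","action_flags","src_location","dest_location",
"future_use4","content_type"]
THREAT_FIELDS_6_0 = THREAT_FIELDS_5_0 + ["pcap_id", "url_idx", "cloud_address"]
THREAT_FIELDS_6_1 = THREAT_FIELDS_6_0 + ["future_use5","user_agent", "filetype","xff","referrer","sender","subject","recipient","report_id"]
THREAT_FIELDS_7_0 = THREAT_FIELDS_6_1 + ["dg_hier_level_1","dg_hier_level_2","dg_hier_level_3","dg_hier_level_4","vsys_name",
"device_name","file_url"]
# The 8.0 column names were not known when this list was written; they are
# kept as placeholders so the column count still matches.
THREAT_FIELDS_8_0 = THREAT_FIELDS_7_0 + ["8_0_unknown_1","8_0_unknown_2","8_0_unknown_3",
"8_0_unknown_4","8_0_unknown_5","8_0_unknown_6","8_0_unknown_7","8_0_unknown_8","8_0_unknown_9","8_0_unknown_10","8_0_unknown_11"]
TRAFFIC_FIELDS_6_0 = ["future_use1","receive_time","serial_number","@TRAFFIC","log_subtype","future_use2",
"generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user",
"dest_user","app","virtual_system","src_zone","dest_zone","src_interface","dest_interface",
"log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port",
"src_translated_port","dest_translated_port","flags","protocol","action","bytes","bytes_out","bytes_in",
"packets","start_time","duration","category","future_use4","sequence_number","action_flags",
"src_location","dest_location","future_use5","packets_out","packets_in"]
TRAFFIC_FIELDS_6_1 = TRAFFIC_FIELDS_6_0 + ["session_end_reason"]
TRAFFIC_FIELDS_7_0 = TRAFFIC_FIELDS_6_1 + ["dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name", "action_source"]

# Tab separator, written as the escape sequence liblognorm expects in a
# rulebase (the four characters backslash, x, 0, 9 - not an actual tab).
TAB = "\\x09"

# Field lists per rule set, in ascending PAN-OS version order.  An explicit
# registry replaces the original scan of ``globals()``: that scan emitted the
# rules in dictionary order (unspecified before Python 3.7) and, on Python 3,
# assigns its loop variables into the very dict it is iterating, which raises
# "dictionary changed size during iteration".
RULEBASES = (
    ("TRAFFIC", (
        ("TRAFFIC_FIELDS_6_0", TRAFFIC_FIELDS_6_0),
        ("TRAFFIC_FIELDS_6_1", TRAFFIC_FIELDS_6_1),
        ("TRAFFIC_FIELDS_7_0", TRAFFIC_FIELDS_7_0),
    )),
    ("THREAT", (
        ("THREAT_FIELDS_5_0", THREAT_FIELDS_5_0),
        ("THREAT_FIELDS_6_0", THREAT_FIELDS_6_0),
        ("THREAT_FIELDS_6_1", THREAT_FIELDS_6_1),
        ("THREAT_FIELDS_7_0", THREAT_FIELDS_7_0),
        ("THREAT_FIELDS_8_0", THREAT_FIELDS_8_0),
    )),
)


def build_rule(log_type, rule_name, fields):
    """Return the ``rule=`` line for one field list.

    Args:
        log_type: rule-set name the rule belongs to (``"TRAFFIC"`` or
            ``"THREAT"``); it is also what the ``annotate=`` line keys on.
        rule_name: identifier printed after the rule-set name.
        fields: column names in log order.  A name starting with ``@`` is
            emitted as a literal (with the ``@`` stripped) instead of a
            ``char-sep`` parser, pinning the rule to one log type.

    Returns:
        ``rule=<log_type>,<rule_name>:<column patterns joined by TAB>``.
        An empty ``fields`` produces a rule with no patterns.
    """
    patterns = []
    for field in fields:
        if field.startswith("@"):
            patterns.append(field[1:])
        else:
            # %%/%% are literal percent signs in the % format.
            patterns.append("%%%s:char-sep:%s%%" % (field, TAB))
    return "rule=%s,%s:%s" % (log_type, rule_name, TAB.join(patterns))


def generate_rulebase(rulebases=RULEBASES):
    """Return the complete rulebase as a list of lines (no line terminators).

    The layout is the one the original script printed: a ``# <TYPE> rules``
    header per rule set, every rule surrounded by one blank line, and finally
    one ``annotate=<TYPE>:+type="<TYPE>"`` line per rule set.

    Args:
        rulebases: iterable of ``(log_type, ((rule_name, fields), ...))``
            pairs; defaults to ``RULEBASES``.
    """
    lines = []
    for log_type, named_fields in rulebases:
        lines.append("# %s rules" % log_type)
        for rule_name, fields in named_fields:
            lines.append("")
            lines.append(build_rule(log_type, rule_name, fields))
            lines.append("")
    for log_type, _ in rulebases:
        lines.append('annotate=%s:+type="%s"' % (log_type, log_type))
    return lines


def main():
    """Write the rulebase to stdout, one line per entry plus a final newline."""
    # sys.stdout.write keeps the script runnable on both Python 2 and 3
    # without a __future__ import (the original used Python 2 print statements).
    sys.stdout.write("\n".join(generate_rulebase()) + "\n")


if __name__ == "__main__":
    main()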