Generate an mmnormalize (liblognorm) rulebase for Palo Alto Networks NGFW TRAFFIC and THREAT syslog logs, one rule per PAN-OS release field layout.
# Column order of the PAN-OS syslog THREAT and TRAFFIC log formats, one list
# per PAN-OS release.  Each list becomes one mmnormalize rule further down, so
# the ORDER and COUNT of entries is what matters: the n-th separated value of
# a log line is bound to the n-th name here.
#
# Conventions used in the lists:
#   "@NAME"         - emitted as literal text rather than a field; this is the
#                     log-type token that discriminates THREAT from TRAFFIC.
#   "future_useN"   - reserved / undocumented columns, kept so later columns
#                     stay aligned.
#   "8_0_unknown_N" - placeholders for the 11 columns appended in 8.0 whose
#                     names were not known when this was written; confirm
#                     against the PAN-OS 8.0 syslog field-order reference.
#
# NOTE(review): names are labels only.  A mislabeled entry yields a wrongly
# named field, not a parse failure, so verify each release's order against the
# vendor documentation before building detections on a positional field.


def _session_header(log_type):
    """Return the 31 columns shared by every THREAT and TRAFFIC variant.

    Both log types start identically (receive time, device serial, the
    log-type token, subtype, timestamps, pre/post-NAT addresses, rule, users,
    application, zones, interfaces, session id, ports, flags, protocol and
    action); only the literal log-type token differs.

    Args:
        log_type: literal token to match, e.g. "THREAT" or "TRAFFIC".
    """
    return [
        "future_use1", "receive_time", "serial_number", "@" + log_type,
        "log_subtype", "future_use2", "generated_time",
        "src_ip", "dest_ip", "src_translated_ip", "dest_translated_ip",
        "rule", "src_user", "dest_user", "app", "virtual_system",
        "src_zone", "dest_zone", "src_interface", "dest_interface",
        "log_forwarding_profile", "future_use3", "session_id", "repeat_count",
        "src_port", "dest_port", "src_translated_port", "dest_translated_port",
        "flags", "protocol", "action",
    ]


# --- THREAT ------------------------------------------------------------------
THREAT_FIELDS_5_0 = _session_header("THREAT") + [
    "misc", "threat_name", "category", "severity", "direction",
    "sequence_number", "action_flags", "src_location", "dest_location",
    "future_use4", "content_type",
]
THREAT_FIELDS_6_0 = THREAT_FIELDS_5_0 + ["pcap_id", "url_idx", "cloud_address"]
# The 6.1 additions carry client- or sender-controlled content (User-Agent,
# Referer, X-Forwarded-For, mail headers).  Treat them as untrusted input in
# dashboards and correlation rules; never build commands or queries from them.
THREAT_FIELDS_6_1 = THREAT_FIELDS_6_0 + [
    "future_use5", "user_agent", "filetype", "xff", "referrer",
    "sender", "subject", "recipient", "report_id",
]
THREAT_FIELDS_7_0 = THREAT_FIELDS_6_1 + [
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "device_name", "file_url",
]
# Eleven unnamed trailing columns; see the note at the top of this section.
THREAT_FIELDS_8_0 = THREAT_FIELDS_7_0 + [
    "8_0_unknown_%d" % n for n in range(1, 12)
]

# --- TRAFFIC -----------------------------------------------------------------
TRAFFIC_FIELDS_6_0 = _session_header("TRAFFIC") + [
    "bytes", "bytes_out", "bytes_in", "packets", "start_time", "duration",
    "category", "future_use4", "sequence_number", "action_flags",
    "src_location", "dest_location", "future_use5", "packets_out", "packets_in",
]
TRAFFIC_FIELDS_6_1 = TRAFFIC_FIELDS_6_0 + ["session_end_reason"]
TRAFFIC_FIELDS_7_0 = TRAFFIC_FIELDS_6_1 + [
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "device_name", "action_source",
]
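# Column separator as written into the rulebase: the literal four characters
# "\x09" (an escaped TAB), which is what liblognorm is handed.  PAN-OS can be
# given a custom log format on the firewall; presumably this generator targets
# such a tab-separated format rather than the default comma-separated syslog
# output -- verify against the firewall's syslog server profile.
FIELD_SEP = "\\x09"


def format_field(name, sep=FIELD_SEP):
    """Render one column name as rulebase text.

    Names starting with "@" are literal tokens (the log-type discriminator)
    and are emitted verbatim without the "@"; every other name becomes a
    ``char-sep`` field that consumes text up to the next *sep*.

    Args:
        name: column name from a *_FIELDS_* list.
        sep: separator passed to the char-sep parser.
    """
    if name.startswith("@"):
        return name[1:]
    return "%{}:char-sep:{}%".format(name, sep)


def format_rule(tag, name, fields, sep=FIELD_SEP):
    """Build one ``rule=`` line of the mmnormalize rulebase.

    Args:
        tag: rule tag, e.g. "TRAFFIC"; the ``annotate=`` line keys on it.
        name: rule name written after the tag (the constant's name).
        fields: ordered column names; see format_field for the "@" convention.
        sep: separator placed between columns and given to each char-sep field.

    Returns:
        The complete rule line without a trailing newline.
    """
    # NOTE(review): char-sep has no notion of quoting, so a separator inside a
    # value (URL, User-Agent, Referer, mail subject -- all attacker-influenced)
    # shifts every later column of that event.  Whether PAN-OS escapes the
    # separator in such fields cannot be checked here; confirm it before
    # trusting positional fields like action or severity in detections.
    body = sep.join(format_field(field, sep) for field in fields)
    return "rule=" + tag + "," + name + ":" + body


def rule_sets(prefix, namespace):
    """Return ``(name, fields)`` pairs for every list in *namespace* whose
    name starts with *prefix*, sorted by name.

    Sorting makes the generated rulebase reproducible (dict iteration order
    is not guaranteed), so the artifact stays diffable under version control.
    Values that are not lists are skipped so an unrelated global sharing the
    prefix is not iterated character by character.
    """
    return sorted(
        (key, value)
        for key, value in namespace.items()
        if key.startswith(prefix) and isinstance(value, list)
    )


def build_rulebase(namespace):
    """Return the rulebase lines for every ``TRAFFIC*`` and ``THREAT*`` field
    list found in *namespace* (normally ``globals()``).

    Output order: a comment header and the rules for TRAFFIC, the same for
    THREAT, then the two ``annotate=`` lines that stamp each matched event
    with its log type.
    """
    lines = []
    for tag in ("TRAFFIC", "THREAT"):
        lines.append("# {} rules".format(tag))
        for name, fields in rule_sets(tag, namespace):
            lines.append(format_rule(tag, name, fields))
    # NOTE(review): liblognorm only reports a match when the whole line is
    # consumed, so a PAN-OS release that adds or removes a column produces
    # unparsed events rather than a partial record.  Alert on unparsed volume
    # after firewall upgrades.
    lines.append('annotate=TRAFFIC:+type="TRAFFIC"')
    lines.append('annotate=THREAT:+type="THREAT"')
    return lines


if __name__ == "__main__":
    for line in build_rulebase(globals()):
        print(line)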