Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Generate mmnormalize rulebase for Palo Alto Networks NGFW logs
THREAT_FIELDS_5_0 = ["future_use1","receive_time","serial_number","@THREAT","log_subtype","future_use2",
"generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user",
"dest_user","app","virtual_system","src_zone","dest_zone","src_interface","dest_interface",
"log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port",
"src_translated_port","dest_translated_port","flags","protocol","action","misc","threat_name",
"category","severity","direction","sequence_number","action_flags","src_location","dest_location",
"future_use4","content_type"]
THREAT_FIELDS_6_0 = THREAT_FIELDS_5_0 + ["pcap_id", "url_idx", "cloud_address"]
THREAT_FIELDS_6_1 = THREAT_FIELDS_6_0 + ["future_use5","user_agent", "filetype","xff","referrer","sender","subject","recipient","report_id"]
THREAT_FIELDS_7_0 = THREAT_FIELDS_6_1 + ["dg_hier_level_1","dg_hier_level_2","dg_hier_level_3","dg_hier_level_4","vsys_name"
,"device_name","file_url"]
THREAT_FIELDS_8_0 = THREAT_FIELDS_7_0 + ["8_0_unknown_1","8_0_unknown_2","8_0_unknown_3",
"8_0_unknown_4","8_0_unknown_5","8_0_unknown_6","8_0_unknown_7","8_0_unknown_8","8_0_unknown_9","8_0_unknown_10","8_0_unknown_11"]
TRAFFIC_FIELDS_6_0 = ["future_use1","receive_time","serial_number","@TRAFFIC","log_subtype","future_use2",
"generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user",
"dest_user","app","virtual_system","src_zone","dest_zone","src_interface","dest_interface",
"log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port",
"src_translated_port","dest_translated_port","flags","protocol","action","bytes","bytes_out","bytes_in",
"packets","start_time","duration","category","future_use4","sequence_number","action_flags",
"src_location","dest_location","future_use5","packets_out","packets_in"]
TRAFFIC_FIELDS_6_1 = TRAFFIC_FIELDS_6_0 + ["session_end_reason"]
TRAFFIC_FIELDS_7_0 = TRAFFIC_FIELDS_6_1 + ["dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name", "action_source"]
print '# TRAFFIC rules'
for gkey, gvalue in globals().items():
if gkey.startswith('TRAFFIC'):
print
rule = []
for f in gvalue:
if f.startswith('@'):
rule.append('{}'.format(f[1:]))
else:
rule.append('%%%s:char-sep:\\x09%%' % f)
print 'rule=TRAFFIC,'+gkey+':'+'\\x09'.join(rule)
print
print '# THREAT rules'
for gkey, gvalue in globals().items():
if gkey.startswith('THREAT'):
print
rule = []
for f in gvalue:
if f.startswith('@'):
rule.append('{}'.format(f[1:]))
else:
rule.append('%%%s:char-sep:\\x09%%' % f)
print 'rule=THREAT,'+gkey+':'+'\\x09'.join(rule)
print
print 'annotate=TRAFFIC:+type="TRAFFIC"'
print 'annotate=THREAT:+type="THREAT"'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.