From 778007a588921c833479913aa2bb03b05e554a65 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Tue, 6 Oct 2020 16:18:23 +0200 Subject: [PATCH] junipersrx-module initial release (#20017) (#21553) * junipersrx-module initial release * stashing changes for later * Initial MVP release ready for review * updating a comment in pipeline.yml * updating filebeat.reference.yml * Small fix for docs * Fix parsing of juniper.srx.timestamp * Fix bad samples * Remove some fields to make the index-pattern smaller * Missing update * Fix var.tags and disable_host when forwarded * Add related fields * Add changelog entry * Remove unused file Co-authored-by: StefanSa Co-authored-by: P1llus Co-authored-by: Adrian Serrano Co-authored-by: Marc Guasch (cherry picked from commit 6c0a78617bbc9bfb1b0b5f0353adb797fb27701b) Co-authored-by: StefanSa <6105075+StefanSa@users.noreply.github.com> --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 967 ++++++++ filebeat/docs/modules/juniper.asciidoc | 121 +- x-pack/filebeat/filebeat.reference.yml | 13 + .../filebeat/module/juniper/_meta/config.yml | 13 + .../module/juniper/_meta/docs.asciidoc | 121 +- x-pack/filebeat/module/juniper/fields.go | 2 +- .../test/generated.log-expected.json | 4 +- .../module/juniper/srx/_meta/fields.yml | 488 ++++ .../module/juniper/srx/config/srx.yml | 31 + .../module/juniper/srx/ingest/atp.yml | 363 +++ .../module/juniper/srx/ingest/flow.yml | 360 +++ .../module/juniper/srx/ingest/idp.yml | 287 +++ .../module/juniper/srx/ingest/ids.yml | 363 +++ .../module/juniper/srx/ingest/pipeline.yml | 275 +++ .../module/juniper/srx/ingest/secintel.yml | 349 +++ .../module/juniper/srx/ingest/utm.yml | 388 ++++ .../filebeat/module/juniper/srx/manifest.yml | 26 + .../filebeat/module/juniper/srx/test/atp.log | 4 + .../juniper/srx/test/atp.log-expected.json | 240 ++ .../filebeat/module/juniper/srx/test/flow.log | 25 + .../juniper/srx/test/flow.log-expected.json | 2013 +++++++++++++++++ .../filebeat/module/juniper/srx/test/idp.log | 7 + .../juniper/srx/test/idp.log-expected.json | 537 +++++ .../filebeat/module/juniper/srx/test/ids.log | 12 + .../juniper/srx/test/ids.log-expected.json | 699 ++++++ .../module/juniper/srx/test/secintel.log | 2 + .../srx/test/secintel.log-expected.json | 140 ++ .../filebeat/module/juniper/srx/test/utm.log | 12 + .../juniper/srx/test/utm.log-expected.json | 698 ++++++ .../filebeat/modules.d/juniper.yml.disabled | 13 + 31 files changed, 8563 insertions(+), 11 deletions(-) create mode 100644 x-pack/filebeat/module/juniper/srx/_meta/fields.yml create mode 100644 x-pack/filebeat/module/juniper/srx/config/srx.yml create mode 100644 x-pack/filebeat/module/juniper/srx/ingest/atp.yml create mode 100644 x-pack/filebeat/module/juniper/srx/ingest/flow.yml create mode 100644 x-pack/filebeat/module/juniper/srx/ingest/idp.yml create mode 100644 x-pack/filebeat/module/juniper/srx/ingest/ids.yml create mode 100644 x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/juniper/srx/ingest/secintel.yml create mode 100644 x-pack/filebeat/module/juniper/srx/ingest/utm.yml create mode 100644 x-pack/filebeat/module/juniper/srx/manifest.yml create mode 100644 x-pack/filebeat/module/juniper/srx/test/atp.log create mode 100644 x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json create mode 100644 x-pack/filebeat/module/juniper/srx/test/flow.log create mode 100644 x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json create mode 100644 x-pack/filebeat/module/juniper/srx/test/idp.log create mode 100644 x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json create mode 100644 x-pack/filebeat/module/juniper/srx/test/ids.log create mode 100644 x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json create mode 100644 x-pack/filebeat/module/juniper/srx/test/secintel.log create mode 100644 x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json create mode 100644 x-pack/filebeat/module/juniper/srx/test/utm.log create mode 100644 x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index fd2dbd45d003..754fa2d9f8fb 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -692,6 +692,7 @@ field. You can revert this change by configuring tags for the module and omittin - Keep cursor state between httpjson input restarts {pull}20751[20751] - Convert aws s3 to v2 input {pull}20005[20005] - New Cisco Umbrella dataset {pull}21504[21504] +- New juniper.srx dataset for Juniper SRX logs. {pull}20017[20017] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 21fd20e6855f..0294bde89614 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -88074,6 +88074,973 @@ type: keyword -- This key captures values or decorators used within a registry entry +type: keyword + +-- + +[float] +=== juniper.srx + +Module for parsing junipersrx syslog. + + + +*`juniper.srx.reason`*:: ++ +-- +reason + + +type: keyword + +-- + +*`juniper.srx.connection_tag`*:: ++ +-- +connection tag + + +type: keyword + +-- + +*`juniper.srx.service_name`*:: ++ +-- +service name + + +type: keyword + +-- + +*`juniper.srx.nat_connection_tag`*:: ++ +-- +nat connection tag + + +type: keyword + +-- + +*`juniper.srx.src_nat_rule_type`*:: ++ +-- +src nat rule type + + +type: keyword + +-- + +*`juniper.srx.src_nat_rule_name`*:: ++ +-- +src nat rule name + + +type: keyword + +-- + +*`juniper.srx.dst_nat_rule_type`*:: ++ +-- +dst nat rule type + + +type: keyword + +-- + +*`juniper.srx.dst_nat_rule_name`*:: ++ +-- +dst nat rule name + + +type: keyword + +-- + +*`juniper.srx.protocol_id`*:: ++ +-- +protocol id + + +type: keyword + +-- + +*`juniper.srx.policy_name`*:: ++ +-- +policy name + + +type: keyword + +-- + +*`juniper.srx.session_id_32`*:: ++ +-- +session id 32 + + +type: keyword + +-- + +*`juniper.srx.session_id`*:: ++ +-- +session id + + +type: keyword + +-- + +*`juniper.srx.outbound_packets`*:: ++ +-- +packets from client + + +type: integer + +-- + +*`juniper.srx.outbound_bytes`*:: ++ +-- +bytes from client + + +type: integer + +-- + +*`juniper.srx.inbound_packets`*:: ++ +-- +packets from server + + +type: integer + +-- + +*`juniper.srx.inbound_bytes`*:: ++ +-- +bytes from server + + +type: integer + +-- + +*`juniper.srx.elapsed_time`*:: ++ +-- +elapsed time + + +type: date + +-- + +*`juniper.srx.application`*:: ++ +-- +application + + +type: keyword + +-- + +*`juniper.srx.nested_application`*:: ++ +-- +nested application + + +type: keyword + +-- + +*`juniper.srx.username`*:: ++ +-- +username + + +type: keyword + +-- + +*`juniper.srx.roles`*:: ++ +-- +roles + + +type: keyword + +-- + +*`juniper.srx.encrypted`*:: ++ +-- +encrypted + + +type: keyword + +-- + +*`juniper.srx.application_category`*:: ++ +-- +application category + + +type: keyword + +-- + +*`juniper.srx.application_sub_category`*:: ++ +-- +application sub category + + +type: keyword + +-- + +*`juniper.srx.application_characteristics`*:: ++ +-- +application characteristics + + +type: keyword + +-- + +*`juniper.srx.secure_web_proxy_session_type`*:: ++ +-- +secure web proxy session type + + +type: keyword + +-- + +*`juniper.srx.peer_session_id`*:: ++ +-- +peer session id + + +type: keyword + +-- + +*`juniper.srx.peer_source_address`*:: ++ +-- +peer source address + + +type: ip + +-- + +*`juniper.srx.peer_source_port`*:: ++ +-- +peer source port + + +type: integer + +-- + +*`juniper.srx.peer_destination_address`*:: ++ +-- +peer destination address + + +type: ip + +-- + +*`juniper.srx.peer_destination_port`*:: ++ +-- +peer destination port + + +type: integer + +-- + +*`juniper.srx.hostname`*:: ++ +-- +hostname + + +type: keyword + +-- + +*`juniper.srx.src_vrf_grp`*:: ++ +-- +src_vrf_grp + + +type: keyword + +-- + +*`juniper.srx.dst_vrf_grp`*:: ++ +-- +dst_vrf_grp + + +type: keyword + +-- + +*`juniper.srx.icmp_type`*:: ++ +-- +icmp type + + +type: integer + +-- + +*`juniper.srx.process`*:: ++ +-- +process that generated the message + + +type: keyword + +-- + +*`juniper.srx.apbr_rule_type`*:: ++ +-- +apbr rule type + + +type: keyword + +-- + +*`juniper.srx.dscp_value`*:: ++ +-- +apbr rule type + + +type: integer + +-- + +*`juniper.srx.logical_system_name`*:: ++ +-- +logical system name + + +type: keyword + +-- + +*`juniper.srx.profile_name`*:: ++ +-- +profile name + + +type: keyword + +-- + +*`juniper.srx.routing_instance`*:: ++ +-- +routing instance + + +type: keyword + +-- + +*`juniper.srx.rule_name`*:: ++ +-- +rule name + + +type: keyword + +-- + +*`juniper.srx.uplink_tx_bytes`*:: ++ +-- +uplink tx bytes + + +type: integer + +-- + +*`juniper.srx.uplink_rx_bytes`*:: ++ +-- +uplink rx bytes + + +type: integer + +-- + +*`juniper.srx.obj`*:: ++ +-- +url path + + +type: keyword + +-- + +*`juniper.srx.url`*:: ++ +-- +url domain + + +type: keyword + +-- + +*`juniper.srx.profile`*:: ++ +-- +filter profile + + +type: keyword + +-- + +*`juniper.srx.category`*:: ++ +-- +filter category + + +type: keyword + +-- + +*`juniper.srx.filename`*:: ++ +-- +filename + + +type: keyword + +-- + +*`juniper.srx.temporary_filename`*:: ++ +-- +temporary_filename + + +type: keyword + +-- + +*`juniper.srx.name`*:: ++ +-- +name + + +type: keyword + +-- + +*`juniper.srx.error_message`*:: ++ +-- +error_message + + +type: keyword + +-- + +*`juniper.srx.error_code`*:: ++ +-- +error_code + + +type: keyword + +-- + +*`juniper.srx.action`*:: ++ +-- +action + + +type: keyword + +-- + +*`juniper.srx.protocol`*:: ++ +-- +protocol + + +type: keyword + +-- + +*`juniper.srx.protocol_name`*:: ++ +-- +protocol name + + +type: keyword + +-- + +*`juniper.srx.type`*:: ++ +-- +type + + +type: keyword + +-- + +*`juniper.srx.repeat_count`*:: ++ +-- +repeat count + + +type: integer + +-- + +*`juniper.srx.alert`*:: ++ +-- +repeat alert + + +type: keyword + +-- + +*`juniper.srx.message_type`*:: ++ +-- +message type + + +type: keyword + +-- + +*`juniper.srx.threat_severity`*:: ++ +-- +threat severity + + +type: keyword + +-- + +*`juniper.srx.application_name`*:: ++ +-- +application name + + +type: keyword + +-- + +*`juniper.srx.attack_name`*:: ++ +-- +attack name + + +type: keyword + +-- + +*`juniper.srx.index`*:: ++ +-- +index + + +type: keyword + +-- + +*`juniper.srx.message`*:: ++ +-- +mesagge + + +type: keyword + +-- + +*`juniper.srx.epoch_time`*:: ++ +-- +epoch time + + +type: date + +-- + +*`juniper.srx.packet_log_id`*:: ++ +-- +packet log id + + +type: integer + +-- + +*`juniper.srx.export_id`*:: ++ +-- +packet log id + + +type: integer + +-- + +*`juniper.srx.ddos_application_name`*:: ++ +-- +ddos application name + + +type: keyword + +-- + +*`juniper.srx.connection_hit_rate`*:: ++ +-- +connection hit rate + + +type: integer + +-- + +*`juniper.srx.time_scope`*:: ++ +-- +time scope + + +type: keyword + +-- + +*`juniper.srx.context_hit_rate`*:: ++ +-- +context hit rate + + +type: integer + +-- + +*`juniper.srx.context_value_hit_rate`*:: ++ +-- +context value hit rate + + +type: integer + +-- + +*`juniper.srx.time_count`*:: ++ +-- +time count + + +type: integer + +-- + +*`juniper.srx.time_period`*:: ++ +-- +time period + + +type: integer + +-- + +*`juniper.srx.context_value`*:: ++ +-- +context value + + +type: keyword + +-- + +*`juniper.srx.context_name`*:: ++ +-- +context name + + +type: keyword + +-- + +*`juniper.srx.ruleebase_name`*:: ++ +-- +ruleebase name + + +type: keyword + +-- + +*`juniper.srx.verdict_source`*:: ++ +-- +verdict source + + +type: keyword + +-- + +*`juniper.srx.verdict_number`*:: ++ +-- +verdict number + + +type: integer + +-- + +*`juniper.srx.file_category`*:: ++ +-- +file category + + +type: keyword + +-- + +*`juniper.srx.sample_sha256`*:: ++ +-- +sample sha256 + + +type: keyword + +-- + +*`juniper.srx.malware_info`*:: ++ +-- +malware info + + +type: keyword + +-- + +*`juniper.srx.client_ip`*:: ++ +-- +client ip + + +type: ip + +-- + +*`juniper.srx.tenant_id`*:: ++ +-- +tenant id + + +type: keyword + +-- + +*`juniper.srx.timestamp`*:: ++ +-- +timestamp + + +type: date + +-- + +*`juniper.srx.th`*:: ++ +-- +th + + +type: keyword + +-- + +*`juniper.srx.status`*:: ++ +-- +status + + +type: keyword + +-- + +*`juniper.srx.state`*:: ++ +-- +state + + +type: keyword + +-- + +*`juniper.srx.file_hash_lookup`*:: ++ +-- +file hash lookup + + +type: keyword + +-- + +*`juniper.srx.file_name`*:: ++ +-- +file name + + +type: keyword + +-- + +*`juniper.srx.action_detail`*:: ++ +-- +action detail + + +type: keyword + +-- + +*`juniper.srx.sub_category`*:: ++ +-- +sub category + + +type: keyword + +-- + +*`juniper.srx.feed_name`*:: ++ +-- +feed name + + +type: keyword + +-- + +*`juniper.srx.occur_count`*:: ++ +-- +occur count + + +type: integer + +-- + +*`juniper.srx.tag`*:: ++ +-- +system log message tag, which uniquely identifies the message. + + type: keyword -- diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc index 047e847bc5a1..a2d2a0100d34 100644 --- a/filebeat/docs/modules/juniper.asciidoc +++ b/filebeat/docs/modules/juniper.asciidoc @@ -10,18 +10,131 @@ This file is generated! See scripts/docs_collector.py == Juniper module -experimental[] +This is a module for ingesting data from the different Juniper Products. Currently supports these filesets: -This is a module for receiving Juniper JUNOS logs over Syslog or a file. +- `srx` fileset: Supports Juniper SRX logs +- `junos` fileset: Supports Juniper JUNOS logs +- `netscreen` fileset: Supports Juniper Netscreen logs include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: junos - include::../include/config-option-intro.asciidoc[] +:fileset_ex: srx +beta[] + +[float] +==== `srx` fileset settings + +The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html[JunOS Documentation structured-data] + +To configure a remote syslog destination, please reference the https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502[SRX Getting Started - Configure System Logging]. + +The following processes and tags are supported: + +[options="header"] +|============================================================== +| JunOS processes | JunOS tags | +| RT_FLOW | RT_FLOW_SESSION_CREATE | +| | RT_FLOW_SESSION_CLOSE | +| | RT_FLOW_SESSION_DENY | +| | APPTRACK_SESSION_CREATE | +| | APPTRACK_SESSION_CLOSE | +| | APPTRACK_SESSION_VOL_UPDATE | +| RT_IDS | RT_SCREEN_TCP | +| | RT_SCREEN_UDP | +| | RT_SCREEN_ICMP | +| | RT_SCREEN_IP | +| | RT_SCREEN_TCP_DST_IP | +| | RT_SCREEN_TCP_SRC_IP | +| RT_UTM | WEBFILTER_URL_PERMITTED | +| | WEBFILTER_URL_BLOCKED | +| | AV_VIRUS_DETECTED_MT | +| | CONTENT_FILTERING_BLOCKED_MT | +| | ANTISPAM_SPAM_DETECTED_MT | +| RT_IDP | IDP_ATTACK_LOG_EVENT | +| | IDP_APPDDOS_APP_STATE_EVENT | +| RT_AAMW | SRX_AAMW_ACTION_LOG | +| | AAMW_MALWARE_EVENT_LOG | +| | AAMW_HOST_INFECTED_EVENT_LOG | +| | AAMW_ACTION_LOG | +| RT_SECINTEL | SECINTEL_ACTION_LOG | +|============================================================== + +The syslog format choosen should be `Default`. + +[float] +=== Compatibility + +This module has been tested against JunOS version 19.x and 20.x. +Versions above this are expected to work but have not been tested. + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9006 +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9006. + + +[float] +==== Juniper SRX ECS fields + +This is a list of JunOS fields that are mapped to ECS. + +[options="header"] +|============================================================== +| Juniper SRX Fields | ECS Fields | +| application-risk | event.risk_score | +| bytes-from-client | source.bytes | +| bytes-from-server | destination.bytes | +| destination-interface-name | observer.egress.interface.name | +| destination-zone-name | observer.egress.zone | +| destination-address | destination.ip | +| destination-port | destination.port | +| dst_domainname | url.domain | +| elapsed-time | event.duration | +| filename | file.name | +| nat-destination-address | destination.nat.ip | +| nat-destination-port | destination.nat.port | +| nat-source-address | source.nat.ip | +| nat-source-port | source.nat.port | +| message | message | +| obj | url.path | +| packets-from-client | source.packets | +| packets-from-server | destination.packets | +| policy-name | rule.name | +| protocol | network.transport | +| source-address | source.ip | +| source-interface-name | observer.ingress.interface.name| +| source-port | source.port | +| source-zone-name | observer.ingress.zone | +| url | url.domain | +|============================================================== + + +:fileset_ex: junos + [float] ==== `junos` fileset settings diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index df4c0362308f..e2aaa82c7d28 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1050,6 +1050,19 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local + srx: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9006. + #var.syslog_port: 9006 + #-------------------------------- Kafka Module -------------------------------- - module: kafka # All logs diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml index be40af662027..7f9926567886 100644 --- a/x-pack/filebeat/module/juniper/_meta/config.yml +++ b/x-pack/filebeat/module/juniper/_meta/config.yml @@ -36,3 +36,16 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + srx: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9006. + #var.syslog_port: 9006 diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc index c59b7ac4a95c..3e145ea81c90 100644 --- a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc @@ -5,18 +5,131 @@ == Juniper module -experimental[] +This is a module for ingesting data from the different Juniper Products. Currently supports these filesets: -This is a module for receiving Juniper JUNOS logs over Syslog or a file. +- `srx` fileset: Supports Juniper SRX logs +- `junos` fileset: Supports Juniper JUNOS logs +- `netscreen` fileset: Supports Juniper Netscreen logs include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: junos - include::../include/config-option-intro.asciidoc[] +:fileset_ex: srx +beta[] + +[float] +==== `srx` fileset settings + +The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html[JunOS Documentation structured-data] + +To configure a remote syslog destination, please reference the https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502[SRX Getting Started - Configure System Logging]. + +The following processes and tags are supported: + +[options="header"] +|============================================================== +| JunOS processes | JunOS tags | +| RT_FLOW | RT_FLOW_SESSION_CREATE | +| | RT_FLOW_SESSION_CLOSE | +| | RT_FLOW_SESSION_DENY | +| | APPTRACK_SESSION_CREATE | +| | APPTRACK_SESSION_CLOSE | +| | APPTRACK_SESSION_VOL_UPDATE | +| RT_IDS | RT_SCREEN_TCP | +| | RT_SCREEN_UDP | +| | RT_SCREEN_ICMP | +| | RT_SCREEN_IP | +| | RT_SCREEN_TCP_DST_IP | +| | RT_SCREEN_TCP_SRC_IP | +| RT_UTM | WEBFILTER_URL_PERMITTED | +| | WEBFILTER_URL_BLOCKED | +| | AV_VIRUS_DETECTED_MT | +| | CONTENT_FILTERING_BLOCKED_MT | +| | ANTISPAM_SPAM_DETECTED_MT | +| RT_IDP | IDP_ATTACK_LOG_EVENT | +| | IDP_APPDDOS_APP_STATE_EVENT | +| RT_AAMW | SRX_AAMW_ACTION_LOG | +| | AAMW_MALWARE_EVENT_LOG | +| | AAMW_HOST_INFECTED_EVENT_LOG | +| | AAMW_ACTION_LOG | +| RT_SECINTEL | SECINTEL_ACTION_LOG | +|============================================================== + +The syslog format choosen should be `Default`. + +[float] +=== Compatibility + +This module has been tested against JunOS version 19.x and 20.x. +Versions above this are expected to work but have not been tested. + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9006 +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9006. + + +[float] +==== Juniper SRX ECS fields + +This is a list of JunOS fields that are mapped to ECS. + +[options="header"] +|============================================================== +| Juniper SRX Fields | ECS Fields | +| application-risk | event.risk_score | +| bytes-from-client | source.bytes | +| bytes-from-server | destination.bytes | +| destination-interface-name | observer.egress.interface.name | +| destination-zone-name | observer.egress.zone | +| destination-address | destination.ip | +| destination-port | destination.port | +| dst_domainname | url.domain | +| elapsed-time | event.duration | +| filename | file.name | +| nat-destination-address | destination.nat.ip | +| nat-destination-port | destination.nat.port | +| nat-source-address | source.nat.ip | +| nat-source-port | source.nat.port | +| message | message | +| obj | url.path | +| packets-from-client | source.packets | +| packets-from-server | destination.packets | +| policy-name | rule.name | +| protocol | network.transport | +| source-address | source.ip | +| source-interface-name | observer.ingress.interface.name| +| source-port | source.port | +| source-zone-name | observer.ingress.zone | +| url | url.domain | +|============================================================== + + +:fileset_ex: junos + [float] ==== `junos` fileset settings diff --git a/x-pack/filebeat/module/juniper/fields.go b/x-pack/filebeat/module/juniper/fields.go index 6122a5646540..e22907d02447 100644 --- a/x-pack/filebeat/module/juniper/fields.go +++ b/x-pack/filebeat/module/juniper/fields.go @@ -19,5 +19,5 @@ func init() { // AssetJuniper returns asset data. // This is the base64 encoded gzipped contents of module/juniper. func AssetJuniper() string { - return "eJzsvW2TGzeSIPx9fwUefzhJDpmyZVt7o5udC213e9w7ktyrluSNi4moAFEgCTcKKAEosulf/wQSqBdWochuNlBs7d18mLCaZCKRSCTyPb9DN3T7Gv1RCVZS9S8IGWY4fY3+w/0B/cen979d/wtCOdVEsdIwKV6jv/0LQqj+DVowynM9+xfk/+s1fGr/9x0SuKCvkaBmI9XNjAlD1QITOrN/b76GkFxTtVHM0NfIqKr7idmW9LXFcSNV3vl7The44iaDJV+jBeaa7nw8QLf+33tcUCQXyKxojRhqEEObFVUUPjMKLxaMoBXWaE6pQHKuqVrTfDbYn9L4HptZKlmVd99Kn6jtsoC1wHxne+Orj60fWqJdpNDLnb/vX2H8wAan8nHFtP0eYhpVmubISERwaSpPf4U3qKBa46X9NzaIyIJqu2lpP++BRuitXKJzSmQObBzYiIPF+kgdu50aLl1TYTK7tciAPcKJqe9JroHmRApDhdH2fjChDRamRkMHcTSsOAbBHJv+B0PsmMPJLoGwQZsVIyuEkaZaMynQihmNMHpPze/MCKp1ffqzAWs0m9UrWfEcCbqmCs1pw3clVpqid9RgixpGCyWLzlJP38qlfnGFyQ01+tkA/DlTlBi+fY6MxxujD9QJC8fhooPmLEhITteUH0FJLkX/fu5Q8pyWihJsPCY5XTBBcyQFB7QMnnOKClyGsSr0Mot2Yfac8Tt/zy/Pf0BrzCt/41lOhWEL5rmT3mJiEJdLd15qcBCwO2bBe26B79njKLEyjFQcK/i9P9jZKGcMQB/FKSHOGEAe55TRI1lPeyYv/9+Z7D8Tu2qaA3nY9ZXzPzLYSP9YHg12a3yM0EuOmqJaVookensfTrZU9/9hmGmDDS2oMI8ROVzlzGSE494dfiToUWHU9jEitrI61WNEjInjEEurMdWS4/FyWk7xMdIjLdkWlOYxbagRvSZkZ3a+WLsFLDYDPWSgJDzMiujpIQPoB6yIcSr2XCsTUVF0vCpB8jlyDbYZiXwoQMF7k49MoVZXgn2paKtGq2b//k/bXaP2TApiHwds5GO3bEfEzZqlFYdd6p7ZZdiCEdy9z2/lEl2sqTDoGoQzqkROlTVBFPWCarD1BbulOdLUWCA7P95dQ48bLPUhDGA/2GBpDmEA+l6HMvQExvcvHceYg33dgyb3o8FK6kT6apcvf5XadEUk73OkpiJnYll/qENs0/EhfT30Zccw2OBHo4S9vFr/hHCeKysrx657n7iD3Rv5tRJ3/So1eV/930teS630sqEvF5wjrestyxFGS7amonGSfb2KgCXRcf6LtBZI/hiVv68jojHq0JDlNlP0S4Kz7gYP4YBh3/MtUPnCLY2u4CI9995sg9HHbUkRwUMJMqeIMrOiCn26FOaHV0gq9AuX2Pz4Es2xBi6qA2QLtqwUqH4H9n2MuvsV7xvCoOmMzwj+BfvrpUzlZttnHdcrf/UOBqk2WOXJlLqOROtsu0vJy6vPO/oeRopy3D9ShPRWG1r4R9SjbaGtqONU7Yhn/y0VWzKBef2bXW3lAB1S6V97EiMurz6/CpDAoz+gxMNJ0GA0pHKM16dl1KHieOzrs6I4p2qS2PWvsBS6PH9IlNTh2w2WApjjYqWP2snGSZbcz4ZrReuyVbTgoljT5UxyTomR6msUwJZ6J8i5sTzHNCKOdDS3mO4oqm9lX21Bewj9CC2+gswfi6paSA3JboUUaL4dHBpCin6pqDYWoGZFybf+nOyXraBHFJMV0iyn6On3yKxUhV7+/PMztMEaaUpFs8oeSjwK5fUOlNClFJqmIwX5ariCyEqYxqdQFXMn9OxV1kEI6CmeyzXtEIOJYGZlLd60URQXo/eHfDVsc2JS0ZxVfT0tBqG+CWmOjWOBLRAz/6xefv/DX7QT6S9KEKA10v8c7Oaf1h58i7dUoZfoQhBc6oq7yIo1Ke8l10PQHxj8CORWhlb58SX6N7vd5+jHH9G/ISKV1ZdhF37R5+h/cPO/7BeZRrtE+SZ4hELm9NHaumJDM4I5n2Nyk1YDdsgJaeDaYOPsCktEKvJSMmHANDE0nOAMzJFRpWSi/LRWH9QlJQxzwBgw1UYqq1mLrdM67AdrzFnuGCOEFEILWYncvjCcAvJMLL1ydDB5cfdGDCDHiAX667AnbDRyClsucf5Y3jmPDtLsT4oKahQjAavDm8LdL4Mt7J77WgjbZx+bVqOVi/rYZuhXubFHM7Q5mUBSWWPMSHRDaXmAaI/ixftKiKYkoVpna5Zneaqo60UteZZUUIUNXPLcUrBjF66ZMhXm1mjf8b2LgIuDFcya3RArB2K4XfirfnmOlJXWGhwqQDSsltQ0XztICa0SJT2dnBIuE24/JVSSUNBQ8F+e177XD7SQhqJrz+9EUXho59sxQWn/VwdivoLAi18p0yVnKTMbHrU5r9lA7X8UupmVuQn5HW6dfQM8r9dcV1st/gn57xFhdOJlwfgJYvR2VWscXZ29ufK6L8HCkocVpVR9jRfBE/nVpUFUj8P98ck9VWCIg+kecqXumvJV+5PWYHd6DljmM/Ty51doA3QvKBYIcx72FYBTH9Sk1n+ENlRRBxYbxCnWBknRKxfZJeLJ1cSvm4iBu5oibOtp97tUORAOspooWQnJ5XLbD8QtmBposQj9jMgKK0yMI6K91FvAH5zmAlXC5/TwHZ/5aEVt7IJuF6hPGUTYE7sEi6KwSqYUdRhB4c2oTAPJ2lMrMQGN1cUohPc5SEIqVUPUBoscqxwJqQrM2Z+h/F6piiB9cp/lcDSJZDUfPEn3IlKLdYPMC84WFHYcMPA1JVLkIwp2e9yZNin9LHs2xASRRcmpCTLAqBMVgwJvFOuJwU69mTInYuRru3aQncdYeZczR9mvkMKsIh1TW58aK+elzXLKT0T4C5GnILsF+acUqbst7BGLdvVaxXTptR/7FB6IqGQ3+g0y9Nb4y4fWVOlOOUW+Lw8scL4PZbYtxbG22ZbpEalymqd7B32SjX+mdLNirWPUmTbNF7vx9eFrpWQxA6gVFOVrQgVWTDq1vqi4Yd8ZRhXCZcnr6pe2l02BBV6GSnMR4hDeqe1Fh5TDVSNmnmgkN8JFxgwuyr5n0GNsV7MoDm+f0YismLVuZE71DL2rtAEzqQvU3kpsRvJysaFHHtJeAbZYWLzXdApNCA65XtDRTtEFVVQQxxDYqtY5W7PcajbAD2FBdl0Lso894oU3eVsyNdkO2/N0saBby4nM8K3brLZCz+prFilg0P2+0YiHPurCeW6lcSPPZoMlm3QyWcWWQMVAkXsoxIb+sa8KaJBfKlpNxkqWux0XtfJxgzUCJPIRvgHkfohN1IhKwQ5BE8i0ZWESvL7LIgWuZZYA1TJLoT2XMUXRLtCX0aEm0JU6r8hpTMie+Rh8YwbP5b3enGPF5iG5dkywoH0get0QYjuCMBko8TEUa13x1GGnEStKVobIgr5wODTGC2Rly8WAQ7DwJNgxIEcYhK6pYiZl6ciejdWr+yLATmRnn8snbfHioHege6WbShcLDeJOJSVswVrDJ6zdumDOWE8Vryunz2YKHEDjYmR5WzBRu6hyH2QJ4u3N5qkO4fOuld61BKVCv1371Fim64SAvl8N1q9PaKxKUpdSs4iC4068Bea0yF2HKUjlr+/uaBeeipssXeuie4oiURVUMXJfWRTc2wRVbHs21q1ka26GE0vufg+2tqYil8onzO7dmZz/cYLuNXVoV87/oCRsR1vE0teCD8htJeh+xJykT9mr7pvhhfRV/17MeC/XCje5xUIahNHKd7wIJ9ByuczqRJWTCPWaEe8t1KfombIj+/4O6VbQtRrER1jxl5yRberbs0cuXAECvrm24NsRuVzxlHnTYQJ+qDgFxMLiVApDb1NrrA1Cl8L569p+qDjPtf0/eFQxrxEKNYA58DiTFRZLmgm6SS0LxgKXdNMJ9YMSYoxi88rQjoQY5uhrh7rV1rvPX1h06BJHE3YN5ThL1rZyH9HAEOznFzlkuvpbwLiFCjBLsLrhoG5zvtSaqhm6pu5QKk3VDC8ptPL2me4LqWocBrBrME5vJ/B75H7f6VshFZorubGf1X/1uqYzu0b7SV/mV1iZ2G66BnBsj4q/U3JQHTrVnZI8b9TGVFdKltQHFFO9xW8Ewpwq02QXqXZR/zcX3vLio9MEAJKQAgpzjoQU3ylaUrBk9mU/gNkw5ZNDKqXshWnsFThJ0ONeMBdhq8M/g51tmFl5ZdnJenQOC86h2kQgKb5bSvvfe14CUFKygOKYcN+4Ewx8AQhYJOUCWelgGNUzdN3KlP5gg25lVRqMz1w5X6WtEeNKRl2yTe7Fryc8RoRX2tQM6f8xOCb4CdP2JH1NtPdvWMUXPh1XgSbXftwNC1v0ri1TOqXsySHDy2J5DlggrLUkDPyl9jSC9iQc2Ft2Q18jjMrVVjOCOcqZvnmOSgUzUZ4jasiTsKKMFT6m9vKeD72rs1G4oIYqjUqsoYuXhkYOrhcBkUVhpZjcCdoPS2uoIXvVPfcenErj65xhgofJiW8ii7Ia3sEEx4bRholcbnw+LZGC0NI8bzIpRokx2Oai4nyLvlSYO+dnLgvMhJcaorMQlyNPV9frGUtd2rN1qxK+ZeKG5r4WqE5Exxq8U95AsZ9806A2Y/m+g+ODrhBJRV13spNzS/QRqNGDkVYnweu30nte0fWwXU8TdKaqYP3BTqldrH5NwNbx/35N+8fImvaC8fR3vNnyL7Bac40VzStCUR05omF3m6aKYZ4FXtNkj8g1LFmrzf33sfMA2hdm1C9AyY0+quVADI+xX90+dCusV80NtWphoMqwIiuX+VvX2DRlhmc1pF6LMLuRZpmZVsT+qvn3sNIUWXkuEIOcu0oQTrGyf4JGeC1qvoDQeztVXdh5OPrghF817PP0qF8sIos5E03f7O6D5ctG1T1erzVTlZ7a09fVRgCBcY/fNAHSwJU4c6u7nozjnlJnwSV3jTfkc17my3P03kmap75xA3LT9nzRr8XtWVivdg7oU/jyO+7ny3MgqS95a8TE0HuwG5FzaYBuCzPHRFYWbJgOG6lrvU3Zy343qusLtJ26sNePLZzxPSHXWNKfNQujy/ODmmws/9wBTdYi9lLkrUY7Q2euPtP3O+Xug/3aLCCodr/xwzfeHTevTFO5KU3zGFWCU+0oI92DspFojRXDcz6oAnRNGZhAJccjgkBToZP2R9k50K6q6laeWUllNYy6vpDZc75+cXnV16GRbxnrPApjddlHDhS8cy1kG2lxSKJLYdA1WwoMwmKERUupUjavfTKQX5ZJr2rdTUJXR/hPi0jnLgOX5TLAOO9/+4iYILzKqRVnfpCt/fkMPb24xUXJ6Wt05RwiDixI71nYLwKRucljm+Ccap+WMGZM31iV+wi87lGK13FjvvdPwwemb/aEXI1iyyVV6UbYhUn2uRsL8DiAdrpSVK8kzy33OFt9ZNLoTuh9As/CMPbupfLTD07HeNY047g8D5eR3Dk6T2RRZhPnXcGp+NwrGOPq/Hu6mn9n0ZEC6lMXMG5G5hUZs9K8WnqirLEu5o20lAo6D1i5XuM3MiUOq3yD1Wky9IZd9a10xf4hspsYaY381ApRjN5hUvdTDiu3VgRNasdI8V2toKr9UsjZmtGHWiuKdfTcYG2wqWIpzo0/CjN+MrPDLj6Xt4jlL8bfL/uyVlNgaDH6NGh87O6CxSJ8det3LPH0vQGTnw/n7h3znDEhq1gxzk4diV5Gv1NWksZ0Ogw8sj9FBpy6M+MOS7zh3Mo9pCtCqNaLiqMLuz4iMqfaskTd7DdsWTCR09vIBOBMm+M0zwfKFlgYTDFVIzGnCuKbBVaMQwZPwIPn4u9iiTAQ8Tv72+DORAI+lHPXXOhEGrFfHT1t8jlLqnTpi26dhBmQzKsIbUJ83eHp2UiRoXNzDd/j1AklTvlqkry8r8p9236ImdAopwYzHnAyzGVlOr8b2Zrkk+dm1h5b3OSxAR7jD6mhRcmTZfO8QTldYB8C8p0v6xi+z9a0WvGaKo63UMhlpH9c0dPAjbQfgNXtf00XdRW489Vrw0wFjRlRcGOtbTBs2PTQ6xo1itXx7xAcG9MEsorIorD3KQ0bnTnoiHWSfUsl1yx3/rO6i1xB9WgiVC7J8YHG+3vLfmG81RpJNy8vrBrclpD0dBpZX6+eVtb/IedH+p2O3t5/yLkPwIRvV8nSNc49h4Rid/LXV5focqBQddFI1rXWV5fsxyBiYVdTDbuMakjfxx/mc6vDyr0TEdlc5qkrvgYVd32lw+OCLC4j6tEqfrcEFzKYoPK84wL2pcMugbaJh7Aly5tQzogTr4htNQ7KwCO8/PGUvGbfZZXymaqne199ct1z6kAUJGvcUlJ1vQgu9WtOQ+WtdRemfYkbEzhCgl7xfNch0lRX4jVmHA8DGahxhSOor1xQpUYmLbg7dIyvP17czRsrhW8A5QKwgy35dAPNlrMRiciKbF7l+Ta6f4YVWdQ6oA7cStPjGp3v9VLFh6iYjNjloFdil+lqioIEprvZq67nKq5yZprKurYvmscoNNiurdhwoqQNL+zfpMsSi03B9WRW+dnnC/TU10p8rrjVleeMQwEH5IFd3JZS228+Q98NHQ2iH4W5EXIjdgwhTUkFzSzWu9BHJm0SPIELrp8WelZXub/3pUlv6RKTLfo0aq5xNlf4FEX5fuEdEjOBCszEQuGC7k3HKLGCqb3p+yTsKJdXsCx6L3OXHN22BexknQWQQge0L0gVsIRIZSHt9o17Tzfo10qAKflO5pSjp0ysZ98+R0yS52hu/4/a/8MC861mevZtOL5oSJktOB5Mzo+tQ+1q+GdXCBYFXxfIyW09/Eou9jZqMDIppu6vc49n3QZBU2UZOYjQuogrd3uYfX73O1YUfXQJwN9++/nd728+XHz7rcu5XWOF2ShPbqS6iVmyfPCC/V4v2I2wjTrBsIitRPianbhdSprnABP7XGwTmDALqajQjMQUIB1XUgKMi/hekEB8IBbQbIPZcDjxg70D0Ps8NlB7fWKXqOtqnuhSmHmujYpd+Q712skcYt23NNo7Wtd8pHOSHlvs0g4GG6g0vtikrXvx9S4WxIKNOprqrSZzxB671WA3osA2++U9YaF8dD/B+zsuLPJe//8wXLVVmd3kv5OwWN7x0XtE9iJ5Euao47j78JNygqStnZPt2KVPTZPRXmfZQZ/MZ+B2G3Du4ch03bKaTREPg6KvBWbc0rpu5nLlZcblebe2DTpxWXPQ0GWghcF4VmGdc51ZFfGI/RyTeA3p1r766EwWRSX6nqgBduK4xk0Pxe49vTV/p2GdusFNH6dZPxS3ayzyf5fhqFmLm8GGHSMZHozdcOEd5HSlS0aYjJYlOpUFD9hvsBLDoMNjR12LosxkKmF8/f7dFfrN+VHbpNQwIl8mTSW4/s+36EtF1Ujv1oqLTNF+p860yQ0dh+gWfaiLzoJpXY2WTiI+pF2gMvYYAQu0PMpxdAiqCQTHHgw3jz+gAXOsigSnZcEmcC/gMmIBcgO0yqNNpd2BGbfb1Q7oHJu+VvhQuHMqyKrAKlZZSQN3W+LB+OIHR58wGaRTRYGZraLzAqGLuAVUDeDFElotJQAr538kgFri6JMwXMep6OwFQfeMxX5wfOe2glrVMzrSIsMEBqPELz+xsLWIaLx3AM+X5foncWtW0d93IjJiVJbrqH3XO9At5OMiT3cAvOY4usQQGRVLJiIWRQ5Bp8iNFtki0xtmSHT5IbIFlxuNi/i5K13YwqzTQU8QdSEiYyKlOGGipKqYb6MlvA9gl+QmDfA15il4hZVZqaSRWfyQFEBf/5SBxzE+bJ7sbnK5zPIUxLaA4+e/EZEV+DYzJpbbYBew5WhOEzwKBROJkGYiHdIl1xmf8yx2WHQH9vcJgUfvDN6BHbsXYhd27KreLuyfE8J+lRD2vyaE/T8Twv5LGthGlhzPaQqR0kCPb56JrKg4KN/zbYJ3sgZe3iTQS4qKs2VRptG+rZaJ+TJ2EpKHzFIoJZp+IfF9IyLTLiExwQlqRdJYkxZwGmtSb3VVJphFSkRTVp3EVDXSWNOD3iYQIUYaa5ilgg1mTRLglWC3AgupKUnAhOtXliqJHoX1K1maFcV5AreaLMqM8AQ+bAs4QZAE4Kr51sR3i1rIOgnkssoSxDSIYoYRzBMUEOkML6kg24hZV13YAvPtnzSfp8B7nUEb0CSQXTuYNFi7xNok0OfLcv0qjQ9aZ3Nm/pKk0RjRWdxZcT3ASkYX1TrJNQeolKj4VW7a+fijzdrqAKZm5fz88Z0jDjiofUmAu27y8TrIdWAvGKcpbBidLVIcIlvELM7eBZxCN9AZKyFJMUsi6li5/inXphw0848EWyuSBDZnC5rCjNHgaC5ozqIVjO7CZiINlxQyrzjVRKagtgfOlglkkyz1BpuoM/870EMZ5FEAK7pk2igc3xPSwk6g8SlapiK1SkZrDZ3IVSL56jLzHYsngG4UxUUCRdKVAqVCO51yvVlJpjM3YTY+9C1WOAmD5yOFsDEgr918+9hwmTZYRJ9znGszr1SsYYE1VOpmBaWAWkXHNb4eXdckxwYLkxsW8YddH9tpYB/MJc7z2HeA5bHDqnXroARvESsyoqQsknQlsoATmGmsyNIkR/qORynIXN5Eb89U6vgtS1mpS8UiA+XYMFNFzz7jTNB4LXZaqDrqRJ0GLhTfxndrcem6nmYLLqM/5w3wBCn/1uaNLnUs0AQSx9rQCVCNnpvA5TIJ64plkgtcShVbgBXzapnimhVMkxRiodBJGDbFHAhBDTRXig43ugx3DaBjZ/w5qLHT8cRmE9sCSVJRJt0A6OiWqIyvGUnFlllgHteD4W4EVfHfrDJzQ3mjg406mboF60a8JmGyBIWbfiZObGHgwcaWBmXmHEnR0cVa2w8zsopV5z8ATW9LFj0QUFJVLBUWZtBzNwbkTRLA8Z9e14ns06feFNAIgJVcZliXEQcGdEErHBuqopin0O8UJUAH13U0EfD4RLaQ47Zw7UCWKk+AcXxHpk7gG9bON5wgH0DT2IkAbuBxAuNE0y/xGSDUoDUa1ASmlGbLBIJXl7G9bFqRFPdAkTy6Iq0VCXXFjQDYxBux1YVZ6ehdNddExC6UCE6LfShQ16Qz9vbN0sRnKwc0fkSvmekZG+62jN6ttcrnSfLQK8UTvIWVpirLWeyq9yRjK+rIUAoyGKINLmJ7g9cZE9rgRQLNYM2USaGGr0uRoHWTkaoSMd2sobZogY6ibyoj0YdKoMHSTfZIwmF5nzFnOTpTNGcGnWGV+26GGtq/h9Fxk7MSUmlsQiiAgSH6CPobEMlRqFSnyYdgIh3lLoqSyy0dDBY8SL+FrKI19b4jj1kaOp8RzDtTdElvUYH7jRbaWKxYVv1hIMmR5EzDcIZ6dX/00EAJ6aospTJo2HgUoc0KG8QMKhVdjLHCA9Jy7zOEIkR4b3U0KCAmfGf3kb7QnInUE/k7qNrVunhqZOSSmhVVs/b7eiWrwYuGkKBrqppxREaiEitN0TtqMEwEd3cVNyR4+lYu9YsrV/b6DJ37EV/PkVkFphRBM+AP1I8+BrQFek/N78wIqsPnPGTqJMRbwMju5hbB4m6zmmJFVjMmWBA/mLk7QX/tnviEWRiQDPGC40rArN9lBXNc6ybu4QbuvX7te/aUvh13s6emCbefXzxi7NuDyCLWNN2t8yosiz7SWwO3YsxdMMU06hGB1A6uew8TqgUfmXgJ3XMTjgOH/rmaGqTol4pqs6dp9/HZyvfvle9UBhjL41Z1ErvvkWryTnfdKftwchhBbGzn79ChXb8O7jzm7P/D8w3tYpfntVCAtcO8AVZDvCTee7KwfVzmWFPk0rUbbNDgVjWn5H9xGnxFMwq+wVwq174+SEaEsEaaUhh3hvfPq1JYaEwmGO876DDtlhag9rZMQyoFE9D2IV1SVTCnbkyFdLukG8zB1ozTJUWcrilHWGu2FO7g2nn9YdaHlswnlN+w/h5On59k0rPFrBLsS0X7YxJx+PJ18D2uY+JxU1BqjYbl7kISKQSF3Aq0YWY1JigQClSGNBq7okeVF93btLDkBHnSPFFcLhnBHFkMRkwfwOK02MFSI2MaT0e7crXVYfQ66Wwb2ctqjf3AY86wzlYyuU3gjLjGXINZKu1QIysVuyN4wv0AkLs0Flt40/wgFsIpVrM3XEtriO/ct3MIlqNf/S9m6I3YNv8aQDdgy2thEM5nRBZlZagKi+Ekbny7sXTm2Tf9s4AZizsHwsw/q5ff//AXa/ued46jptg3QbQ9n2ZxI2Z3ddzgLVXoXxufnH7h0QDkwrc+dv1Pep4XLc47XL/3PI5MXj4k2570B6bYdWbo/W8fL+zeqaLOeQL+0pxpomiJBdlardKrZ7yfC4KAQs/Rx3ev0aUwP758ji7fn1/812v06VKYVz+hp5vVFgnKzIoqRFZS+1FpUilKDHzrh1f/+/979iRIEWpWCWVcnx4gU2cFDo/j0Ym5757X/Nrx4mWNVPiK548L6a5sOoD5kQ3j7vzAh/DtKaatdfKZKVNhjt6+eR9E9k8paDpf1nGc8X+koLMwbS26X40IhY0cFp5wBI/xDd5zDkts6AafYEQ6cPcVepPnCvy0jstD6DRPLynKY+OcD42FXJ69u3Kv0mh4rMB6wujHjlPJaar+7UaXVxaVEe+XpeGRkyCi0NCuPU7DWhPL3HStaQVEB12c58x+GfM2YNuZ5R9+5yZkAGsSwgWX/oaf77LAAJU21zqJXnfXJw2j9x7DK6lMI5IHQjeHABscADPbw5JXT0x7tx8mlvVjUm/r3RjhBQ3ZjVN5cT12YPlirSVhVuV0fqOBjoOsXFZYLOmsMZ2IFAu2rBTN0XwLMKnIIWsoLGfKI1sPDIpGR7Tl4KKLBP0OeETdv1vCFd0BoGghDc18Znf8PKP4pM2FznDmUvETgC6NSgN8kYAlFgmqhXmK65Cq/0mZgKg4z2pPXDq1vG/B233M+qt1nQkn0GAvzIoqQQ36uC3pc/SpfsbeggPsR3RVO8AGL8FvY5paPapnAmVixDSukfZ+8ecIcx5UJsr2i5DghhUk5q2psm8gE0YibeAxZwJ9uhwVKAQSZJPJq+gi2wKVZYKxbxawojp2Rq8Fm6DExb2IsVPRwd+eAFs3WiHjVCyjT4oEnK3ykVALHdFAncqDeScAIxCBdIIFwugXqTZY5cM53Qi9WUKyl0LY3vhbyKWbU7OhVIRVz8hdE+8b45YG826oziGDoGU8ZEYMdsiEz3OFtISCGSuW/IiN8BbXHIsp4vh3cFDWCSIdF+Vgg7suyzaSsrYW7BIM2N2XJ3akkhLoQrCO1w/ubhF7rAwjFccKQb9oVCPx9OL29Vu5lItFePo7JZlZ0eTHu4PsR7ugu40dvC8s3hbdN5VZUWF8svgo2rqK2Tnhbgk9bslx1D9pqkYRlpUhclpK+yXHEb6uCKFaj+AMncePa452XOIJ4IWsiruUaosChQkD3KYQTjs40h6OVipBgE+XUth3xcqtkHLY/BANFKXdXa3j9aMbeTcxcl1LoWaAM5o3+/F+mJ4+zATSzFQB+YmguIB6Ee2hrrBGOJelfV3MijKF5Ea0R+YIZ/CtFLIYyauFmRyauRb10yoRVrlnIrfyRyrdEACjXxin6I1HbDYgw12cvaLZmLuTownjzf5Pkq4wSoJrn7UQlwqhPQYIEbPe/QGEcPl6175eIzYlxhNC5zJl9UBg83O6wmsmK9AuiSxKJQs2kqFIp0buQuA5hyKyBTrbjxsT60bsJESyj+GO1omCCOxgGHW4zBEIBtZv8Et9up1Xtr1vo2zXlllWwvTL2WJr9DmUgWfkGLP+TloQvMdLKqhipN4SEAQS/fqpBcys4KkNzXZDHtkZ+WGmjRoPftZ7Oqbt1sn29HL/nrx64dZKuK+gadoY4YYVVFu57rQ9RUs6GkTypxCtKcTBg4DGgw88BnVH1jqmd/fJWOvHu+3ph0xHG3J65615h/GhHQ72BjtuBcIdhMHXu7uXB3enJj07d9Gi7E0dPrlovVSnESAH5HgjQL5edvzx8JHFGm0wzZHdTT6qSSVIzDt2B/kxKTvG3NuAGRulHkrQen7q6JU7lVllBTUreYIoCd7xJCOHhv/a6IFDLyUlk3qd9kR1Pkju/bUWkT18mcgT8l+zn7//Hj19e/7m6hk6Z9owsayYXtEcSuGDuHC5lMn7Au2LhEG27MLh4Y8ZvjiSMaZkYq/ivvpPe6ohDJobAx75aEOf73NdCKT9N3W/Hccf4BSKmWIRapPeZophHqs7XW8jH3DOKu1WQFIhzQrGsXLiyYpNe4cIvOvh8iq455rlU3Ya6WbKf7KMUHsRe30x20uers7ijdh31yGs4SsNO/5f7ySCTwa84B03tFOWkYddmVKlTAwYhGyA1FItsWB/7smqFulY4a7EPoLSXZ4aIfeCqWAtaaKuP7/Y5eC1cC2+XO+inazmXynmZkWwoqhUNJcFEzhYcNcRT1fYMCqMPpgez/GUu32LT7pZ1/qRlokY116dJ1ZwlVgZaIbUbnW/WJ2w2ZEXNneRqAuaU4UNzbNoSWV7+MMKn1/qFZvg2ZWSa5Y3zcP893BZcq+pDhjDN/+xz9quThtWcNpNsnyiXTZL+l5/ZjuyzeDwUMicXDMXPV/1FfeRFnCN0hlzKPh9NU96CzpT50edSuhlYKNORwWNFWukjVRO4ltoBTUYVnsC35rZbz0J775gec7pdFLuHax3VzkXON6O3DtKztXjMabZ7pVfrdNhSGzr6OxzVHJsj8y+z1IhKojalmNefkiFnMCevEMGnWpsy1+lNugdJismRky6HCeSHN/0af1JQKZ/qagVH1Y/ck3O9Ay9zXGJPsM/nH6US+HqTv85fDzRCq+p1Zw4xQp9qajaIuhBqEspNK01qnBxqt1vBr+ZRl76HnjEQlas7gIp3PZdX75xPOstTYBqy0AffHPUu2IKU57SOsz6PF63lt5pYmRtQ//wMo1UJUTQjtXPm5fHRZ5dG6mRGjsPMfMWZvqDwGjDRC43GumSErZgxH7yPFQn6PNkhxfEbs/h2+bcoKfQEZYK0j5DELp81qEWqgS842/pEpMt+qR3G982EdiiX0gbPbvWrjCBwT7y2ndNLUAFatWAyeyLOKB40wcgUP2/U2kK5TxD8u1uO71CPdad16nXgR3DDoOM5n9zxGanyesd26rP8PWu91rWXcDWx7uADnczjcOuCRjsnk2bkOmOYXBC4YYUh4ufoWwg5kjA0Qo32HJOF0x4Xz0IJ+jqV+BypOkgYHdUoVgi3FoHTE/9iy0YG59t6r37XkojvSkbH7YxmKyKiVvgt6sCwdHAOuoeR5IhL3Mm4k0Qi3o37JahqDDt4xkQUt2yHTgW10a7Le8PTO0cYJ327TuAdYlVzVP2z8/brWxWbNBKHdnbYW1Zl/x+p+2Z6DNLXFsLqbbpDvyvusTibwc7xtSI7HZRr9Xz0NNkyfLXFwD9wN5OphINdlX3W9+/q1EuyKgwSpbHiI5cVvOBc+FOPO7XtNY2PVCOADi66o5p7+GZLEosts19hGsH4/SdvbKmyj5DGRMLGVYKsL5JXSN0QH70rMgasw1N2xV98SVVjsAvFedb9J8V5mzBaI7Ooe7ZOQeDqGzoPCNS3rATBd1/p3Pk1m/tZ8zHtPno3WbbcHhZGVC5jxxheviuf2iW8FN2vDva+eRn6OO2dFtvPQeWOO4Exw9P0UUWtZlsD22Lg3NEqCc61La2j8wUrrpGudzFznkWS6lqbz+EmD+8HTnyTq+cyOxU06JMO4doDynsygc99zWaSspEmsguUnYdex6oxCbsmiQiwzpmtL8DWPly+siQK8UjHnMHasRTaYzRrFKxvCEdmJqqDC/j2ZQt6OjP0y7oqOmPu6A91ycQLPTWUAGqVXzjxMKPxs2NordStJcqE1ujcktMUUu4I3M/wrKgXr3w/33mUXjh/8PnNYXc/phTFc7O89s5YfTcbaYbPAePa2fU2mA7uR+IZk0qJhZUqZG463Dfk+yrq/gfJH3QPTsBknVf4kXnGAJXCsLaMumVCiwxGftduLi9ZbuPkEGsun/6Bx0maI0P/GTliqpp/BFWZ/cZT0/PYPTjM3QG64dRo8pM1CxlhM5nVPnhn3QnC3NPc16aNHTcIWTnwO2iT3SnU/Tek2Z/HuuVvH9rlPBpo2v2Z9hbw24SyZTLf1wgQZfSMHeA5QrrkQlQmkzdVqhzlG7x8eGC9qiTTYAaJLj0eKxunF7X34QTUjRbTlFRsdvfqJl6+HF00LKVJkzrKrrSCZAhWSqdt+5hMRTAkCqV1Ac6OJSu9Lywi6NrCE7vk06TZEg0ncF9FPnpNaR27n+MOtLzOCTvLz334DguQrXm2Trli94PqXpHdhCZPLOsh6vobRp1KsDshnqLOlFzg2/acSXdBwlk609IQ7xOKnR5/eYf767QlX2n0G9iZPpKi22iSupjsP24kWFsQQyRFSU3+ign8t2EcNoeZKGhc02/zqZFGKSB+hGErRTco+VSxQZNIU+g5Do8mq4go0YD4GywqSab8NnFco05yx0jBpDoC8LJulrvE4RAsRu61X2xHYnz6wTSyLBXxpQ6YzCDNgloOMoUBCH4EdwmthR15YtUzGwP3CgiiyJpn7g74u3w8A6hcAn+hinK+5ZmbBfLhmORaX2qgbd2ZSfDf/e7rWu0gti6UuOslGyKtOoQwg4DBBgAUmFrAMhKVliIQeOM1O2m/KqAyEjMdqK2zc3D4mce/v72zXv/7r3oLd88KEaqvu8/es82pm+yteRVKgK8qec4Cz/nppmMXY/zrQQzGj11SOhn0K0DCnvribo98AiQDu6GV4mk2VuP6yfBjE8XmO0WHaypgkyBRcURkYLQ0lhD+dqd4Uh7hc0mpfR1hLcGez1C2yJaSmWQtPT99d/fhFJwg2SPzXdSLadPsOwXGOy4WOfYNTsJNor5+8VvV5dX6B2+LZjIm7He4WO1e5s8DXNniOLItvw2Brvbt61GfQqXLEZPz3ZVjtliuoLNUxfh11tOrnbsOMu8VL489116PRZ7MeTTHcqJewXUOy7+29cNN4U5Ih9qkrFvN/hLrAl9ouxGP64arPgmqFu44t7nSFeBFHWs0V+1UVIs/zbnmNxwpg3N//rC/+158ykTC0rCHy2YohvMg4oMnvPObxAWOdISjbClokumjdpay35KYVFis/LN+hscUB+HAZLglJoKTVcI7eq1iFSdLuSNPtlgToXp5KTUePuBjLNmmtqsd/nHcR/DO6cLXHGTwZ14jRaY75Qi72xpN4P/fSc5op4U2Y6Mb8vWjMKLBSMwSGBOqUByDn0jOg29mnPR+B6b6V/sA1sZ3vrGZWyxFonVyUKnbpM0IlEU3qCCao2Xvi8RkVZ+wwCzkCL5Vi7ROSUyHwn7eFjRfVSu53PEBKYewlNKIyjCtC+aXCAmtMHC1GiEbXzDjnrE8+E7FVTF4R4ya90aV+fUjidAK2vbwoTd35kRVOv69A9PQRB0TVW3QUWJlaboHTUYNHVfc9ss9fStXOoXVy6p9tkA/LlPB2vVCow+UCcsHIeLDpojnWToOokL52HR5kIv0yrP/ozf+Xt+ef6DD7i4tm+tdQ09AW4xMYjLpTuvYV8b2B1MsvbcAt/Tu3OH7O/9wc5GOWMA+ihOCXHGAPI4p4weyXraM3n5/85k/5nYVdMcyMOur5z/kQV7XT0a7NapQqUPQ03RlFmxDydbqvv/MMzA9ktXcP8w5HCVM5NBP+rHiN6u4fSIEFtFnKgbFTEmjkMsrcZUS47Hy2k5PWpYbFqyLSjNUxeBjIctum0TXSNJmg/0kIGS8DAroqeHDKAfsCLGqTh9nXl/MG6QfI5cg21GIh8KUPDe5CNTqNU+OtCo0arZv//TdteoPZOC2McBG/nYLdsRcQNN6hKKwy51z+wyLvmlc5/fyqUf6+qrGKCXnDVBFPWCarD1BbulOdIUJu3u/Hh3DT1usNSHMID9YIOlOYQB6HsdytATGN+/dBxjDvZ1D5rcjwYRWyzs4ctf67xSz5G8z5GaiqbzMJdLHWKbjg/p66EvO4bBBj8aJezl1fqnth/gyHXvE3eweyO/VuKuX6Um76v/e8mbuPbJ07gvF5wjrestyxFGS7amonGSfb2KgCXRcf6LtBZI/hiVv68jojHq0JDlNlP0S4Kz7gYP4YBh376Z34XvKXYFF+m592Yb7CqsCR5KkDmtk0c/XQrzwyskFfqFS2x+fLmb5kWkWLBlpcbzW9p9H6PufsX7hjDoYy2bBMt4gp4ZY9kxdTXR1+5gkGqDVZ5Mqds/qd4pJJ939D2MFOV4mJrmWqv6R9Sj7ZthAqfqtsuHVGzJBOb1b3a1lQN0SKV/7UmMuLz6/CpAAhTsJosikKDBaEjlGK9Py6hDxfHY12dFcZ6wvH7HtIOl0OX5Q6KkDt9usBTAHBcrfdRONk6y5H423OTgtooWXBRrupxJzqFv6tcogC31TpBzY3mOaUQc6erxcB1F9a0cjrMYJ/QjtPgKMn8sqmohtakL9+bbwaE1k7gsQM2Kkm/9OdkvQzIzxWSFNMspevo9MitVoZc///wMbbAfJVSvsocSj0J5vQMl/FydZKQgXw1XuKEqtU+h6btqr7IOQkBP8VyuaYcYLFyiU4s3bRTFxej9IV8N25yYVDRnRzVNOESob0KaY+NYYAvETN33B0T6C9cmtEZ6OM7qnwjqRbZUoZfoQhBc6orjplnZveR6CPoDgx+B3MrQKj++RP9mt/sc/fgj+jdEpLL6sus5UA9T+x/c/C/7RabRLlHC7S+EzOmjtXXFhmYEcz7H5CZ96VNOhTT1aDSwKywR65oXME3GptIBcyRvZgQsAw23MQeM3Rx7I5XVrMXWaR32g04zihBSCC1kJXL7wnAYyKChI8Ddkhd3b8QAcoxYoL8Oe8JGI6ew5RLnj+Wd8+ggzf6EYZSKkYDV4U3h7pfBFnbPfS2E7bOPTavRykV9bDP0q9zYoxnanEwgqawxZiS6obQ8QLRH8eJ9JURzgymydcqB5xe15IGxVG4+tYBJ/B27cM0UjEy9PN/1vYuAi6M70x2I4Xbhr/rlOVJWWmtwqAxni4xO/28okaye+eSU2J1HMpIvlyQUNBT8bfOrD9ANv5nRTBTFfhDQiKC0/6sDMV9B4MWvlOmSs9TdSx6tOa9ZqkLYB6ZIH9c06q78DrfOvgH1RCDPdbXV4p+Q/x4RRideBuOCJonRwwggqdDV2Zsrr/sSLCx5WFFK1dd4ETyRX10aRPU43B+f3FMFhnho1C0amvJV+5PWYHd6DljmM/Ty51doA3QvKBYIcx72FdTVzwvU+o/QhirqwGKDOMXaICl65SK7RDy5mvh1EzFwV1OEbT3tfpcqB8JBVhMlKyG5XG77gbgFUwMtFqGfEVlhhYlxRKTQvshi4Sa4o0r4nB6+4zMfraiNXdDtAvUpgwj7pi1Yi6KwSqYUdRhB4c2oTAPJ2lMrMQGN1cUohPc5SEIqVUPUBoscqxwJqQrM2Z+h/F6piiB9cp/lcDSJ7jYLbw+RWqwbZF5wtqCw44CBrymRIh9RsNvjzrSZoKF9aENMEFmUnJogA4w6UTEo8OONprXBypyIka/t2kF2HmPlXc4cZb9CiuidkPNBgsSDmx6I/ESEvxB5CrJbkH9KcaLuOfXqtYrp0ms/9ik8EFHJbvQbBMO4/Qhy3w63xi7flwcWON+HMtu2Pwr84SAVJVLlNE/3DvokG/9M6WbFWseoM22aL3bj68PXSsliBlArKMrXhAqsmHRqfVFxw74zjCqEy5LX1S9tL5sCC7wMleYixCG8U9uLDimHq0bMPNFIboSLjBlclH3PoMe4npo0vH1GI7Ji1rqROdUz9K7SBsykLlDXPWskLxcbeuQh7RVgi4XFe02n0ITgkOsFHe3c0DRBHENgq1rnbM1yq9kAP4QF2XUtyD72iBfe5G3J1GQ7bM/TxYJuLScyw7dus9oKPauvWaSAQff7RiMe+oFu37U8mw2WbLurVbElUBF9FGdD/9hXBTTILxWtJmMly92Oi1r5uMEw9rTqNuDqolkCcrFGPTREjagU7BA0gUxbFibB67ssUuBaZglQLbMU2nMZUxTtAo016qOFmkBX6rwipzEhe+Zj8I0ZPJf3enOOFZuH5NoxwYL2geh1Q4jtCMJkoMTHUKx1xU/UNF9WhsiCvnA4NMaLH+Ay4BAsPAl2DMgRBqFrqphJ3Rp0rPu0X90XAY6NJu25fCYe3OZe6abSxUKDuJMbdd8aPmHt1gVzxnqqeF05fTZT4AAaFyPLB5Nhm0mwQbxDU2QSHsLnXSu9awlKhX679qmxTNcJAX2/Gqxfn9BYlaQupWYRBcedeAvMaZG33YWbuzvahafiJkvXuuieokhUBVWM3FcWBfc20eTnO1SyNTfDiSV3vwdbW1ORw5zkg3JLzv84QfeaOrQrh9Npu4ilrwUfkBvmAe9FzEn6lL3qvhmdBOvFjPdyrXCTWyykQbiZpBZOoOVymdWJKicR6jUj3luoT9EzZUf2/R3SraBr9bDtd6P4S87IdoppOyNy4QoQ8M21Bd+OyOWKp8ybDhPwQ+Wb/4fFqRSG3qbWWBuELttRAXV1VZ5r+3/wqGJeIxRqAHPgcSYrLJY0E3STWhaMBS7pphPqByXEGMXmlaEdCTHM0dcOdautd5+/kaHEJY4m7BrK8cGEjkluDhiC/fwih0xXfwsYt1ABZglWNxzUbc6XWlM1Q9fUHUqlqZrhJYVW3j7TfSFVjcMAdg3G6e0Efo/c7zt9K6RCcyU39rP6r6Se42jNrtF+0pf5FVYmtpuuARzbo+LvlBxUh051pyTP2xmkia6ULKkPKKZ6i98IhDlVpskuUu2i/m8uvOXFR6cJACQhBRTmHAkpvlO0pGDJ7Mt+mGIuym4f/dA0FKfHvWAuwlaHfwY780M1WlmPzmHBOVSbCCTFd0tp/3vPSwBKShZQHBPuG3eCgS8AAYukXCCYMM+onqHrVqb0Bxt0K6vSYHzmyvkqbY0YVzLqkm1yL36baSaEV9rUDOn/MTgm+AnT9iR9TbT3b1jFFz4dV4Em137cDQtb9K4tUzql7Mkhw8tieQ5YIKy1JAz8pfY0gvYkHNhbdkNfdwYZwuDC56hUMBPlOaKGPAkryljhWAOrDwSxYClqqNKoxBq6eGlo5OCnScuisFJM7gTth6U11JC96p57D06l8XXOMMHD5MQ3kUVZDe9ggmPDaMNELjc+n9ZPm3zeZFKMEmOwzUXF+RZ9qTB3zs9cFpj5Qbyw73ohLkeerq7XM9EA+8FoOCZuaO5rgepEdKzBO+UNFPvJNw1qM5bvOzg+6AqRVNR1Jzs5t0QfgRq9365Phddvpfe8outhu54m6ExVwfqDnVK7WP2anTF5+zXtHyNr2gvG09/xZsu/wGrNNVY0rwhFdeSIht1tbqZ+FnhNkz0i1ztj/PvvY+cBtC/MqF+Akht9VMuBGB5jv7p96FZYr5obatXCQJVhRVYu87eusWnKDM9qSL0WYXYjzTIzrYj9VfPvYaUpsvJcIAY5d5UgnGJl/wSN8FrUfAFhPfm1Luw8HH1wwq8a9nl61C8WkcW8Gd+72HmwfNmousfrtWaq0lN7+rraCCAw7vGbJkAauBJnbnXXk3HcU+osuOkG1zov8+W5H8GNnvrGDfVsSlf0a3F7FtarnQP6VAP+vfv58rw737URE0PvwW5EzqUBui3MHBNZWbBhOmykrvU2ZS/73aiuL9B26sJeP7ZwxvfE447PmoXR5flBTTaWf+6AJmsReynyVqOdoTNXn+n7nXL3wX5tFhBUu9/44RvvjptXpqnclKZ5jCrBqXaUke5B2Ui0xorhOR9UAbqmDEygkuMRQaCp0En7o+wcaFdVdSvPrKSyGkZdX8jsOV+/uLzq69DIt4x1HoWxuuwjBwreuRayjbQ4JNGlMOiaLQUGYTHCoqVUKZvXPhnIL8ukV7XuJqGrI/ynRaRzl4HLchlgnPe/fURMEF7l1IozP8jW/nyGnl7c4qLk9DW6cg4RBxak9yzsF4HI3OSxTXBOtU9LGDOmb6zKfQRe9yjF67gx3/un4QPTN3tCrkax5ZKqdCPswiT73I0FeBxAO10pqleS55Z7nK0+Mml0J/Q+gWdhGHv3UvnpB6djPGuacVyeh8tI7hydJ7Ios4nzruBUfO4VjHF1/j1dzb+z6EgB9akLGDcj84qMWWleLT1R1lgX80ZaSgWdB6xcr/EbmRKHVb7B6jQZesOu+la6Yv8Q2U2MtEZ+aoUoRu8wqfsph5VbK4ImtWOk+K5WUNV+KeRszehDrRXFOnpusDbYVLEU58YfhRk/mdlhF5/LW8TyF+Pvl31ZqykwtBh9GjQ+dnfBYhG+uvU7lnj63oDJz4dz9455zpiQVawYZ6eORC+j3ykrSWM6HQYe2Z8iA07dmXGHJd5wbuUe0hUhVOtFxdGFXR8RmVNtWaJu9hu2LJjI6W1kAnCmzXGa5wNlCywMppiqkZhTBfHNAivGIYMn4MFz8XexRBiI+J39bXBnIgEfyrlrLnQijdivjp42+ZwlVbr0RbdOwgxI5lWENiG+7vD0bKTI0Lm5hu9x6oQSp3w1SV7eV+W+bT/ETGiUU4MZDzgZ5rIynd+NbE3yyXMza48tbvLYAI/xh9TQouTJsnneoJwusA8B+c6XdQzfZ2tarXhNFcdbKOQy0j+u6GngRtoPwOr2v6aLugrc+eq1YaaCxowouLHWNhg2bHrodY0axer4dwiOjWkCWUVkUdj7lIaNzhx0xDrJvqWSa5Y7/1ndRa6gejQRKpfk+EDj/b1lvzDeao2km5cXVg1uS0h6Oo2sr1dPK+v/kPMj/U5Hb+8/5NwHYMK3q2TpGueeQ0KxO/nrq0t0OVCoumgk61rrq0v2YxCxsKuphl1GNaTv4w/zudVh5d6JiGwu89QVX4OKu77S4XFBFpcR9WgVv1uCCxlMUHnecQH70mGXQNvEQ9iS5U0oZ8SJV8S2Ggdl4BFe/nhKXrPvskr5TNXTva8+ue45dSAKkjVuKam6XgSX+jWnofLWugvTvsSNCRwhQa94vusQaaor8RozjoeBDNS4whHUVy6oUiOTFtwdOsbXHy/u5o2VwjeAcgHYwZZ8uoFmy9mIRGRFNq/yfBvdP8OKLGodUAdupelxjc73eqniQ1RMRuxy0Cuxy3Q1RUEC093sVddzFVc5M01lXdsXzWMUGmzXVmw4UdKGF/Zv0mWJxabgejKr/OzzBXrqayU+V9zqynPGoYAD8sAubkup7Tefoe+GjgbRj8LcCLkRO4aQpqSCZhbrXegjkzYJnsAF108LPaur3N/70qS3dInJFn0aNdc4myt8iqJ8v/AOiZlABWZioXBB96ZjlFjB1N70fRJ2lMsrWBa9l7lLjm7bAnayzgJIoQPaF6QKWEKkspB2+8a9pxv0ayXAlHwnc8rRUybWs2+fIybJczS3/0ft/2GB+VYzPfs2HF80pMwWHA8m58fWoXY1/LMrBIuCrwvk5LYefiUXexs1GJkUU/fXucezboOgqbKMHERoXcSVuz3MPr/7HSuKProE4G+//fzu9zcfLr791uXcrrHCbJQnN1LdxCxZPnjBfq8X7EbYRp1gWMRWInzNTtwuJc1zgIl9LrYJTJiFVFRoRmIKkI4rKQHGRXwvSCA+EAtotsFsOJz4wd4B6H0eG6i9PrFL1HU1T3QpzDzXRsWufId67WQOse5bGu0drWs+0jlJjy12aQeDDVQaX2zS1r34ehcLYsFGHU31VpM5Yo/darAbUWCb/fKesFA+up/g/R0XFnmv/38YrtqqzG7y30lYLO/46D0ie5E8CXPUcdx9+Ek5QdLWzsl27NKnpslor7PsoE/mM3C7DTj3cGS6blnNpoiHQdHXAjNuaV03c7nyMuPyvFvbBp24rDlo6DLQwmA8q7DOuc6sinjEfo5JvIZ0a199dCaLohJ9T9QAO3Fc46aHYvee3pq/07BO3eCmj9OsH4rbNRb5v8tw1KzFzWDDjpEMD8ZuuPAOcrrSJSNMRssSncqCB+w3WIlh0OGxo65FUWYylTC+fv/uCv3m/KhtUmoYkS+TphJc/+db9KWiaqR3a8VFpmi/U2fa5IaOQ3SLPtRFZ8G0rkZLJxEf0i5QGXuMgAVaHuU4OgTVBIJjD4abxx/QgDlWRYLTsmATuBdwGbEAuQFa5dGm0u7AjNvtagd0jk1fK3wo3DkVZFVgFauspIG7LfFgfPGDo0+YDNKposDMVtF5gdBF3AKqBvBiCa2WEoCV8z8SQC1x9EkYruNUdPaCoHvGYj84vnNbQa3qGR1pkWECg1Hil59Y2FpENN47gOfLcv2TuDWr6O87ERkxKst11L7rHegW8nGRpzsAXnMcXWKIjIolExGLIoegU+RGi2yR6Q0zJLr8ENmCy43GRfzclS5sYdbpoCeIuhCRMZFSnDBRUlXMt9ES3gewS3KTBvga8xS8wsqsVNLILH5ICqCvf8rA4xgfNk92N7lcZnkKYlvA8fPfiMgKfJsZE8ttsAvYcjSnCR6FgolESDORDumS64zPeRY7LLoD+/uEwKN3Bu/Ajt0LsQs7dlVvF/bPCWG/Sgj7XxPC/p8JYf8lDWwjS47nNIVIaaDHN89EVlQclO/5NsE7WQMvbxLoJUXF2bIo02jfVsvEfBk7CclDZimUEk2/kPi+EZFpl5CY4AS1ImmsSQs4jTWpt7oqE8wiJaIpq05iqhpprOlBbxOIECONNcxSwQazJgnwSrBbgYXUlCRgwvUrS5VEj8L6lSzNiuI8gVtNFmVGeAIftgWcIEgCcNV8a+K7RS1knQRyWWUJYhpEMcMI5gkKiHSGl1SQbcSsqy5sgfn2T5rPU+C9zqANaBLIrh1MGqxdYm0S6PNluX6Vxgetszkzf0nSaIzoLO6suB5gJaOLap3kmgNUSlT8KjftfPzRZm11AFOzcn7++M4RBxzUviTAXTf5eB3kOrAXjNMUNozOFikOkS1iFmfvAk6hG+iMlZCkmCURdaxc/5RrUw6a+UeCrRVJApuzBU1hxmhwNBc0Z9EKRndhM5GGSwqZV5xqIlNQ2wNnywSySZZ6g03Umf8d6KEM8iiAFV0ybRSO7wlpYSfQ+BQtU5FaJaO1hk7kKpF8dZn5jsUTQDeK4iKBIulKgVKhnU653qwk05mbMBsf+hYrnITB85FC2BiQ126+fWy4TBssos85zrWZVyrWsMAaKnWzglJAraLjGl+PrmuSY4OFyQ2L+MOuj+00sA/mEud57DvA8thh1bp1UIK3iBUZUVIWSboSWcAJzDRWZGmSI33HoxRkLm+it2cqdfyWpazUpWKRgXJsmKmiZ59xJmi8FjstVB11ok4DF4pv47u1uHRdT7MFl9Gf8wZ4gpR/a/NGlzoWaAKJY23oBKhGz03gcpmEdcUyyQUupYotwIp5tUxxzQqmSQqxUOgkDJtiDoSgBporRYcbXYa7BtCxM/4c1NjpeGKziW2BJKkok24AdHRLVMbXjKRiyywwj+vBcDeCqvhvVpm5obzRwUadTN2CdSNekzBZgsJNPxMntjDwYGNLgzJzjqTo6GKt7YcZWcWq8x+Aprclix4IKKkqlgoLM+i5GwPyJgng+E+v60T26VNvCmgEwEouM6zLiAMDuqAVjg1VUcxT6HeKEqCD6zqaCHh8IlvIcVu4diBLlSfAOL4jUyfwDWvnG06QD6Bp7EQAN/A4gXGi6Zf4DBBq0BoNagJTSrNlAsGry9heNq1IinugSB5dkdaKhLriRgBs4o3Y6sKsdPSummsiYhdKBKfFPhSoa9IZe/tmaeKzlQMaP6LXzPSMDXdbRu/WWuXzJHnoleIJ3sJKU5XlLHbVe5KxFXVkKAUZDNEGF7G9weuMCW3wIoFmsGbKpFDD16VI0LrJSFWJmG7WUFu0QEfRN5WR6EMl0GDpJnsk4bC8z5izHJ0pmjODzrDKfTdDDe3fw+i4yVkJqTQ2IRTAwBB9BP0NiOQoVKrT5EMwkY5yF0XJ5ZYOBgsepN9CVtGaet+RxywNnc8I5p0puqS3qMD9RgttLFYsq/4wkORIcqZhOEO9uj96aKCEdFWWUhk0bDyK0GaFDWIGlYouxljhAWm59xlCESK8tzoaFBATvrP7SF9ozkTqifwdVO1qXTw1MnJJzYqqWft9vZLV4EVDSNA1Vc04IiNRiZWm6B01GCaCu7uKGxI8fSuX+sWVK3t9hs79iK/nyKwCU4qgGfAH6kcfA9oCvafmd2YE1eFzHjJ1EuItYGR3c4tgcbdZTbEiqxkTLIgfzNydoL92T3zCLAxIhnjBcSVg1u+ygjmudRP3cAP3Xr/2PXtK34672VPThNvPLx4x9u1BZBFrmu7WeRWWRR/prYFbMeYumGIa9YhAagfXvYcJ1YKPTLyE7rkJx4FD/1xNDVL0S0W12dO0+/hs5fv3yncqA4zlcas6id33SDV5p7vulH04OYwgNrbzd+jQrl8Hdx5z9v/h+YZ2scvzWijA2mHeAKshXhLvPVnYPi5zrCly6doNNmhwq5pT8r84Db6iGQXfYC6Va18fJCNCWCNNKYw7w/vnVSksNCYTjPcddJh2SwtQe1umIZWCCWj7kC6pKphTN6ZCul3SDeZga8bpkiJO15QjrDVbCndw7bz+MOtDS+YTym9Yfw+nz08y6dliVgn2paL9MYk4fPk6+B7XMfG4KSi1RsNydyGJFIJCbgXaMLMaExQIBSpDGo1d0aPKi+5tWlhygjxpnigul4xgjiwGI6YPYHFa7GCpkTGNp6NdudrqMHqddLaN7GW1xn7gMWdYZyuZ3CZwRlxjrsEslXaokZWK3RE84X4AyF0aiy28aX4QC+EUq9kbrqU1xHfu2zkEy9Gv/hcz9EZsm38NoBuw5bUwCOczIouyMlSFxXASN77dWDrz7Jv+WcCMxZ0DYeaf1cvvf/iLtX3PO8dRU+ybINqeT7O4EbO7Om7wlir0r41PTr/waABy4Vsfu/4nPc+LFucdrt97HkcmLx+SbU/6A1PsOjP0/rePF3bvVFHnPAF/ac40UbTEgmytVunVM97PBUFAoefo47vX6FKYH18+R5fvzy/+6zX6dCnMq5/Q081qiwRlZkUVIiup/ag0qRQlBr71w6v//f89exKkCDWrhDKuTw+QqbMCh8fx6MTcd89rfu148bJGKnzF88eFdFc2HcD8yIZxd37gQ/j2FNPWOvnMlKkwR2/fvA8i+6cUNJ0v6zjO+D9S0FmYthbdr0aEwkYOC084gsf4Bu85hyU2dINPMCIduPsKvclzBX5ax+UhdJqnlxTlsXHOh8ZCLs/eXblXaTQ8VmA9YfRjx6nkNFX/dqPLK4vKiPfL0vDISRBRaGjXHqdhrYllbrrWtAKigy7Oc2a/jHkbsO3M8g+/cxMygDUJ4YJLf8PPd1lggEqba51Er7vrk4bRe4/hlVSmEckDoZtDgA0OgJntYcmrJ6a92w8Ty/oxqbf1bozwgobsxqm8uB47sHyx1pIwq3I6v9FAx0FWLisslnTWmE5EigVbVormaL4FmFTkkDUUljPlka0HBkWjI9pycNFFgn4HPKLu3y3hiu4AULSQhmY+szt+nlF80uZCZzhzqfgJQJdGpQG+SMASiwTVwjzFdUjV/6RMQFScZ7UnLp1a3rfg7T5m/dW6zoQTaLAXZkWVoAZ93Jb0OfpUP2NvwQH2I7qqHWCDl+C3MU2tHtUzgTIxYhrXSHu/+HOEOQ8qE2X7RUhwwwoS89ZU2TeQCSORNvCYM4E+XY4KFAIJssnkVXSRbYHKMsHYNwtYUR07o9eCTVDi4l7E2Kno4G9PgK0brZBxKpbRJ0UCzlb5SKiFjmigTuXBvBOAEYhAOsECYfSLVBus8uGcboTeLCHZSyFsb/wt5NLNqdlQKsKqZ+SuifeNcUuDeTdU55BB0DIeMiMGO2TC57lCWkLBjBVLfsRGeItrjsUUcfw7OCjrBJGOi3KwwV2XZRtJWVsLdgkG7O7LEztSSQl0IVjH6wd3t4g9VoaRimOFoF80qpF4enH7+q1cysUiPP2dksysaPLj3UH2o13Q3cYO3hcWb4vum8qsqDA+WXwUbV3F7Jxwt4Qet+Q46p80VaMIy8oQOS2l/ZLjCF9XhFCtR3CGzuPHNUc7LvEE8EJWxV1KtUWBwoQBblMIpx0caQ9HK5UgwKdLKey7YuVWSDlsfogGitLurtbx+tGNvJsYua6lUDPAGc2b/Xg/TE8fZgJpZqqA/ERQXEC9iPZQV1gjnMvSvi5mRZlCciPaI3OEM/hWClmM5NXCTA7NXIv6aZUIq9wzkVv5I5VuCIDRL4xT9MYjNhuQ4S7OXtFszN3J0YTxZv8nSVcYJcG1z1qIS4XQHgOEiFnv/gBCuHy9a1+vEZsS4wmhc5myeiCw+Tld4TWTFWiXRBalkgUbyVCkUyN3IfCcQxHZAp3tx42JdSN2EiLZx3BH60RBBHYwjDpc5ggEA+s3+KU+3c4r2963UbZryywrYfrlbLE1+hzKwDNyjFl/Jy0I3uMlFVQxUm8JCAKJfv3UAmZW8NSGZrshj+yM/DDTRo0HP+s9HdN262R7erl/T169cGsl3FfQNG2McMMKqq1cd9qeoiUdDSL5U4jWFOLgQUDjwQceg7ojax3Tu/tkrPXj3fb0Q6ajDTm989a8w/jQDgd7gx23AuEOwuDr3d3Lg7tTk56du2hR9qYOn1y0XqrTCJADcrwRIF8vO/54+MhijTaY5sjuJh/VpBIk5h27g/yYlB1j7m3AjI1SDyVoPT919MqdyqyygpqVPEGUBO94kpFDw39t9MChl5KSSb1Oe6I6HyT3/lqLyB6+TOQJ+a/Zz99/j56+PX9z9QydM22YWFZMr2gOpfBBXLhcyuR9gfZFwiBbduHw8McMXxzJGFMysVdxX/2nPdUQBs2NAY98tKHP97kuBNL+m7rfjuMPcArFTLEItUlvM8Uwj9WdrreRDzhnlXYrIKmQZgXjWDnxZMWmvUME3vVweRXcc83yKTuNdDPlP1lGqL2Ivb6Y7SVPV2fxRuy76xDW8JWGHf+vdxLBJwNe8I4b2inLyMOuTKlSJgYMQjZAaqmWWLA/92RVi3SscFdiH0HpLk+NkHvBVLCWNFHXn1/scvBauBZfrnfRTlbzrxRzsyJYUVQqmsuCCRwsuOuIpytsGBVGH0yP53jK3b7FJ92sa/1Iy0SMa6/OEyu4SqwMNENqt7pfrE7Y7MgLm7tI1AXNqcKG5lm0pLI9/GGFzy/1ik3w7ErJNcub5mH+e7gsuddUB4zhm//YZ21Xpw0rOO0mWT7RLpslfa8/sx3ZZnB4KGROrpmLnq/6ivtIC7hG6Yw5FPy+mie9BZ2p86NOJfQysFGno4LGijXSRion8S20ghoMqz2Bb83st56Ed1+wPOd0Oin3Dta7q5wLHG9H7h0l5+rxGNNs98qv1ukwJLZ1dPY5Kjm2R2bfZ6kQFURtyzEvP6RCTmBP3iGDTjW25a9SG/QOkxUTIyZdjhNJjm/6tP4kINO/VNSKD6sfuSZneobe5rhEn+EfTj/KpXB1p/8cPp5ohdfUak6cYoW+VFRtEfQg1KUUmtYaVbg41e43g99MIy99DzxiIStWd4EUbvuuL984nvWWJkC1ZaAPvjnqXTGFKU9pHWZ9Hq9bS+80MbK2oX94mUaqEiJox+rnzcvjIs+ujdRIjZ2HmHkLM/1BYLRhIpcbjXRJCVswYj95HqoT9Hmywwtit+fwbXNu0FPoCEsFaZ8hCF0+61ALVQLe8bd0ickWfdK7jW+bCGzRL6SNnl1rV5jAYB957bumFqACtWrAZPZFHFC86QMQqP7fqTSFcp4h+Xa3nV6hHuvO69TrwI5hh0FG8785YrPT5PWObdVn+HrXey3rLmDr411Ah7uZxmHXBAx2z6ZNyHTHMDihcEOKw8XPUDYQcyTgaIUbbDmnCya8rx6EE3T1K3A50nQQsDuqUCwRbq0Dpqf+xRaMjc829d59L6WR3pSND9sYTFbFxC3w21WB4GhgHXWPI8mQlzkT8SaIRb0bdstQVJj28QwIqW7ZDhyLa6PdlvcHpnYOsE779h3AusSq5in75+ftVjYrNmiljuztsLasS36/0/ZM9Jklrq2FVNt0B/5XXWLxt4MdY2pEdruo1+p56GmyZPnrC4B+YG8nU4kGu6r7re/f1SgXZFQYJctjREcuq/nAuXAnHvdrWmubHihHABxddce09/BMFiUW2+Y+wrWDcfrOXllTZZ+hjImFDCsFWN+krhE6ID96VmSN2Yam7Yq++JIqR+CXivMt+s8Kc7ZgNEfnUPfsnINBVDZ0nhEpb9iJgu6/0zly67f2M+Zj2nz0brNtOLysDKjcR44wPXzXPzRL+Ck73h3tfPIz9HFbuq23ngNLHHeC44en6CKL2ky2h7bFwTki1BMdalvbR2YKV12jXO5i5zyLpVS1tx9CzB/ejhx5p1dOZHaqaVGmnUO0hxR25YOe+xpNJWUiTWQXKbuOPQ9UYhN2TRKRYR0z2t8BrHw5fWTIleIRj7kDNeKpNMZoVqlY3pAOTE1VhpfxbMoWdPTnaRd01PTHXdCe6xMIFnprqADVKr5xYuFH4+ZG0Vsp2kuVia1RuSWmqCXckbkfYVlQr174/z7zKLzw/+HzmkJuf8ypCmfn+e2cMHruNtMNnoPHtTNqbbCd3A9EsyYVEwuq1EjcdbjvSfbVVfwPkj7onp0Aybov8aJzDIErBWFtmfRKBZaYjP0uXNzest1HyCBW3T/9gw4TtMYHfrJyRdU0/girs/uMp6dnMPrxGTqD9cOoUWUmapYyQuczqvzwT7qThbmnOS9NGjruELJz4HbRJ7rTKXrvSbM/j/VK3r81Svi00TX7M+ytYTeJZMrlPy6QoEtpmDvAcoX1yAQoTaZuK9Q5Srf4+HBBe9TJJkANElx6PFY3Tq/rb8IJKZotp6io2O1v1Ew9/Dg6aNlKE6Z1FV3pBMiQLJXOW/ewGApgSJVK6gMdHEpXel7YxdE1BKf3SadJMiSazuA+ivz0GlI79z9GHel5HJL3l557cBwXoVrzbJ3yRe+HVL0jO4hMnlnWw1X0No06FWB2Q71Fnai5wTftuJLugwSy9SekIV4nFbq8fvOPd1foyr5T6DcxMn2lxTZRJfUx2H7cyDC2IIbIipIbfZQT+W5COG0PstDQuaZfZ9MiDNJA/QjCVgru0XKpYoOmkCdQch0eTVeQUaMBcDbYVJNN+Oxiucac5Y4RA0j0BeFkXa33CUKg2A3d6r7YjsT5dQJpZNgrY0qdMZhBmwQ0HGUKghD8CG4TW4q68kUqZrYHbhSRRZG0T9wd8XZ4eIdQuAR/wxTlfUsztotlw7HItD7VwFu7spPhv/vd1jVaQWxdqXFWSjZFWnUIYYcBAgwAqbA1AGQlKyzEoHFG6nZTflVAZCRmO1Hb5uZh8TMPf3/75r1/9170lm8eFCNV3/cfvWcb0zfZWvIqFQHe1HOchZ9z00zGrsf5VoIZjZ46JPQz6NYBhb31RN0eeARIB3fDq0TS7K3H9ZNgxqcLzHaLDtZUQabAouKISEFoaayhfO3OcKS9wmaTUvo6wluDvR6hbREtpTJIWvr++u9vQim4QbLH5jupltMnWPYLDHZcrHPsmp0EG8X8/eK3q8sr9A7fFkzkzVjv8LHavU2ehrkzRHFkW34bg93t21ajPoVLFqOnZ7sqx2wxXcHmqYvw6y0nVzt2nGVeKl+e+y69Hou9GPLpDuXEvQLqHRf/7euGm8IckQ81ydi3G/wl1oQ+UXajH1cNVnwT1C1cce9zpKtAijrW6K/aKCmWf5tzTG4404bmf33h//a8+ZSJBSXhjxZM0Q3mQUUGz3nnNwiLHGmJRthS0SXTRm2tZT+lsCixWflm/Q0OqI/DAElwSk2FpiuEdvVaRKpOF/JGn2wwp8Ko7b/8/wEAAP//sMlYiA==" + return "eJzsvW2TGzeSIPx9fwUefzhJDrlly7b2Rjc7F9ru9rh3JLlXLckbFxNRAaJAEm4UUAJQZNO//gkkUMV6QZFsEqhu7d18mLCaZCKRSCTyPb9Dt3TzGv1RCVZS9S8IGWY4fY3+w/0B/cen97/d/AtCOdVEsdIwKV6jv/0LQqj+DZozynN99i/I/9dr+NT+7zskcEFfI0HNWqrbMyYMVXNM6Jn9e/M1hOSKqrVihr5GRlXtT8ympK8tjmup8tbfczrHFTcZLPkazTHXtPPxAN36f+9xQZGcI7OkNWKoQQytl1RR+MwoPJ8zgpZYoxmlAsmZpmpF87PB/pTG99jMQsmqPHwrfaJulwWsBead7Y2vPrZ+aIntIoVedP6+e4XxAxucyscl0/Z7iGlUaZojIxHBpak8/RVeo4JqjRf239ggIguq7aal/bwHGqG3coEuKJE5sHFgIw4W6yN17HZquHRFhcns1iID9ggnpr4nuQaaEykMFUbb+8GENliYGg0dxNGw4hgEc2z6HwyxYw4nuwTCBq2XjCwRRppqzaRAS2Y0wug9Nb8zI6jW9emfDVij2axeyornSNAVVWhGG74rsdIUvaMGW9QwmitZtJZ6+lYu9ItrTG6p0c8G4C+YosTwzXNkPN4YfaBOWDgOFy00z4KE5HRF+RGU5FL072eHkhe0VJRg4zHJ6ZwJmiMpOKBl8IxTVOAyjFWhF1m0C7PjjN/5e3518QNaYV75G89yKgybM8+d9A4Tg7hcuPNSg4OA3TEL3nMLfM8eR4mVYaTiWMHv/cGejXLGAPRRnBLijAHkcU4ZPZLVtGfy8v+dye4zsaumOZDTrq+c/ZHBRvrH8miwW+FjhF5y1BTVslIk0dt7OtlS3f/TMNMGG1pQYR4jcrjKmckIx707/EjQo8KozWNEbGl1qseIGBPHIZZWY6olx+PltJziY6RHWrLNKc1j2lAjek3Izmx9sXYLWGwGeshASTjNiujpIQPoe6yIcSr2XCsTUVG0vCpB8jlyDbYZiXwoQMF7k49MoVZXgn2p6FaNVs3+/Z82XaP2XApiHwds5GO3bEfEzYqlFYdt6p7bZdicEdy+z2/lAl2uqDDoBoQzqkROlTVBFPWCarD1ObujOdLUWCCdH3fX0OMGS30IA9gnGyzNIQxA3+tQhp7A+P6l4xhzsK970OR+NFhKnUhfbfPlr1KbtojkfY7UVORMLOoPdYhtWj6kr4e+7BgGG/xolLBX16ufEM5zZWXl2HXvE3eweyO/VuKuXqUm76v/e8lrqZVeNvTlgnOktb1lOcJowVZUNE6yr1cRsCQ6zn+R1gLJH6Py93VENEYdGrLcZIp+SXDW7eAhHDDse7YBKl+6pdE1XKTn3pttMPq4KSkieChBZhRRZpZUoU9XwvzwCkmFfuESmx9fohnWwEV1gGzOFpUC1W/Pvo9Rd7/ifUMYNJ3xGcG/YH+9kKncbLus43rlr97BINUaqzyZUteSaK1ttyl5df25o+9hpCjH/SNFSG+0oYV/RD3aFtqSOk7Vjnj231KxBROY17/pait76JBK/9qRGHF1/flVgAQe/QElTidBg9GQyjFeny2jDhXHY1+fJcU5VZPErn+FpdDVxSlRUodvO1gKYI6LlT5qJxsnWXI/G64VrautogUXxZou55JzSoxUX6MAttR7gJwby3NMI+JIR3OLaUdRfSv7agvaQehHaPEVZPZYVNVCakh2K6RAs83g0BBS9EtFtbEANStKvvHnZL9sBT2imCyRZjlFT79HZqkq9PLnn5+hNdZIUyqaVXZQ4lEorwdQQpdSaJqOFOSr4QoiK2Ean0JVzJzQs1dZByGgp3gmV7RFDCaCmZW1eNNGUVyM3h/y1bDNA5OK5qzq62kxCPVNSHNsHAtsjpj5Z/Xy+x/+op1If1GCAK2R/udgN/+09uBbvKEKvUSXguBSV9xFVqxJeS+5HoJ+YvAjkFsZWuXHl+jf7Hafox9/RP+GiFRWX4Zd+EWfo//Bzf+yX2QadYnyTfAIhczpo7V1xZpmBHM+w+Q2rQbskBPSwLXBxtkVlohU5KVkwoBpYmg4wRmYI6NKyUT5aVt9UJeUMMwBY8BUG6msZi02TuuwH6wwZ7ljjBBSCM1lJXL7wnAKyDOx8MrR3uTF7o0YQI4RC/TXYUfYaOQUNlzi/LG8cx4dpNmfFBXUKEYCVoc3hdtfBlvYPfe1ELbPPjZbjVbO62M7Q7/KtT2aoc3JBJLKGmNGoltKyz1EexQv3ldCNCUJ1TpbsTzLU0VdL2vJs6CCKmzgkueWgi27cMWUqTC3RnvH9y4CLg5WMGt2Q6wciOF24a/61QVSVlprcKgA0bBaUNN8bS8ltEqU9PTglHCZcLspoZKEgoaC/+qi9r1+oIU0FN14fieKwkM724wJSvu/OhDzFQRe/EqZLjlLmdnwqM15zQZq/6PQzazMTcjvcOvsG+B5vea62mrxT8h/jwijEy9zxh8gRm9XtcbR9fmba6/7EiwseVhRStXXeBE8kV9dGkT1ONwfn9xTBYY4mO4hV2rXlK+2P9ka7E7PAcv8DL38+RVaA90LigXCnId9BeDUBzVp6z9Ca6qoA4sN4hRrg6TolYt0ifjgauLXTcTAXU0RtvW0+12qHAgHWU2ULIXkcrHpB+LmTA20WIR+RmSJFSbGEdFe6g3gD05zgSrhc3p4x2c+WlEbu6DbBepTBhF2xC7BoiiskilFHUZQeD0q00Cy9tRKTEBjdTEK4X0OkpBK1RC1wSLHKkdCqgJz9mcov1eqIkif3Gc5HE0iWc0GT9K9iLTFukHmBWdzCjsOGPiaEinyEQV7e9yZNin9LDs2xASRRcmpCTLAqBMVgwJvFOuJwVa9mTIPxMg3du0gO4+xcpczR9mvkMIsIx3Ttj41Vs7LNsspfyDCX4o8BdktyD+lSN1tYYdYtKvXKqZLr/3Yp/BARCW70W+QoXfGXz60okq3yinyXXlggfM9ldk2FMfa5rZMj0iV0zzdO+iTbPwzpZsVax2jzrRpvtiOrw9fKyWLM4BaQVG+JlRgxaRT64uKG/adYVQhXJa8rn7Z9rIpsMCLUGkuQhzCO7W96JByuGrEzBON5Fq4yJjBRdn3DHqM7WoWxeHtMxqRJbPWjcypPkPvKm3ATGoDtbcSm5G8XGzokYe0U4DN5xbvFZ1CE4JDrhd0tFN0ThUVxDEEtqp1zlYst5oN8ENYkN3Uguxjj3jhTd6VTE22w+15uljQneVEZvjGbVZboWf1NYsUMOhu32jEQx914Ty30riRZ2eDJZt0MlnFlkDFQJE7FWJD/9hXBTTILxWtJmMly92Oi7bycY01AiTyEb4B5H6ITdSISkGHoAlk2qIwCV7fRZEC1zJLgGqZpdCey5iiqAv0ZXSoCXSl1ivyMCZkz3wMvjGD5/Jeb86xYnOfXDsmWLB9IHrdEGI7gjAZKPExFGtd8dRhpxErSlaGyIK+cDg0xgtkZcv5gEOw8CToGJAjDEJXVDGTsnRkx8bq1X0RYCuys8vlk7Z4cdA70L3STaWLhQZxp5ISNmdbwyes3bpgzlhPFa8rp89mChxA42Jk+bZgonZR5T7IEsTbm81THcLnrpXetgSlQr/d+NRYpuuEgL5fDdavT2isSlKXUrOIguMg3gJzWuSuwxSk8td3d7QLT8VNlq510T1FkagKqhi5rywK7m2CKrYdG2tXsjU3w4kld78HW1tRkUvlE2Z37kzO/niA7jV1aFfO/qAkbEdbxNLXgg/IbSXobsScpE/Zq+6b4YX0Vf9ezHgv1xI3ucVCGoTR0ne8CCfQcrnI6kSVBxHqNSPeW6hP0TOlI/v+DulW0LUaxEdY8ZeckU3q27NDLlwDAr65tuCbEblc8ZR502ECfqg4BcTC4lQKQ+9Sa6wNQlfC+eu2/VBxnmv7f/CoYl4jFGoAs+dxJkssFjQTdJ1aFowFLum6FeoHJcQYxWaVoS0JMczR1w51q623n7+w6NAljibsGspxlqxt5S6igSHYzy9yyLT1t4BxCxVglmB1w0G9zflSK6rO0A11h1Jpqs7wgkIrb5/pPpeqxmEAuwbj9HYCv0fu962+FVKhmZJr+1n9V69rOrNrtJ/0VX6NlYntpmsAx/ao+DslB9WhU90pyfNGbUx1pWRJfUAx1Vv8RiDMqTJNdpHaLur/5sJbXny0mgBAElJAYc6RkOI7RUsKlsyu7AcwG6Z8ckillL0wjb0CJwl63AvmImx1+GewszUzS68sO1mPLmDBGVSbCCTFdwtp/3vHSwBKShZQHBPuG7eCgS8AAYuknCMrHQyj+gzdbGVKf7BBu7IqDcbnrpyv0taIcSWjLtkm9+LXEx4jwittaob0/xgcE/yEaXuSviba+zes4gufjqtAk2s/7oaFLXrXlimdUvZkn+FlsbwALBDWWhIG/lJ7GkF7Eg7sLbulrxFG5XKjGcEc5UzfPkelgpkozxE15ElYUcYKH1N7ec+H3tXZKFxQQ5VGJdbQxUtDIwfXi4DIorBSTHaC9sPSGmrITnXPvQcPpfG1zjDBw+TEN5FFWQ3vYIJjw2jNRC7XPp+WSEFoaZ43mRSjxBhsc15xvkFfKsyd8zOXBWbCSw3RWojLkaer7fWMpS7t2LpVCd8ycUtzXwtUJ6JjDd4pb6DYT75pUDtj+a6D44OuEElFXXuyk3NL9BGo0YORVg+C12+l97yim2G7niboTFXB+oOdUrtY/ZqAreP/3Zr2j5E17Tnj6e94s+VfYLXmGiuaV4SiOnJEw+42TRXDPAu8pskekRtYslab++9j6wG0L8yoX4CSW31Uy4EYHmO/un3ollgvmxtq1cJAlWFFli7zt66xacoMz2tIvRZhdiPNMmdaEfur5t/DSlNk5blADHLuKkE4xcr+CRrhbVHzBYTe26nqws790Qcn/Kphn6dH/WIRWcyYaPpmtx8sXzaq7vF6rZiq9NSevrY2AgiMe/ymCZAGrsS5W931ZBz3lDoLLrlrvCGf8zJfXaD3TtI89Y0bkJu254t+LW7Pwnq1c0A/hC+/5X6+ugCS+pK3RkwMvQfdiJxLA3RbOHNMZGXBmumwkbrSm5S97LtRXV+g7dSFnX5s4YzvCbnGkv68WRhdXezVZGP55/ZoshaxlyLfarRn6NzVZ/p+p9x9sFubBQRV9xs/fOPdcbPKNJWb0jSPUSU41Y4y0j0oa4lWWDE844MqQNeUgQlUcjwiCDQVOml/lM6BtlVVt/KZlVRWw6jrC5k955sXV9d9HRr5lrHOozBWl33kQMGDayG3kRaHJLoSBt2whcAgLEZYtJQqZfPaJwP5ZZn0utbdJHR1hP+0iLTuMnBZLgOM8/63j4gJwqucWnHmB9nan5+hp5d3uCg5fY2unUPEgQXpfRb2i0BkbvLYJjintk9LGDOmb63KfQRe9yjFa7kx3/un4QPTtztCrkaxxYKqdCPswiT73I4FeBxAO10qqpeS55Z7nK0+Mmm0E3qfwLMwjL17qfz0g9MxnjXNOK4uwmUkB0fniSzKbOK8KzgVn3sFY1ydf09Xs+8sOlJAfeocxs3IvCJjVppXSx8oa6yNeSMtpYLOA1au1/iNTInDKl9j9TAZesOu+la6Yv8Q2U2MtEZ+aoUoRu8wqfsph5VbK4ImtWOk+K5WUNVuKeRszehDrRXFOnpusDbYVLEU58YfhRl/MLPDLj6Td4jlL8bfL/uyVlNgaDH6NGh87O6CxSJ8det3LPH0vQGTXwzn7h3znDEhq1gxzlYdiV5Ev1NWksZ0Ogw8sj9FBpy6M2OHJd5wbuUe0hUhVOt5xdGlXR8RmVNtWaJu9hu2LJjI6V1kAnCmzXGa54myBRYGU0zVSMyogvhmgRXjkMET8OC5+LtYIAxE/M7+NrgzkYAP5cw1F3ogjdivjp42+ZwlVbr0RbdOwgxI5lWEbUJ83eHp2UiRoXNzDd/j1AklTvlqkry8r8p9236ImdAopwYzHnAyzGRlWr8b2Zrkk+dm1h5b3OSxAR7jD6mhRcmTZfO8QTmdYx8C8p0v6xi+z9a0WvGKKo43UMhlpH9c0dPAjbQfgNXtf03ndRW489Vrw0wFjRlRcGNb22DYsOnU6xo1itXy7xAcG9MEsorIorD3KQ0bnTvoiLWSfUslVyx3/rO6i1xB9WgiVC7J8YHG+3vLfmF8qzWSdl5eWDW4KyHp6WFkfb16Wln/h5wd6Xc6env/IWc+ABO+XSVL1zj3AhKK3cnfXF+hq4FC1UYjWddaX12yG4OIhV1NNewiqiF9H3+Yz60OK/dORGQzmaeu+BpU3PWVDo8LsriMqEfL+N0SXMhggsrzlgvYlw67BNomHsIWLG9COSNOvCK21TgoA4/w8sdT8pp9l1XKZ6qe7n39yXXPqQNRkKxxR0nV9iK41K8ZDZW31l2YdiVuTOAICXrF865DpKmuxCvMOB4GMlDjCkdQXzmnSo1MWnB36Bhff7y4mzdWCt8AygVgB1vy6QaaLc5GJCIrslmV55vo/hlWZFHrgFpwK02Pa3S+00sVH6JiMmKXg16JXaarKQoSmG5nr7qeq7jKmWkq67Z90TxGocF224oNJ0q24YXdm3RZYrEpuJrMKj//fIme+lqJzxW3uvKMcSjggDywy7tSavvNZ+i7oaNB9KMwt0KuRccQ0pRU0Mxi1YU+MmmT4AlccP200PO6yv29L016SxeYbNCnUXONs5nCD1GU7xfukJgJVGAm5goXdGc6RokVTO1N3yeho1xew7LovcxdcvS2LWAr6yyAFNqjfUGqgCVEKgup2zfuPV2jXysBpuQ7mVOOnjKxOvv2OWKSPEcz+3/U/h8WmG8002ffhuOLhpTZnOPB5PzYOlRXwz+/RrAo+LpATm7q4VdyvrNRg5FJMXV/nXk86zYImirLyEGEVkVcudvD7PO737Gi6KNLAP7228/vfn/z4fLbb13O7QorzEZ5ci3VbcyS5b0X7Pd6wXaEbdQJhkVsJcLX7MTtUtI8B5jY52KTwISZS0WFZiSmAGm5khJgXMT3ggTiA7GAZmvMhsOJT/YOQO/z2EDt9Yldoq6rWaJLYWa5Nip25TvUaydziLXf0mjvaF3zkc5Jemyxy3Yw2ECl8cUm27oXX+9iQczZqKOp3moyR+yxWw12Iwpss1/eExbKR/cTvL/jwiLv9f8Pw1W3KrOb/PcgLJa3fPQekZ1IPghz1HHcXfhJOUHSVudkW3bpU9NktNdZdtAn8xm43Qacuz8yXbesZlPEw6Doa44Zt7Sum7lce5lxddGubYNOXNYcNHQRaGEwnlVY51xnVkU8Yj/HJF5DurWvPjqXRVGJvidqgJ04rnHTqdi9p3fm7zSsUze46eM061Nxu8Ei/3cZjpptcTPYsGMkw8nYDRfuIKcrXTLCZLQs0akseMB+jZUYBh0eO+paFGUmUwnjm/fvrtFvzo+6TUoNI/Jl0lSCm/98i75UVI30bq24yBTtd+pMm9zQcohu0Ie66CyY1tVo6STiQ9oGKmOPEbBAy6McR/ugmkBw7GS4efwBDZhjVSQ4LQs2gXsBlxELkBugVR5tKm0HZtxuVx3QOTZ9rfBUuDMqyLLAKlZZSQN3U+LB+OKTo0+YDNKposDMltF5gdB53AKqBvB8Aa2WEoCVsz8SQC1x9EkYruNUdPaCoHvGYj84vnNbQa3qGR1pkWECg1Hil59Y2FpENN5bgGeLcvWTuDPL6O87ERkxKst11L7rLegW8nGRpwMArziOLjFERsWCiYhFkUPQKXKjRTbP9JoZEl1+iGzO5VrjIn7uShu2MKt00BNEXYjImEgpTpgoqSpmm2gJ7wPYJblNA3yFeQpeYWVWKmlkFj8kBdBXP2XgcYwPmye7m1wusjwFsS3g+PlvRGQFvsuMieU26AK2HM1pgkehYCIR0kykQ7rkOuMznsUOi3Zgf58QePTO4C3YsXshtmHHruptw/45IexXCWH/a0LY/zMh7L+kgW1kyfGMphApDfT45pnIioqD8j3bJHgna+DlbQK9pKg4WxRlGu3bapmYL2InIXnILIVSoukXEt83IjLtEhITnKBWJI01aQGnsSb1RldlglmkRDRl1UlMVSONNT3oXQIRYqSxhlkq2GDWJAFeCXYnsJCakgRMuHplqZLoUVi9kqVZUpwncKvJoswIT+DDtoATBEkArpptTHy3qIWsk0AuqyxBTIMoZhjBPEEBkc7wggqyiZh11YYtMN/8SfNZCrxXGbQBTQLZtYNJg7VLrE0CfbYoV6/S+KB1NmPmL0kajRGdxZ0V1wOsZHRRrZNcc4BKiYpf5aadjz/arK0WYGqWzs8f3znigIPalwS46yYfr4NcC/accZrChtHZPMUhsnnM4uwu4BS6gc5YCUmKWRJRx8rVT7k25aCZfyTYWpEksDmb0xRmjAZHc0FzFq1gtAubiTRcUsi84lQTmYLaHjhbJJBNstRrbKLO/G9BD2WQRwGs6IJpo3B8T8gWdgKNT9EyFalVMlpr6ESuEslXl5nvWDwBdKMoLhIokq4UKBXa6ZTr9VIynbkJs/Ghb7DCSRg8HymEjQF55ebbx4bLtMEi+pzjXJtZpWINC6yhUjcrKAXUKjqu8fXouiY5NliY3DCPP+z62E4Du2AucJ7HvgMsjx1WrVsHJXiLWJERJWWRpCuRBZzATGNFliY50nc8SkHm8jZ6e6ZSx29ZykpdKhYZKMeGmSp69hlngsZrsbOFqqNO1GngQvFtfLcWl67raTbnMvpz3gBPkPJvbd7oUscCTSBxrA2dANXouQlcLpKwrlgkucClVLEFWDGrFimuWcE0SSEWCp2EYVPMgRDUQHOl6HCjy3DXADp2xp+DGjsdT6zXsS2QJBVl0g2Ajm6JyviakVRskQXmcZ0Mdy2oiv9mlZkbyhsdbNTJ1FuwbsRrEiZLULjpZ+LEFgYebGxpUGbOkRQdXay1/TAjy1h1/gPQ9K5k0QMBJVXFQmFhBj13Y0BeJwEc/+l1ncg+fepNAY0AWMlFhnUZcWBAG7TCsaEqinkK/U5RAnRwXUcTAY9PZAs5bgvXFmSp8gQYx3dk6gS+Ye18wwnyATSNnQjgBh4nME40/RKfAUINWqNBTWBKabZIIHh1GdvLphVJcQ8UyaMr0lqRUFfcCIBNvBFbbZiVjt5Vc0VE7EKJ4LTYU4G6Jp2xt28WJj5bOaDxI3rNTM/YcDdl9G6tVT5LkodeKZ7gLaw0VVnOYle9JxlbUUeGUpDBEG1wEdsbvMqY0AbPE2gGK6ZMCjV8VYoErZuMVJWI6WYNtUULdBR9UxmJPlQCDZZuskcSDsv7jDnL0bmiOTPoHKvcdzPU0P49jI6bnJWQSmMTQgEMDNFH0N+ASI5CpTpNPgQT6Sh3WZRcbuhgsOBe+s1lFa2p94E8ZmnofEYw70zRBb1DBe43WtjGYsWi6g8DSY4kZxqGM9Sr+6OHBkpIV2UplUHDxqMIrZfYIGZQqeh8jBVOSMu9zxCKEOG91dGggJjwnd1H+kJzJlJP5G+haldr46mRkQtqllSdbb+vl7IavGgICbqiqhlHZCQqsdIUvaMGw0Rwd1dxQ4Knb+VCv7h2Za/P0IUf8fUcmWVgShE0A/5A/ehjQFug99T8zoygOnzOQ6ZOQrw5jOxubhEs7jarKVZkecYEC+IHM3cn6K/dE58wCwOSIV5wXAmY9buoYI5r3cQ93MC91699x57St+Nu9tQ04fbzi0eMfXsQWcSapsM6r8Ky6CO9M3ArxtwFU0yjHhFI28F172FCteAjEy+he27CceDQP1dTgxT9UlFtdjTtPj5b+f698p3KAGN53KpOYvc9Uk3eadedsgsnhxHExjp/hw7t+nVw5zFn/++fb2gXu7qohQKsHeYNsBriJfHek4Xt4zLDmiKXrt1ggwa3qjkl/4uHwVc0o+AbzKVy7euDZEQIa6QphXFnePe8KoWFxmSC8b6DDtNuaQFq75ZpSKVgAtoupEuqCubUjamQ3i7pBnOwFeN0QRGnK8oR1pothDu47bz+MOtDS+YHlN+w/g5Onz3IpGeLWSXYl4r2xyTi8OVr4Xtcx8TjpqDUGg3L3YUkUggKuRVozcxyTFAgFKgMaTR2RY8qL7q3aWHJCfKkeaK4XDCCObIYjJg+gMXDYgdLjYxpfDjalcuNDqPXSmdby15Wa+wHHnOGdbaUyW0CZ8Q15hrMUtkONbJSsT2CJ9wPALlLY7GFN80PYiGcYnX2hmtpDfHOfbuAYDn61f/iDL0Rm+ZfA+gGbHktDML5GZFFWRmqwmI4iRvfbiydefZN/yxgxmLnQJj5Z/Xy+x/+Ym3fi9Zx1BT7Joi259MsbsTsUMcN3lCF/rXxyekXHg1ALnzrY9f/pOd5scW5w/U7z+PI5OV9su1Jf2CKXecMvf/t46XdO1XUOU/AX5ozTRQtsSAbq1V69Yz3c0EQUOg5+vjuNboS5seXz9HV+4vL/3qNPl0J8+on9HS93CBBmVlShchSaj8qTSpFiYFv/fDqf/9/z54EKULNMqGM69MDZOpZgcPjeHRi7rvnNb9xvHhVIxW+4vnjQrotm/ZgfmTDuIMf+BC+PcV0a518ZspUmKO3b94Hkf1TCprOl3UcZ/wfKehZmLYW3a9GhMJG9gtPOILH+AbvOIcFNnSNH2BEOnD3NXqT5wr8tI7LQ+g0Ty8pymPjnKfGQq7O3127V2k0PFZgPWH0o+NUcpqqf7vR1bVFZcT7ZWl45CSIKDS0a4/TsNbEMjdda1oB0UIX5zmzX8Z8G7BtzfIPv3MTMoA1CeGCS3/DL7osMEBlm2udRK879EnD6L3H8Foq04jkgdDNIcAGB8DMZr/k1RPT3u2HiUX9mNTbejdGeEFDduNUXlyPHVi+WGtJmFU5nd9ooOMgK5cVFgt61phORIo5W1SK5mi2AZhU5JA1FJYz5ZGtBwZFoyPacnDReYJ+Bzyi7t8u4YruAFC0kIZmPrM7fp5RfNLmQmc4c6n4CUCXRqUBPk/AEvME1cI8xXVI1f+kTEBUnGe1Jy6dWt634O0+zvqrtZ0JD6DBXpolVYIa9HFT0ufoU/2MvQUH2I/ounaADV6C38Y0tXpUzwTKxIhpXCPt/eLPEeY8qEyU2y9CghtWkJi3osq+gUwYibSBx5wJ9OlqVKAQSJBNJq+ii2wLVJYJxr5ZwIrq2Bm9FmyCEhf3IsZORQd/ewJs3WiFjFOxiD4pEnC2ykdCLXREA3UqD+atAIxABNIJ5gijX6RaY5UP53Qj9GYByV4KYXvj7yCXbkbNmlIRVj0jd028b4xbGszboTqHDIKW8ZAZMdghEz7PFdISCmasWPIjNsJbXHEspojjH+CgrBNEWi7KwQa7LsttJGVlLdgFGLDdlyd2pJIS6EKwitcP7rCIPVaGkYpjhaBfNKqReHp59/qtXMj5PDz9nZLMLGny4+0g+9Eu6G5jC+9Li7dF901lllQYnyw+irauYnZOOCyhxy05jvonTdUowrIyRE5Lab/kOMI3FSFU6xGcofP4cc3Rjks8AbyQVXEXUm1QoDBhgNsUwqmDI+3haKUSBPh0KYV9V6zcCimHzQ/RQFHq7moVrx/dyLuJketaCjUDnNG82Y/3w/T0YSaQZqYKyE8ExQXUi2gPdYk1wrks7etilpQpJNdie2SOcAbfSSGLkbxamMmhmWtRP60SYZV7JnIrf6TSDQEw+oVxit54xM4GZDjE2Suajbk7OZow3uz/QdIVRklw47MW4lIhtMcAIWLWu59ACJevd+PrNWJTYjwhdCZTVg8ENj+jS7xisgLtksiiVLJgIxmKdGrkLgWecSgim6Pz3bgxsWrETkIk+xh2tE4URKCDYdThMkcgGFi/wS/16bZe2e19G2W7bZllJUy/nC22Rp9DGXhGjjHrD9KC4D1eUEEVI/WWgCCQ6NdPLWBmCU9taLYb8siekR/OtFHjwc96T8e03XqwPb3cvSevXri1Eu4raJo2RrhhBdVWrjttT9GSjgaR/ClEawqx9yCg8eCJx6AOZK1jenc/GGv9eNiefsh0tCGnB2/NO4z37XCwN9jxViAcIAy+3t293Ls7NenZuYsWZW9q/8lF66U6jQDZI8cbAfL1suOP+48s1miDaY7sMPmoJpUgMe/YAfJjUnaMubcBMzZKPZSg9fzU0St3KrPMCmqW8gGiJLjjSUYODf+10QOHXkpKJvU67YjqfJDc+2stIjv4MpEn5L/Ofv7+e/T07cWb62fogmnDxKJieklzKIUP4sLlQibvC7QrEgbZsnOHhz9m+OJIxpiSib2Ku+o/7amGMGhuDHjkow19vs91IZD239T9thx/gFMoZopFqE36NlMM81jd6Xob+YBzVmm3ApIKaVYwjpUTT1Zs2jtE4F0Pl1fBPdcsn7LTSDtT/pNlhNqL2OuLub3k6eos3ohddx3CGr7SsOX/9U4i+GTAC95xQ1tlGXnYlSlVysSAQcgGSC3VAgv2546sapGOFQ4l9hGUbvPUCLnnTAVrSRN1/fnFLgevhWvx5XoXdbKaf6WYmyXBiqJS0VwWTOBgwV1LPF1jw6gwem96PMdT7vYtftDNutaPtEzEuPbqPLGCq8TKQDOk7VZ3i9UJmx15YXOIRJ3TnCpsaJ5FSyrbwR9W+PxSr9gEz66VXLG8aR7mv4fLkntNdcAYvvmPfda6Om1YwdlukuUT7bJZ0vf6M5uRbQaHh0Lm5Iq56Pmyr7iPtIBrlM6YQ8Hvq3nSO9CZWj9qVUIvAht1OiporFgjbaRyEt9CK6jBsNoT+NaZ/daT8O4LluecTifl3sF6h8q5wPG25N5Rcq4ejzHNdq/9aq0OQ2JTR2efo5Jje2T2fZYKUUHUphzz8kMq5AT25AEZdKqxLX+V2qB3mCyZGDHpcpxIcnzTp/UnAZn+paJWfFj9yDU502fobY5L9Bn+4fSjXApXd/rP4eOJlnhFrebEKVboS0XVBkEPQl1KoWmtUYWLU+1+M/jNNPLS98AjFrJidRdI4bbv+vKN41lvaQJUtwz0wTdHPRRTmPKU1mHW5/G6tXSniZG1Df3DyzRSlRBBO1Y/b14eF3l2baRGauw8xMxbmOkPAqM1E7lca6RLSticEfvJ81CdoM+THV4Quz2H7zbnBj2FjrBUkO0zBKHLZy1qoUrAO/6WLjDZoE+62/i2icAW/ULa6Nm1doUJDPaR175tagEqUKsGTGZfxAHFmz4Ager/TqUplPMMydfddnqFeqw7r1OvAzuGHQYZzf/miM1Ok9c7tlWf4etd77Wsu4Stj3cBHe5mGoddEzDons02IdMdw+CEwg0p9hc/Q9lAzJGAoxVusOWczpnwvnoQTtDVr8DlSNNBwO6oQrFEuG0dMD31L7ZgbHy2qffueymN9KZsfNjGYLIsJm6Bv10VCI4G1lH7OJIMeZkxEW+CWNS7YbcMRYVpH8+AkGqX7cCxuDba2/L+wNTOAdZp3749WJdY1Txl//x8u5X1kg1aqSN7O6wt65LfD9qeiT6zxLW1kGqT7sD/qkss/ra3Y0yNSLeLeq2eh54mS5a/vgDoe/b2YCrRYFd1v/XduxrlgowKo2R5jOjIZTUbOBcO4nG/prW26Z5yBMDRVXdMew/PZVFisWnuI1w7GKfv7JUVVfYZypiYy7BSgPVt6hqhPfKjZ0XWmK1p2q7o8y+pcgR+qTjfoP+sMGdzRnN0AXXPzjkYRGVNZxmR8pY9UND9dzpDbv2t/Yz5mDYfvdvsNhxeVgZU7iNHmO6/6x+aJfyUHe+Odj75M/RxU7qtbz0HljjuBMcPT9F5FrWZbA9ti4NzRKgnOtS2to/MFK66RrnsYuc8i6VUtbcfQswf3o4ceatXTmR2qmlRpp1DtIMUduW9nvsaTSVlIk2ki5Rdx54HKrEJuyaJyLCOGe1vAVa+nD4y5ErxiMfcghrxVBpjNKtULG9IC6amKsOLeDblFnT056kLOmr6Yxe05/oEgoXeGSpAtYpvnFj40bi5UfSWivZSZWJrVG6JKWoJOzL3IywL6tUL/9/nHoUX/j98XlPI7Y85VeHsPL+dB4yeu820g+fgcW2NWhtsJ/cD0axJxcScKjUSdx3ue5J9tRX/vaQPumcnQLLuSzxvHUPgSkFYWya9UoElJmO/Sxe3t2z3ETKIVftP/6DDBK3xgZ+sXFI1jT/C6uw+4+npOYx+fIbOYf0walSZiZqljND5nCo//JN2sjB3NOelSUPHLUK2Dtwu+kS3OkXvPGn257Feyfu3RgmfNrphf4a9New2kUy5+sclEnQhDXMHWC6xHpkApcnUbYVaR+kWHx8uaI862QSoQYJLj8fqxul1/U04IUWzxRQVFd3+Rs3Uw4+jg5atNGFaV9GVToAMyVLpvHWnxVAAQ6pUUh/o4FDa0vPSLo5uIDi9SzpNkiHRdAb3UeSnN5DaufsxaknP45C8v/TcgeO4CNWaZ6uUL3o/pOod2UFk8syyHq6it2nUqQCzW+ot6kTNDb7ZjitpP0ggW39CGuJ1UqGrmzf/eHeNru07hX4TI9NXttgmqqQ+BtuPaxnGFsQQWVJyq49yIh8mhNP2IAsNnWv6dTYtwiAN1I8g3ErBHVouVWzQFPIBlFyHR9MVZNRoAJwNNtVkEz7bWK4wZ7ljxAASfUE4WVfrXYIQKHZLN7ovtiNxfp1AGhn20phSZwxm0CYBDUeZgiAEP4LbxBairnyRipnNnhtFZFEk7RN3IN4OD+8QCpfgr5mivG9pxnaxrDkWmdYPNfDWruxk+O9+t3WNVhBbV2qclZJNkVYdQthhgAADQCpsDQBZyRILMWickbrdlF8VEBmJ2U7Utrl5WPzMw9/fvnnv370XveWbB8VI1ff9R+/ZxvRttpK8SkWAN/UcZ+Hn3DSTsetxvpVgRqOnDgn9DLp1QGFvPVG3Bx4B0sHd8CqRNHvrcf0kmPHpAmfdooMVVZApMK84IlIQWhprKN+4Mxxpr7Bep5S+jvDWYK9HaFtES6kMkpa+v/77m1AKbpDssflOqsX0CZb9AoOOi3WGXbOTYKOYv1/+dn11jd7hu4KJvBnrHT5Wu7fJ0zA7QxRHtuW3Mdjdrm016lO4ZDF6erarcszm0xVsPnQRfr3l5GpHx1nmpfLVhe/S67HYiSGf7lAeuFdAvePiv33dcFOYI/KhJhn7doO/xJrQD5Td6MdVgxXfBHULV9z7HOkqkKKONfqrNkqKxd9mHJNbzrSh+V9f+L89bz5lYk5J+KM5U3SNeVCRwTPe+g3CIkdaohG2VHTBtFEba9lPKSxKbJa+WX+DA+rjMEASnFJToekKoV29FpGq1YW80ScbzKkwrZyUGm8/kPGsmaZ21rv847iP4Z3TOa64yeBOvEZzzDulyJ0tdTP437eSI+pJkduR8duyNaPwfM4IDBKYUSqQnEHfiFZDr+ZcNL7HZvoXe89Whre+cRlbrEVidbLQqdskjUgUhdeooFrjhe9LRKSV3zDALKRIvpULdEGJzEfCPh5WdB+V6/kcMYGph/CU0giKMO2LJueICW2wMDUaYRvfsKMe8Xz4TgVVcbiHzFq3xtU5bccToKW1bWHC7u/MCKp1ffr7pyAIuqKq3aCixEpT9I4aDJq6r7ltlnr6Vi70i2uXVPtsAP7Cp4Nt1QqMPlAnLByHixaaI51k6CqJC+e0aHOhF2mVZ3/G7/w9v7r4wQdcXNu3rXUNPQHuMDGIy4U7r2FfG9gdTLL23ALf0925Q/b3/mDPRjljAPooTglxxgDyOKeMHslq2jN5+f/OZPeZ2FXTHMhp11fO/siCva4eDXarVKHS01BTNGVW7OlkS3X/T8MMbL90BfenIYernJkM+lE/RvS6htMjQmwZcaJuVMSYOA6xtBpTLTkeL6fl9KhhsWnJNqc0T10EMh62aLdNdI0kaT7QQwZKwmlWRE8PGUDfY0WMU3H6OvP+YNwg+Ry5BtuMRD4UoOC9yUemUKt9dKBRo1Wzf/+nTdeoPZeC2McBG/nYLdsRcQNN6hKKwzZ1z+0yLvmldZ/fyoUf6+qrGKCXnDVBFPWCarD1ObujOdIUJu12ftxdQ48bLPUhDGCfbLA0hzAAfa9DGXoC4/uXjmPMwb7uQZP70SBii4UdfPlrnVfqOZL3OVJT0XQe5nKhQ2zT8iF9PfRlxzDY4EejhL26Xv207Qc4ct37xB3s3sivlbirV6nJ++r/XvImrn3yNO7LBedIa3vLcoTRgq2oaJxkX68iYEl0nP8irQWSP0bl7+uIaIw6NGS5yRT9kuCs28FDOGDYt2/md+l7il3DRXruvdkGuwprgocSZEbr5NFPV8L88ApJhX7hEpsfX3bTvIgUc7ao1Hh+y3bfx6i7X/G+IQz6WMsmwTKeoGfGWHZMXU30tTsYpFpjlSdT6nZPqncKyeeOvoeRohwPU9Nca1X/iHq0fTNM4FS97fIhFVswgXn9m662socOqfSvHYkRV9efXwVIgILdZFEEEjQYDakc4/XZMupQcTz29VlSnCcsr++YdrAUuro4JUrq8G0HSwHMcbHSR+1k4yRL7mfDTQ7uVtGCi2JNl3PJOfRN/RoFsKXeA+TcWJ5jGhFHuno8XEtRfSuH4yzGCf0ILb6CzB6LqlpIberCvdlmcGjNJC4LULOi5Bt/TvbLkMxMMVkizXKKnn6PzFJV6OXPPz9Da+xHCdWr7KDEo1BeD6CEn6uTjBTkq+EKN1Sl9ik0fVftVdZBCOgpnskVbRGDhUt0avGmjaK4GL0/5KthmwcmFc3ZUU0T9hHqm5Dm2DgW2BwxU/f9AZH+wrUJrZEejrP6J4J6kQ1V6CW6FASXuuK4aVZ2L7kegn5i8COQWxla5ceX6N/sdp+jH39E/4aIVFZfdj0H6mFq/4Ob/2W/yDTqEiXc/kLInD5aW1esaUYw5zNMbtOXPuVUSFOPRgO7whKxrnkB02RsKh0wR/JmRsAy0HAbc8DYzbE3UlnNWmyc1mE/aDWjCCGF0FxWIrcvDIeBDBo6AhyWvNi9EQPIMWKB/jrsCBuNnMKGS5w/lnfOo4M0+xOGUSpGAlaHN4XbXwZb2D33tRC2zz42W41WzutjO0O/yrU9mqHNyQSSyhpjRqJbSss9RHsUL95XQjQ3mCJbpRx4fllLHhhL5eZTC5jE37ILV0zByNSri67vXQRcHO2Z7kAMtwt/1a8ukLLSWoNDZThbZHT6f0OJZPXMD06J7jySkXy5JKGgoeDfNr/6AN3wmxnNRFHsBwGNCEr7vzoQ8xUEXvxKmS45S9295NGa85qlKoQ9MUX6uKZRh/I73Dr7BtQTgTzX1VaLf0L+e0QYnXgZjAuaJEYPI4CkQtfnb6697kuwsORhRSlVX+NF8ER+dWkQ1eNwf3xyTxUY4qFRt2hoylfbn2wNdqfngGV+hl7+/Aqtge4FxQJhzsO+grr6eY62/iO0poo6sNggTrE2SIpeuUiXiA+uJn7dRAzc1RRhW0+736XKgXCQ1UTJUkguF5t+IG7O1ECLRehnRJZYYWIcESm0L7JYuAnuqBI+p4d3fOajFbWxC7pdoD5lEGHXtAVrURRWyZSiDiMovB6VaSBZe2olJqCxuhiF8D4HSUilaojaYJFjlSMhVYE5+zOU3ytVEaRP7rMcjibRYbPwdhBpi3WDzAvO5hR2HDDwNSVS5CMK9va4M20maGgf2hATRBYlpybIAKNOVAwK/HijaW2wMg/EyDd27SA7j7FylzNH2a+QInon5HyQIHFy0wORPxDhL0WeguwW5J9SPFD3nHr1WsV06bUf+xQeiKhkN/oNgmHcfgS5b4dbY5fvygMLnO+pzLbpjwI/HaSiRKqc5uneQZ9k458p3axY6xh1pk3zxXZ8ffhaKVmcAdQKivI1oQIrJp1aX1TcsO8MowrhsuR19cu2l02BBV6ESnMR4hDeqe1Fh5TDVSNmnmgk18JFxgwuyr5n0GNcT00a3j6jEVkya93InOoz9K7SBsykNlDXPWskLxcbeuQh7RRg87nFe0Wn0ITgkOsFHe3c0DRBHENgq1rnbMVyq9kAP4QF2U0tyD72iBfe5F3J1GQ73J6niwXdWU5khm/cZrUVelZfs0gBg+72jUY89D3dvmt5djZYcttdrYotgYroozgb+se+KqBBfqloNRkrWe52XLSVj2sMY0+rdgOuNpolIBdr1END1IhKQYegCWTaojAJXt9FkQLXMkuAapml0J7LmKKoCzTWqI8t1AS6UusVeRgTsmc+Bt+YwXN5rzfnWLG5T64dEyzYPhC9bgixHUGYDJT4GIq1rvgDNc2XlSGyoC8cDo3x4ge4DDgEC0+CjgE5wiB0RRUzqVuDjnWf9qv7IsCx0aQ9l8/Eg9vcK91UulhoEHdyo+63hk9Yu3XBnLGeKl5XTp/NFDiAxsXI8sFk2GYSbBDv0BSZhIfwuWulty1BqdBvNz41luk6IaDvV4P16xMaq5LUpdQsouA4iLfAnBb5trtwc3dHu/BU3GTpWhfdUxSJqqCKkfvKouDeJpr8fEAlW3MznFhy93uwtRUVOcxJ3iu35OyPB+heU4d25XA6bRux9LXgA3LDPOCdiDlJn7JX3Tejk2C9mPFeriVucouFNAg3k9TCCbRcLrI6UeVBhHrNiPcW6lP0TOnIvr9DuhV0rR62/W4Uf8kZ2UwxbWdELlwDAr65tuCbEblc8ZR502ECfqh88/+wOJXC0LvUGmuD0NV2VEBdXZXn2v4fPKqY1wiFGsDseZzJEosFzQRdp5YFY4FLum6F+kEJMUaxWWVoS0IMc/S1Q91q6+3nb2QocYmjCbuGcnwwoWOSmwOGYD+/yCHT1t8Cxi1UgFmC1Q0H9TbnS62oOkM31B1Kpak6wwsKrbx9pvtcqhqHAewajNPbCfweud+3+lZIhWZKru1n9V9JPcfRml2j/aSv8musTGw3XQM4tkfF3yk5qA6d6k5Jnm9nkCa6UrKkPqCY6i1+IxDmVJkmu0htF/V/c+EtLz5aTQAgCSmgMOdISPGdoiUFS2ZX9sMUc1G6ffRD01CcHveCuQhbHf4Z7MwP1djKenQBC86g2kQgKb5bSPvfO14CUFKygOKYcN+4FQx8AQhYJOUcwYR5RvUZutnKlP5gg3ZlVRqMz105X6WtEeNKRl2yTe7FbzPNhPBKm5oh/T8GxwQ/YdqepK+J9v4Nq/jCp+Mq0OTaj7thYYvetWVKp5Q92Wd4WSwvAAuEtZaEgb/UnkbQnoQDe8tu6evWIEMYXPgclQpmojxH1JAnYUUZKxxrYPWeIBYsRQ1VGpVYQxcvDY0c/DRpWRRWislO0H5YWkMN2anuuffgoTS+1hkmeJic+CayKKvhHUxwbBitmcjl2ufT+mmTz5tMilFiDLY5rzjfoC8V5s75mcsCMz+IF/ZdL8TlyNPV9nomGmA/GA3HxC3NfS1QnYiONXinvIFiP/mmQe2M5bsOjg+6QiQVde3JTs4t0UegRu+3m4fC67fSe17RzbBdTxN0pqpg/cFOqV2sfs3WmLzdmvaPkTXtOePp73iz5V9gteYaK5pXhKI6ckTD7jY3Uz8LvKbJHpGbzhj//vvYegDtCzPqF6DkVh/VciCGx9ivbh+6JdbL5oZatTBQZViRpcv8rWtsmjLD8xpSr0WY3UizzJlWxP6q+few0hRZeS4Qg5y7ShBOsbJ/gkZ4W9R8AWE9+bUu7NwffXDCrxr2eXrULxaRxawZ3zvvPFi+bFTd4/VaMVXpqT19bW0EEBj3+E0TIA1ciXO3uuvJOO4pdRbcdINrnZf56sKP4EZPfeOGejalK/q1uD0L69XOAf1QA/69+/nqoj3ftRETQ+9BNyLn0gDdFs4cE1lZsGY6bKSu9CZlL/tuVNcXaDt1YacfWzjje+Jxx+fNwujqYq8mG8s/t0eTtYi9FPlWoz1D564+0/c75e6D3dosIKi63/jhG++Om1WmqdyUpnmMKsGpdpSR7kFZS7TCiuEZH1QBuqYMTKCS4xFBoKnQSfujdA60raq6lc+spLIaRl1fyOw537y4uu7r0Mi3jHUehbG67CMHCh5cC7mNtDgk0ZUw6IYtBAZhMcKipVQpm9c+Gcgvy6TXte4moasj/KdFpHWXgctyGWCc9799REwQXuXUijM/yNb+/Aw9vbzDRcnpa3TtHCIOLEjvs7BfBCJzk8c2wTm1fVrCmDF9a1XuI/C6Ryley4353j8NH5i+3RFyNYotFlSlG2EXJtnndizA4wDa6VJRvZQ8t9zjbPWRSaOd0PsEnoVh7N1L5acfnI7xrGnGcXURLiM5ODpPZFFmE+ddwan43CsY4+r8e7qafWfRkQLqU+cwbkbmFRmz0rxa+kBZY23MG2kpFXQesHK9xm9kShxW+Rqrh8nQG3bVt9IV+4fIbmKkNfJTK0QxeodJ3U85rNxaETSpHSPFd7WCqnZLIWdrRh9qrSjW0XODtcGmiqU4N/4ozPiDmR128Zm8Qyx/Mf5+2Ze1mgJDi9GnQeNjdxcsFuGrW79jiafvDZj8Yjh375jnjAlZxYpxtupI9CL6nbKSNKbTYeCR/Sky4NSdGTss8YZzK/eQrgihWs8rji7t+ojInGrLEnWz37BlwURO7yITgDNtjtM8T5QtsDCYYqpGYkYVxDcLrBiHDJ6AB8/F38UCYSDid/a3wZ2JBHwoZ6650ANpxH519LTJ5yyp0qUvunUSZkAyryJsE+LrDk/PRooMnZtr+B6nTihxyleT5OV9Ve7b9kPMhEY5NZjxgJNhJivT+t3I1iSfPDez9tjiJo8N8Bh/SA0tSp4sm+cNyukc+xCQ73xZx/B9tqbVildUcbyBQi4j/eOKngZupP0ArG7/azqvq8Cdr14bZipozIiCG9vaBsOGTade16hRrJZ/h+DYmCaQVUQWhb1Padjo3EFHrJXsWyq5Yrnzn9Vd5AqqRxOhckmODzTe31v2C+NbrZG08/LCqsFdCUlPDyPr69XTyvo/5OxIv9PR2/sPOfMBmPDtKlm6xrkXkFDsTv7m+gpdDRSqNhrJutb66pLdGEQs7GqqYRdRDen7+MN8bnVYuXciIpvJPHXF16Dirq90eFyQxWVEPVrG75bgQgYTVJ63XMC+dNgl0DbxELZgeRPKGXHiFbGtxkEZeISXP56S1+y7rFI+U/V07+tPrntOHYiCZI07Sqq2F8Glfs1oqLy17sK0K3FjAkdI0Cuedx0iTXUlXmHG8TCQgRpXOIL6yjlVamTSgrtDx/j648XdvLFS+AZQLgA72JJPN9BscTYiEVmRzao830T3z7Aii1oH1IJbaXpco/OdXqr4EBWTEbsc9ErsMl1NUZDAdDt71fVcxVXOTFNZt+2L5jEKDbbbVmw4UbINL+zepMsSi03B1WRW+fnnS/TU10p8rrjVlWeMQwEH5IFd3pVS228+Q98NHQ2iH4W5FXItOoaQpqSCZharLvSRSZsET+CC66eFntdV7u99adJbusBkgz6NmmuczRR+iKJ8v3CHxEygAjMxV7igO9MxSqxgam/6Pgkd5fIalkXvZe6So7dtAVtZZwGk0B7tC1IFLCFSWUjdvnHv6Rr9WgkwJd/JnHL0lInV2bfPEZPkOZrZ/6P2/7DAfKOZPvs2HF80pMzmHA8m58fWoboa/vk1gkXB1wVyclMPv5LznY0ajEyKqfvrzONZt0HQVFlGDiK0KuLK3R5mn9/9jhVFH10C8Lfffn73+5sPl99+63JuV1hhNsqTa6luY5Ys771gv9cLtiNso04wLGIrEb5mJ26XkuY5wMQ+F5sEJsxcKio0IzEFSMuVlADjIr4XJBAfiAU0W2M2HE58sncAep/HBmqvT+wSdV3NEl0KM8u1UbEr36FeO5lDrP2WRntH65qPdE7SY4tdtoPBBiqNLzbZ1r34ehcLYs5GHU31VpM5Yo/darAbUWCb/fKesFA+up/g/R0XFnmv/38YrrpVmd3kvwdhsbzlo/eI7ETyQZijjuPuwk/KCZK2Oifbskufmiajvc6ygz6Zz8DtNuDc/ZHpumU1myIeBkVfc8y4pXXdzOXay4yri3ZtG3TisuagoYtAC4PxrMI65zqzKuIR+zkm8RrSrX310bksikr0PVED7MRxjZtOxe49vTN/p2GdusFNH6dZn4rbDRb5v8tw1GyLm8GGHSMZTsZuuHAHOV3pkhEmo2WJTmXBA/ZrrMQw6PDYUdeiKDOZShjfvH93jX5zftRtUmoYkS+TphLc/Odb9KWiaqR3a8VFpmi/U2fa5IaWQ3SDPtRFZ8G0rkZLJxEf0jZQGXuMgAVaHuU42gfVBIJjJ8PN4w9owByrIsFpWbAJ3Au4jFiA3ACt8mhTaTsw43a76oDOselrhafCnVFBlgVWscpKGribEg/GF58cfcJkkE4VBWa2jM4LhM7jFlA1gOcLaLWUAKyc/ZEAaomjT8JwHaeisxcE3TMW+8HxndsKalXP6EiLDBMYjBK//MTC1iKi8d4CPFuUq5/EnVlGf9+JyIhRWa6j9l1vQbeQj4s8HQB4xXF0iSEyKhZMRCyKHIJOkRstsnmm18yQ6PJDZHMu1xoX8XNX2rCFWaWDniDqQkTGREpxwkRJVTHbREt4H8AuyW0a4CvMU/AKK7NSSSOz+CEpgL76KQOPY3zYPNnd5HKR5SmIbQHHz38jIivwXWZMLLdBF7DlaE4TPAoFE4mQZiId0iXXGZ/xLHZYtAP7+4TAo3cGb8GO3QuxDTt2VW8b9s8JYb9KCPtfE8L+nwlh/yUNbCNLjmc0hUhpoMc3z0RWVByU79kmwTtZAy9vE+glRcXZoijTaN9Wy8R8ETsJyUNmKZQSTb+Q+L4RkWmXkJjgBLUiaaxJCziNNak3uioTzCIloimrTmKqGmms6UHvEogQI401zFLBBrMmCfBKsDuBhdSUJGDC1StLlUSPwuqVLM2S4jyBW00WZUZ4Ah+2BZwgSAJw1Wxj4rtFLWSdBHJZZQliGkQxwwjmCQqIdIYXVJBNxKyrNmyB+eZPms9S4L3KoA1oEsiuHUwarF1ibRLos0W5epXGB62zGTN/SdJojOgs7qy4HmAlo4tqneSaA1RKVPwqN+18/NFmbbUAU7N0fv74zhEHHNS+JMBdN/l4HeRasOeM0xQ2jM7mKQ6RzWMWZ3cBp9ANdMZKSFLMkog6Vq5+yrUpB838I8HWiiSBzdmcpjBjNDiaC5qzaAWjXdhMpOGSQuYVp5rIFNT2wNkigWySpV5jE3Xmfwt6KIM8CmBFF0wbheN7QrawE2h8ipapSK2S0VpDJ3KVSL66zHzH4gmgG0VxkUCRdKVAqdBOp1yvl5LpzE2YjQ99gxVOwuD5SCFsDMgrN98+NlymDRbR5xzn2swqFWtYYA2VullBKaBW0XGNr0fXNcmxwcLkhnn8YdfHdhrYBXOB8zz2HWB57LBq3ToowVvEiowoKYskXYks4ARmGiuyNMmRvuNRCjKXt9HbM5U6fstSVupSschAOTbMVNGzzzgTNF6LnS1UHXWiTgMXim/ju7W4dF1PszmX0Z/zBniClH9r80aXOhZoAoljbegEqEbPTeBykYR1xSLJBS6lii3Ailm1SHHNCqZJCrFQ6CQMm2IOhKAGmitFhxtdhrsG0LEz/hzU2Ol4Yr2ObYEkqSiTbgB0dEtUxteMpGKLLDCP62S4a0FV/DerzNxQ3uhgo06m3oJ1I16TMFmCwk0/Eye2MPBgY0uDMnOOpOjoYq3thxlZxqrzH4CmdyWLHggoqSoWCgsz6LkbA/I6CeD4T6/rRPbpU28KaATASi4yrMuIAwPaoBWODVVRzFPod4oSoIPrOpoIeHwiW8hxW7i2IEuVJ8A4viNTJ/ANa+cbTpAPoGnsRAA38DiBcaLpl/gMEGrQGg1qAlNKs0UCwavL2F42rUiKe6BIHl2R1oqEuuJGAGzijdhqw6x09K6aKyJiF0oEp8WeCtQ16Yy9fbMw8dnKAY0f0WtmesaGuymjd2ut8lmSPPRK8QRvYaWpynIWu+o9ydiKOjKUggyGaIOL2N7gVcaENnieQDNYMWVSqOGrUiRo3WSkqkRMN2uoLVqgo+ibykj0oRJosHSTPZJwWN5nzFmOzhXNmUHnWOW+m6GG9u9hdNzkrIRUGpsQCmBgiD6C/gZEchQq1WnyIZhIR7nLouRyQweDBffSby6raE29D+QxS0PnM4J5Z4ou6B0qcL/RwjYWKxZVfxhIciQ50zCcoV7dHz00UEK6KkupDBo2HkVovcQGMYNKRedjrHBCWu59hlCECO+tjgYFxITv7D7SF5ozkXoifwtVu1obT42MXFCzpOps+329lNXgRUNI0BVVzTgiI1GJlaboHTUYJoK7u4obEjx9Kxf6xbUre32GLvyIr+fILANTiqAZ8AfqRx8D2gK9p+Z3ZgTV4XMeMnUS4s1hZHdzi2Bxt1lNsSLLMyZYED+YuTtBf+2e+IRZGJAM8YLjSsCs30UFc1zrJu7hBu69fu079pS+HXezp6YJt59fPGLs24PIItY0HdZ5FZZFH+mdgVsx5i6YYhr1iEDaDq57DxOqBR+ZeAndcxOOA4f+uZoapOiXimqzo2n38dnK9++V71QGGMvjVnUSu++RavJOu+6UXTg5jCA21vk7dGjXr4M7jzn7f/98Q7vY1UUtFGDtMG+A1RAvifeeLGwflxnWFLl07QYbNLhVzSn5XzwMvqIZBd9gLpVrXx8kI0JYI00pjDvDu+dVKSw0JhOM9x10mHZLC1B7t0xDKgUT0HYhXVJVMKduTIX0dkk3mIOtGKcLijhdUY6w1mwh3MFt5/WHWR9aMj+g/Ib1d3D67EEmPVvMKsG+VLQ/JhGHL18L3+M6Jh43BaXWaFjuLiSRQlDIrUBrZpZjggKhQGVIo7ErelR50b1NC0tOkCfNE8XlghHMkcVgxPQBLB4WO1hqZEzjw9GuXG50GL1WOtta9rJaYz/wmDOss6VMbhM4I64x12CWynaokZWK7RE84X4AyF0aiy28aX4QC+EUq7M3XEtriHfu2wUEy9Gv/hdn6I3YNP8aQDdgy2thEM7PiCzKylAVFsNJ3Ph2Y+nMs2/6ZwEzFjsHwsw/q5ff//AXa/tetI6jptg3QbQ9n2ZxI2aHOm7whir0r41PTr/waABy4Vsfu/4nPc+LLc4drt95HkcmL++TbU/6A1PsOmfo/W8fL+3eqaLOeQL+0pxpomiJBdlYrdKrZ7yfC4KAQs/Rx3ev0ZUwP758jq7eX1z+12v06UqYVz+hp+vlBgnKzJIqRJZS+1FpUilKDHzrh1f/+/979iRIEWqWCWVcnx4gU88KHB7HoxNz3z2v+Y3jxasaqfAVzx8X0m3ZtAfzIxvGHfzAh/DtKaZb6+QzU6bCHL198z6I7J9S0HS+rOM44/9IQc/CtLXofjUiFDayX3jCETzGN3jHOSywoWv8ACPSgbuv0Zs8V+CndVweQqd5eklRHhvnPDUWcnX+7tq9SqPhsQLrCaMfHaeS01T9242uri0qI94vS8MjJ0FEoaFde5yGtSaWuela0wqIFro4z5n9MubbgG1rln/4nZuQAaxJCBdc+ht+0WWBASrbXOsket2hTxpG7z2G11KZRiQPhG4OATY4AGY2+yWvnpj2bj9MLOrHpN7WuzHCCxqyG6fy4nrswPLFWkvCrMrp/EYDHQdZuaywWNCzxnQiUszZolI0R7MNwKQih6yhsJwpj2w9MCgaHdGWg4vOE/Q74BF1/3YJV3QHgKKFNDTzmd3x84zikzYXOsOZS8VPALo0Kg3weQKWmCeoFuYprkOq/idlAqLiPKs9cenU8r4Fb/dx1l+t7Ux4AA320iypEtSgj5uSPkef6mfsLTjAfkTXtQNs8BL8Nqap1aN6JlAmRkzjGmnvF3+OMOdBZaLcfhES3LCCxLwVVfYNZMJIpA085kygT1ejAoVAgmwyeRVdZFugskww9s0CVlTHzui1YBOUuLgXMXYqOvjbE2DrRitknIpF9EmRgLNVPhJqoSMaqFN5MG8FYAQikE4wRxj9ItUaq3w4pxuhNwtI9lII2xt/B7l0M2rWlIqw6hm5a+J9Y9zSYN4O1TlkELSMh8yIwQ6Z8HmukJZQMGPFkh+xEd7iimMxRRz/AAdlnSDSclEONth1WW4jKStrwS7AgO2+PLEjlZRAF4JVvH5wh0XssTKMVBwrBP2iUY3E08u712/lQs7n4envlGRmSZMfbwfZj3ZBdxtbeF9avC26byqzpML4ZPFRtHUVs3PCYQk9bslx1D9pqkYRlpUhclpK+yXHEb6pCKFaj+AMncePa452XOIJ4IWsiruQaoMChQkD3KYQTh0caQ9HK5UgwKdLKey7YuVWSDlsfogGilJ3V6t4/ehG3k2MXNdSqBngjObNfrwfpqcPM4E0M1VAfiIoLqBeRHuoS6wRzmVpXxezpEwhuRbbI3OEM/hOClmM5NXCTA7NXIv6aZUIq9wzkVv5I5VuCIDRL4xT9MYjdjYgwyHOXtFszN3J0YTxZv8Pkq4wSoIbn7UQlwqhPQYIEbPe/QRCuHy9G1+vEZsS4wmhM5myeiCw+Rld4hWTFWiXRBalkgUbyVCkUyN3KfCMQxHZHJ3vxo2JVSN2EiLZx7CjdaIgAh0Mow6XOQLBwPoNfqlPt/XKbu/bKNttyywrYfrlbLE1+hzKwDNyjFl/kBYE7/GCCqoYqbcEBIFEv35qATNLeGpDs92QR/aM/HCmjRoPftZ7Oqbt1oPt6eXuPXn1wq2VcF9B07Qxwg0rqLZy3Wl7ipZ0NIjkTyFaU4i9BwGNB088BnUgax3Tu/vBWOvHw/b0Q6ajDTk9eGveYbxvh4O9wY63AuEAYfD17u7l3t2pSc/OXbQoe1P7Ty5aL9VpBMgeOd4IkK+XHX/cf2SxRhtMc2SHyUc1qQSJeccOkB+TsmPMvQ2YsVHqoQSt56eOXrlTmWVWULOUDxAlwR1PMnJo+K+NHjj0UlIyqddpR1Tng+TeX2sR2cGXiTwh/3X28/ffo6dvL95cP0MXTBsmFhXTS5pDKXwQFy4XMnlfoF2RMMiWnTs8/DHDF0cyxpRM7FXcVf9pTzWEQXNjwCMfbejzfa4LgbT/pu635fgDnEIxUyxCbdK3mWKYx+pO19vIB5yzSrsVkFRIs4JxrJx4smLT3iEC73q4vAruuWb5lJ1G2pnynywj1F7EXl/M7SVPV2fxRuy66xDW8JWGLf+vdxLBJwNe8I4b2irLyMOuTKlSJgYMQjZAaqkWWLA/d2RVi3SscCixj6B0m6dGyD1nKlhLmqjrzy92OXgtXIsv17uok9X8K8XcLAlWFJWK5rJgAgcL7lri6RobRoXRe9PjOZ5yt2/xg27WtX6kZSLGtVfniRVcJVYGmiFtt7pbrE7Y7MgLm0Mk6pzmVGFD8yxaUtkO/rDC55d6xSZ4dq3kiuVN8zD/PVyW3GuqA8bwzX/ss9bVacMKznaTLJ9ol82Svtef2YxsMzg8FDInV8xFz5d9xX2kBVyjdMYcCn5fzZPegc7U+lGrEnoR2KjTUUFjxRppI5WT+BZaQQ2G1Z7At87st56Ed1+wPOd0Oin3DtY7VM4Fjrcl946Sc/V4jGm2e+1Xa3UYEps6OvsclRzbI7Pvs1SICqI25ZiXH1IhJ7AnD8igU41t+avUBr3DZMnEiEmX40SS45s+rT8JyPQvFbXiw+pHrsmZPkNvc1yiz/APpx/lUri6038OH0+0xCtqNSdOsUJfKqo2CHoQ6lIKTWuNKlycavebwW+mkZe+Bx6xkBWru0AKt33Xl28cz3pLE6C6ZaAPvjnqoZjClKe0DrM+j9etpTtNjKxt6B9eppGqhAjasfp58/K4yLNrIzVSY+chZt7CTH8QGK2ZyOVaI11SwuaM2E+eh+oEfZ7s8ILY7Tl8tzk36Cl0hKWCbJ8hCF0+a1ELVQLe8bd0gckGfdLdxrdNBLboF9JGz661K0xgsI+89m1TC1CBWjVgMvsiDije9AEIVP93Kk2hnGdIvu620yvUY915nXod2DHsMMho/jdHbHaavN6xrfoMX+96r2XdJWx9vAvocDfTOOyagEH3bLYJme4YBicUbkixv/gZygZijgQcrXCDLed0zoT31YNwgq5+BS5Hmg4CdkcViiXCbeuA6al/sQVj47NNvXffS2mkN2XjwzYGk2UxcQv87apAcDSwjtrHkWTIy4yJeBPEot4Nu2UoKkz7eAaEVLtsB47FtdHelvcHpnYOsE779u3BusSq5in75+fbrayXbNBKHdnbYW1Zl/x+0PZM9Jklrq2FVJt0B/5XXWLxt70dY2pEul3Ua/U89DRZsvz1BUDfs7cHU4kGu6r7re/e1SgXZFQYJctjREcuq9nAuXAQj/s1rbVN95QjAI6uumPae3guixKLTXMf4drBOH1nr6yoss9QxsRchpUCrG9T1wjtkR89K7LGbE3TdkWff0mVI/BLxfkG/WeFOZszmqMLqHt2zsEgKms6y4iUt+yBgu6/0xly62/tZ8zHtPno3Wa34fCyMqByHznCdP9d/9As4afseHe088mfoY+b0m196zmwxHEnOH54is6zqM1ke2hbHJwjQj3Roba1fWSmcNU1ymUXO+dZLKWqvf0QYv7wduTIW71yIrNTTYsy7RyiHaSwK+/13NdoKikTaSJdpOw69jxQiU3YNUlEhnXMaH8LsPLl9JEhV4pHPOYW1Iin0hijWaVieUNaMDVVGV7Esym3oKM/T13QUdMfu6A91ycQLPTOUAGqVXzjxMKPxs2NordUtJcqE1ujcktMUUvYkbkfYVlQr174/z73KLzw/+HzmkJuf8ypCmfn+e08YPTcbaYdPAePa2vU2mA7uR+IZk0qJuZUqZG463Dfk+yrrfjvJX3QPTsBknVf4nnrGAJXCsLaMumVCiwxGftduri9ZbuPkEGs2n/6Bx0maI0P/GTlkqpp/BFWZ/cZT0/PYfTjM3QO64dRo8pM1CxlhM7nVPnhn7SThbmjOS9NGjpuEbJ14HbRJ7rVKXrnSbM/j/VK3r81Svi00Q37M+ytYbeJZMrVPy6RoAtpmDvAcon1yAQoTaZuK9Q6Srf4+HBBe9TJJkANElx6PFY3Tq/rb8IJKZotpqio6PY3aqYefhwdtGylCdO6iq50AmRIlkrnrTsthgIYUqWS+kAHh9KWnpd2cXQDweld0mmSDImmM7iPIj+9gdTO3Y9RS3oeh+T9pecOHMdFqNY8W6V80fshVe/IDiKTZ5b1cBW9TaNOBZjdUm9RJ2pu8M12XEn7QQLZ+hPSEK+TCl3dvPnHu2t0bd8p9JsYmb6yxTZRJfUx2H5cyzC2IIbIkpJbfZQT+TAhnLYHWWjoXNOvs2kRBmmgfgThVgru0HKpYoOmkA+g5Do8mq4go0YD4GywqSab8NnGcoU5yx0jBpDoC8LJulrvEoRAsVu60X2xHYnz6wTSyLCXxpQ6YzCDNgloOMoUBCH4EdwmthB15YtUzGz23CgiiyJpn7gD8XZ4eIdQuAR/zRTlfUsztotlzbHItH6ogbd2ZSfDf/e7rWu0gti6UuOslGyKtOoQwg4DBBgAUmFrAMhKlliIQeOM1O2m/KqAyEjMdqK2zc3D4mce/v72zXv/7r3oLd88KEaqvu8/es82pm+zleRVKgK8qec4Cz/nppmMXY/zrQQzGj11SOhn0K0DCnvribo98AiQDu6GV4mk2VuP6yfBjE8XOOsWHayogkyBecURkYLQ0lhD+cad4Uh7hfU6pfR1hLcGez1C2yJaSmWQtPT99d/fhFJwg2SPzXdSLaZPsOwXGHRcrDPsmp0EG8X8/fK366tr9A7fFUzkzVjv8LHavU2ehtkZojiyLb+Nwe52batRn8Ili9HTs12VYzafrmDzoYvw6y0nVzs6zjIvla8ufJdej8VODPl0h/LAvQLqHRf/7euGm8IckQ81ydi3G/wl1oR+oOxGP64arPgmqFu44t7nSFeBFHWs0V+1UVIs/jbjmNxypg3N//rC/+158ykTc0rCH82ZomvMg4oMnvHWbxAWOdISjbClogumjdpYy35KYVFis/TN+hscUB+HAZLglJoKTVcI7eq1iFStLuSNPtlgToVp5aTUeP9RCVZSdabV3b/0UeqzuTXPsKav0YyatuGf0zmuuMngErxGc8w7tcfju+/srpvM/07mFadw/0ustDXwPapa3SG90Vwu2i/2rguoKNYDi/9gqv9twMA9eGFXgxTCDQ7NDO5bciesvYWL2nCDONRVyAFxfgIGdWVwB2pwfYFNlooOAuZk3IMWimQWH1VxGgqcnkIQRQAdCxp1QO/HJPLRtDHZfz45BFOT0CTX5j406WASlyYdTPbTpJn7PFBMT8BhO7k537O65IxsIlPAAT1g7z6nLmN59mM/0nWSwHAtl1iOWmD3YJBi+d1ry8rMZCXyLJyh7TAIt+3ZdwAOoEteJLxjcexGBWa1xUPEjX47GA0mpiBIr+PTTkzS0eMQLCjHpaZ5ZtjI9cyHOv4eDDxI1AEZXHy8/9cJdyMENPyUU2sAZEmQcLAPx2UkCncCBgOIYTVS8hHmO06L7IALM1ywc9RJqw5B7uO2sXz2OGw3HHyzFx9dzRLjpKvZEXiRJVaYGKqYNoxE5JQOuUYWGXlOSaUoVIKUSt5t6iFZsRVgWAat6QzBMs2Tu1/xg0zLFK++BXzw0++wAD9yhgPJvc0j0690OQgJ55/uw92LSGAO+ylPbguVDuRxPFpBg/hUaUckDidNG6UE9GkjtZ9IdUJSPKYdQAzfakWylZpnC9Un/Gmm4wBocHVrqkVfPQQ0rAiSohyXXkedvAV5iKQKtm44zSiERAJoXAiNmrAfiIkKqjs91EaenplKYbpbuIfb7aQMejxPOI/7rO+j6Znr1hPZbq5D9Q74Yb4DaIQR2Xx3UA9YX8nKMLHImNAGi0Hh2Em6KkBGA8hhPOJ7cQ703lQlZ+I2M3exLUUHGJk71AW8CwuVCgt1EBZy9kdEC0nxbr18eOODuu4Tl+z1Rdh16+ItPGfcBIZwBBePb4f41Q8zP+oOUVGXp/vvmaFFKRVWmyw+BjtgB3GJu/r+9aDCJ+s/0ScvHAa7A4PBlPAIy3dghrWOYbuy07QNst/hU7vPo76pXYg7143/oLtowAH3LKpmt1+fcvNIs1DT4hOeLQcVdaGGuStQlH9SoBYW7kINLuzvXWRV2kM9gPB1wT9dUdWfuXbambseCgPAIybF1psVl+fbLqz9bA+dOoNt2U5BAYAesDoTOb2Lt24X3C7ui8p4eLH3GSklWUYNZliAB4QyXPgn43Ix5vI7Iapkzba9Dj96V0oVSD6cZvU8lzpLd9cs+HteuFaWxpKZTA2P/gTKtNI0lsygDvCwMGQFzTSRUd8+VlDUhTlGCUPvTBoyQBftw2hQ4wHOlYTYuBrKe5xLZN0AzuUAzQDWLqlig05Zpy7eA7r/NOIxZecQDsMgrqioETjAt1RxSmdYp3DsANwDcFhRlTMy0hbpBBw83H43/J04uCKmeKxY49CDG8QBnIxJPA/0QL+DxkXJaaaX+OXPr+Jh4MCiHtiwyoT5Gis6bOx7mt7koKIO1PB95K58IRwEuW9IzEFr/ywsBKnAoZqJk7wtFuRelcVKSm3woNXfsariEF542X5q+kmW0B6eDlXan8LMXXija8YMxJu9bzjIjiXWy4xLeVvFi+GB9LCAUQ/wOBpRX5IDYyTO35Tl1AxHshy/uIOKelDDR54ie+XwhJU5pXlkwlM/onb3wpKQSkXWHgHmQdpjzNRzHw+0ll7j4MGL527aQ7D+tBXT3dYs/Mv/HwAA///ei04u" } diff --git a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json index a33eb424fddd..ce7b0cc36582 100644 --- a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json +++ b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json @@ -2399,8 +2399,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.119.181.171", - "10.166.144.66" + "10.166.144.66", + "10.119.181.171" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "dol", diff --git a/x-pack/filebeat/module/juniper/srx/_meta/fields.yml b/x-pack/filebeat/module/juniper/srx/_meta/fields.yml new file mode 100644 index 000000000000..55ded3a11e6a --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/_meta/fields.yml @@ -0,0 +1,488 @@ +- name: juniper.srx + type: group + release: beta + default_field: false + overwrite: true + description: > + Module for parsing junipersrx syslog. + fields: + - name: reason + type: keyword + description: > + reason + + - name: connection_tag + type: keyword + description: > + connection tag + + - name: service_name + type: keyword + description: > + service name + + - name: nat_connection_tag + type: keyword + description: > + nat connection tag + + - name: src_nat_rule_type + type: keyword + description: > + src nat rule type + + - name: src_nat_rule_name + type: keyword + description: > + src nat rule name + + - name: dst_nat_rule_type + type: keyword + description: > + dst nat rule type + + - name: dst_nat_rule_name + type: keyword + description: > + dst nat rule name + + - name: protocol_id + type: keyword + description: > + protocol id + + - name: policy_name + type: keyword + description: > + policy name + + - name: session_id_32 + type: keyword + description: > + session id 32 + + - name: session_id + type: keyword + description: > + session id + + - name: outbound_packets + type: integer + description: > + packets from client + + - name: outbound_bytes + type: integer + description: > + bytes from client + + - name: inbound_packets + type: integer + description: > + packets from server + + - name: inbound_bytes + type: integer + description: > + bytes from server + + - name: elapsed_time + type: date + description: > + elapsed time + + - name: application + type: keyword + description: > + application + + - name: nested_application + type: keyword + description: > + nested application + + - name: username + type: keyword + description: > + username + + - name: roles + type: keyword + description: > + roles + + - name: encrypted + type: keyword + description: > + encrypted + + - name: application_category + type: keyword + description: > + application category + + - name: application_sub_category + type: keyword + description: > + application sub category + + - name: application_characteristics + type: keyword + description: > + application characteristics + + - name: secure_web_proxy_session_type + type: keyword + description: > + secure web proxy session type + + - name: peer_session_id + type: keyword + description: > + peer session id + + - name: peer_source_address + type: ip + description: > + peer source address + + - name: peer_source_port + type: integer + description: > + peer source port + + - name: peer_destination_address + type: ip + description: > + peer destination address + + - name: peer_destination_port + type: integer + description: > + peer destination port + + - name: hostname + type: keyword + description: > + hostname + + - name: src_vrf_grp + type: keyword + description: > + src_vrf_grp + + - name: dst_vrf_grp + type: keyword + description: > + dst_vrf_grp + + - name: icmp_type + type: integer + description: > + icmp type + + - name: process + type: keyword + description: > + process that generated the message + + - name: apbr_rule_type + type: keyword + description: > + apbr rule type + + - name: dscp_value + type: integer + description: > + apbr rule type + + - name: logical_system_name + type: keyword + description: > + logical system name + + - name: profile_name + type: keyword + description: > + profile name + + - name: routing_instance + type: keyword + description: > + routing instance + + - name: rule_name + type: keyword + description: > + rule name + + - name: uplink_tx_bytes + type: integer + description: > + uplink tx bytes + + - name: uplink_rx_bytes + type: integer + description: > + uplink rx bytes + + - name: obj + type: keyword + description: > + url path + + - name: url + type: keyword + description: > + url domain + + - name: profile + type: keyword + description: > + filter profile + + - name: category + type: keyword + description: > + filter category + + - name: filename + type: keyword + description: > + filename + + - name: temporary_filename + type: keyword + description: > + temporary_filename + + - name: name + type: keyword + description: > + name + + - name: error_message + type: keyword + description: > + error_message + + - name: error_code + type: keyword + description: > + error_code + + - name: action + type: keyword + description: > + action + + - name: protocol + type: keyword + description: > + protocol + + - name: protocol_name + type: keyword + description: > + protocol name + + - name: type + type: keyword + description: > + type + + - name: repeat_count + type: integer + description: > + repeat count + + - name: alert + type: keyword + description: > + repeat alert + + - name: message_type + type: keyword + description: > + message type + + - name: threat_severity + type: keyword + description: > + threat severity + + - name: application_name + type: keyword + description: > + application name + + - name: attack_name + type: keyword + description: > + attack name + + - name: index + type: keyword + description: > + index + + - name: message + type: keyword + description: > + mesagge + + - name: epoch_time + type: date + description: > + epoch time + + - name: packet_log_id + type: integer + description: > + packet log id + + - name: export_id + type: integer + description: > + packet log id + + - name: ddos_application_name + type: keyword + description: > + ddos application name + + - name: connection_hit_rate + type: integer + description: > + connection hit rate + + - name: time_scope + type: keyword + description: > + time scope + + - name: context_hit_rate + type: integer + description: > + context hit rate + + - name: context_value_hit_rate + type: integer + description: > + context value hit rate + + - name: time_count + type: integer + description: > + time count + + - name: time_period + type: integer + description: > + time period + + - name: context_value + type: keyword + description: > + context value + + - name: context_name + type: keyword + description: > + context name + + - name: ruleebase_name + type: keyword + description: > + ruleebase name + + - name: verdict_source + type: keyword + description: > + verdict source + + - name: verdict_number + type: integer + description: > + verdict number + + - name: file_category + type: keyword + description: > + file category + + - name: sample_sha256 + type: keyword + description: > + sample sha256 + + - name: malware_info + type: keyword + description: > + malware info + + - name: client_ip + type: ip + description: > + client ip + + - name: tenant_id + type: keyword + description: > + tenant id + + - name: timestamp + type: date + description: > + timestamp + + - name: th + type: keyword + description: > + th + + - name: status + type: keyword + description: > + status + + - name: state + type: keyword + description: > + state + + - name: file_hash_lookup + type: keyword + description: > + file hash lookup + + - name: file_name + type: keyword + description: > + file name + + - name: action_detail + type: keyword + description: > + action detail + + - name: sub_category + type: keyword + description: > + sub category + + - name: feed_name + type: keyword + description: > + feed name + + - name: occur_count + type: integer + description: > + occur count + + - name: tag + type: keyword + description: > + system log message tag, which uniquely identifies the message. + diff --git a/x-pack/filebeat/module/juniper/srx/config/srx.yml b/x-pack/filebeat/module/juniper/srx/config/srx.yml new file mode 100644 index 000000000000..6af16945317c --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/config/srx.yml @@ -0,0 +1,31 @@ +{{ if eq .input "tcp" }} + +type: tcp +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "udp" }} + +type: udp +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} + +exclude_files: [".gz$"] + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_locale: ~ + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/x-pack/filebeat/module/juniper/srx/ingest/atp.yml b/x-pack/filebeat/module/juniper/srx/ingest/atp.yml new file mode 100644 index 000000000000..b93e8da9f981 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/atp.yml @@ -0,0 +1,363 @@ +description: Pipeline for parsing junipersrx firewall logs (atp pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.category + value: malware + if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'" +- append: + field: event.type + value: + - allowed + - connection + if: "ctx.juniper?.srx?.action != 'BLOCK' && ctx.juniper?.srx?.tag != 'AAMW_MALWARE_EVENT_LOG'" +- set: + field: event.action + value: malware_detected + if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'" + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server != null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" +- rename: + field: juniper.srx.hostname + target_field: source.domain + ignore_missing: true + if: "ctx.juniper?.srx?.hostname != null" +- rename: + field: juniper.srx.client_ip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.client_ip != null" + +###################### +## ECS URL Mapping ## +###################### +- rename: + field: juniper.srx.http_host + target_field: url.domain + ignore_missing: true + if: "ctx.juniper?.srx?.http_host != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +############### +## Timestamp ## +############### +- date: + if: 'ctx.juniper.srx?.timestamp != null' + field: juniper.srx.timestamp + target_field: juniper.srx.timestamp + formats: + - 'EEE MMM dd HH:mm:ss yyyy' + - 'EEE MMM d HH:mm:ss yyyy' + on_failure: + - remove: + field: + - juniper.srx.timestamp + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/flow.yml b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml new file mode 100644 index 000000000000..1a488a57bd8a --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml @@ -0,0 +1,360 @@ +description: Pipeline for parsing junipersrx firewall logs (flow pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- rename: + field: juniper.srx.application_risk + target_field: event.risk_score + ignore_missing: true + if: "ctx.juniper?.srx?.application_risk != null" +- append: + field: event.type + value: + - start + - allowed + - connection + if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')" +- append: + field: event.type + value: + - end + - allowed + - connection + if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')" +- append: + field: event.type + value: + - denied + - connection + if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')" +- set: + field: event.action + value: flow_started + if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')" +- set: + field: event.action + value: flow_close + if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')" +- set: + field: event.action + value: flow_deny + if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx?.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server != null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: juniper.srx.policy_name + target_field: rule.name + ignore_missing: true + if: "ctx.juniper?.srx?.policy_name != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.client.packets + ctx.server.packets" + if: "ctx?.client?.packets != null && ctx?.server?.packets != null" + ignore_failure: true + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/idp.yml b/x-pack/filebeat/module/juniper/srx/ingest/idp.yml new file mode 100644 index 000000000000..808185410d7b --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/idp.yml @@ -0,0 +1,287 @@ +description: Pipeline for parsing junipersrx firewall logs (idp pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.category + value: intrusion_detection + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: application_ddos + if: '["IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: security_threat + if: '["IDP_ATTACK_LOG_EVENT", "IDP_ATTACK_LOG_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx['nat_destination_port'] != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.inbound_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.inbound_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.inbound_packets + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.inbound_packets !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.outbound_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.outbound_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.outbound_packets + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.outbound_packets != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: juniper.srx.rulebase_name + target_field: rule.name + ignore_missing: true + if: "ctx.juniper?.srx?.rulebase_name != null" +- rename: + field: juniper.srx.rule_name + target_field: rule.id + ignore_missing: true + if: "ctx.juniper?.srx?.rule_name != null" + +######################### +## ECS Network Mapping ## +######################### +- rename: + field: juniper.srx.protocol_name + target_field: network.protocol + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_name != null" + +######################### +## ECS message Mapping ## +######################### +- rename: + field: juniper.srx.message + target_field: message + ignore_missing: true + if: "ctx.juniper?.srx?.message != null" + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.outbound_bytes + - juniper.srx.outbound_packets + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.inbound_bytes + - juniper.srx.inbound_packets + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/ids.yml b/x-pack/filebeat/module/juniper/srx/ingest/ids.yml new file mode 100644 index 000000000000..039fdd64ccb0 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/ids.yml @@ -0,0 +1,363 @@ +description: Pipeline for parsing junipersrx firewall logs (ids pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.category + value: intrusion_detection + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: flood_detected + if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP based!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: scan_detected + if: "ctx.juniper?.srx?.attack_name == 'TCP port scan!'" +- set: + field: event.action + value: sweep_detected + if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: fragment_detected + if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: spoofing_detected + if: "ctx.juniper?.srx?.attack_name == 'IP spoofing!'" +- set: + field: event.action + value: session_limit_detected + if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: attack_detected + if: '["Land attack!", "WinNuke attack!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: illegal_tcp_flag_detected + if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: tunneling_screen + if: "ctx.juniper?.srx?.attack_name.startsWith('Tunnel')" + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml new file mode 100644 index 000000000000..5bc4d45e82e5 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml @@ -0,0 +1,275 @@ +# This module only supports syslog messages in the format "structured-data + brief" +# https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html +description: Pipeline for parsing junipersrx firewall logs +processors: +- grok: + field: message + patterns: + - '^<%{POSINT:syslog_pri}>(\d{1,3}\s)?(?:%{TIMESTAMP_ISO8601:_temp_.raw_date})\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:log_type}\s\[.+?\s%{GREEDYDATA:log.original}\]$' + +# split Juniper-SRX fields +- kv: + field: log.original + field_split: " (?=[a-z0-9\\_\\-]+=)" + value_split: "=" + prefix: "juniper.srx." + ignore_missing: true + ignore_failure: false + trim_value: "\"" + +# Converts all kebab-case key names to snake_case +- script: + lang: painless + source: >- + ctx.juniper.srx = ctx?.juniper?.srx.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('-', '_'), e -> e.getValue())); + +# +# Parse the date +# +- date: + if: "ctx.event.timezone == null" + field: _temp_.raw_date + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss z + - yyyy-MM-dd HH:mm:ss Z + - ISO8601 +- date: + if: "ctx.event.timezone != null" + timezone: "{{ event.timezone }}" + field: _temp_.raw_date + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss z + - yyyy-MM-dd HH:mm:ss Z + - ISO8601 + +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' + +# Can possibly be omitted if there is a solution for the equal signs and the calculation of the start time. +# -> juniper.srx.elapsed_time +- rename: + field: juniper.srx.elapsed_time + target_field: juniper.srx.duration + if: "ctx.juniper?.srx?.elapsed_time != null" + +# Sets starts, end and duration when start and duration is known +- script: + lang: painless + if: ctx?.juniper?.srx?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.juniper.srx.duration) * 1000000000L; + ctx.event.start = ctx['@timestamp']; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); + +# Removes all empty fields +- script: + lang: painless + params: + values: + - "None" + - "UNKNOWN" + - "N/A" + - "-" + source: >- + ctx?.juniper?.srx.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.module + value: juniper +- set: + field: event.dataset + value: juniper.srx +- set: + field: event.severity + value: '{{syslog_pri}}' +- rename: + field: log.original + target_field: event.original + ignore_missing: true + +##################### +## ECS Log Mapping ## +##################### +# https://www.juniper.net/documentation/en_US/junos/topics/reference/general/syslog-interpreting-msg-generated-structured-data-format.html#fac_sev_codes +- set: + field: "log.level" + if: '["0", "8", "16", "24", "32", "40", "48", "56", "64", "72", "80", "88", "96", "104", "112", "128", "136", "144", "152", "160", "168", "176", "184"].contains(ctx.syslog_pri)' + value: emergency +- set: + field: "log.level" + if: '["1", "9", "17", "25", "33", "41", "49", "57", "65", "73", "81", "89", "97", "105", "113", "129", "137", "145", "153", "161", "169", "177", "185"].contains(ctx.syslog_pri)' + value: alert +- set: + field: "log.level" + if: '["2", "10", "18", "26", "34", "42", "50", "58", "66", "74", "82", "90", "98", "106", "114", "130", "138", "146", "154", "162", "170", "178", "186"].contains(ctx.syslog_pri)' + value: critical +- set: + field: "log.level" + if: '["3", "11", "19", "27", "35", "43", "51", "59", "67", "75", "83", "91", "99", "107", "115", "131", "139", "147", "155", "163", "171", "179", "187"].contains(ctx.syslog_pri)' + value: error +- set: + field: "log.level" + if: '["4", "12", "20", "28", "36", "44", "52", "60", "68", "76", "84", "92", "100", "108", "116", "132", "140", "148", "156", "164", "172", "180", "188"].contains(ctx.syslog_pri)' + value: warning +- set: + field: "log.level" + if: '["5", "13", "21", "29", "37", "45", "53", "61", "69", "77", "85", "93", "101", "109", "117", "133", "141", "149", "157", "165", "173", "181", "189"].contains(ctx.syslog_pri)' + value: notification +- set: + field: "log.level" + if: '["6", "14", "22", "30", "38", "46", "54", "62", "70", "78", "86", "94", "102", "110", "118", "134", "142", "150", "158", "166", "174", "182", "190"].contains(ctx.syslog_pri)' + value: informational +- set: + field: "log.level" + if: '["7", "15", "23", "31", "39", "47", "55", "63", "71", "79", "87", "95", "103", "111", "119", "135", "143", "151", "159", "167", "175", "183", "191"].contains(ctx.syslog_pri)' + value: debug + +########################## +## ECS Observer Mapping ## +########################## +- set: + field: observer.vendor + value: Juniper +- set: + field: observer.product + value: SRX +- set: + field: observer.type + value: firewall +- rename: + field: syslog_hostname + target_field: observer.name + ignore_missing: true +- rename: + field: juniper.srx.packet_incoming_interface + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: juniper.srx.destination_interface_name + target_field: observer.egress.interface.name + ignore_missing: true +- rename: + field: juniper.srx.source_interface_name + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: juniper.srx.interface_name + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: juniper.srx.source_zone_name + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: juniper.srx.source_zone + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: juniper.srx.destination_zone_name + target_field: observer.egress.zone + ignore_missing: true +- rename: + field: juniper.srx.destination_zone + target_field: observer.egress.zone + ignore_missing: true +- rename: + field: syslog_program + target_field: juniper.srx.process + ignore_missing: true +- rename: + field: log_type + target_field: juniper.srx.tag + ignore_missing: true + + +############# +## Cleanup ## +############# +- remove: + field: + - message + - _temp_ + - _temp + - juniper.srx.duration + - juniper.srx.dir_disp + - juniper.srx.srczone + - juniper.srx.dstzone + - juniper.srx.duration + - syslog_pri + ignore_missing: true + +################################ +## Product Specific Pipelines ## +################################ +- pipeline: + name: '{< IngestPipeline "flow" >}' + if: "ctx.juniper?.srx?.process == 'RT_FLOW'" +- pipeline: + name: '{< IngestPipeline "utm" >}' + if: "ctx.juniper?.srx?.process == 'RT_UTM'" +- pipeline: + name: '{< IngestPipeline "idp" >}' + if: "ctx.juniper?.srx?.process == 'RT_IDP'" +- pipeline: + name: '{< IngestPipeline "ids" >}' + if: "ctx.juniper?.srx?.process == 'RT_IDS'" +- pipeline: + name: '{< IngestPipeline "atp" >}' + if: "ctx.juniper?.srx?.process == 'RT_AAMW'" +- pipeline: + name: '{< IngestPipeline "secintel" >}' + if: "ctx.juniper?.srx?.process == 'RT_SECINTEL'" + +######################### +## ECS Related Mapping ## +######################### +- append: + if: 'ctx.source?.ip != null' + field: related.ip + value: '{{source.ip}}' + ignore_failure: true +- append: + if: 'ctx.destination?.ip != null' + field: related.ip + value: '{{destination.ip}}' + ignore_failure: true +- append: + if: 'ctx.source?.nat?.ip != null' + field: related.ip + value: '{{source.nat.ip}}' + ignore_failure: true +- append: + if: 'ctx?.destination?.nat?.ip != null' + field: related.ip + value: '{{destination.nat.ip}}' + ignore_failure: true + +- append: + if: 'ctx.url?.domain != null' + field: related.hosts + value: '{{url.domain}}' + ignore_failure: true +- append: + if: 'ctx.source?.domain != null' + field: related.hosts + value: '{{source.domain}}' + ignore_failure: true +- append: + if: 'ctx.destination?.domain != null' + field: related.hosts + value: '{{destination.domain}}' + ignore_failure: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml b/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml new file mode 100644 index 000000000000..f2abb2bcf9cf --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml @@ -0,0 +1,349 @@ +description: Pipeline for parsing junipersrx firewall logs (secintel pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.category + value: malware + if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.juniper?.srx?.action == 'BLOCK'" +- append: + field: event.type + value: + - allowed + - connection + if: "ctx.juniper?.srx?.action != 'BLOCK'" +- set: + field: event.action + value: malware_detected + if: "ctx.juniper?.srx?.action == 'BLOCK'" + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" +- rename: + field: juniper.srx.hostname + target_field: source.address + ignore_missing: true + if: "ctx.juniper?.srx?.hostname != null" +- rename: + field: juniper.srx.client_ip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.client_ip != null" + +###################### +## ECS URL Mapping ## +###################### +- rename: + field: juniper.srx.http_host + target_field: url.domain + ignore_missing: true + if: "ctx.juniper?.srx?.http_host != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/ingest/utm.yml b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml new file mode 100644 index 000000000000..a80e5a94d970 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml @@ -0,0 +1,388 @@ +description: Pipeline for parsing junipersrx firewall logs (utm pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- rename: + field: juniper.srx.urlcategory_risk + target_field: event.risk_score + ignore_missing: true + if: "ctx.juniper?.srx?.urlcategory_risk != null" +- set: + field: event.kind + value: alert + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.category + value: malware + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: web_filter + if: '["WEBFILTER_URL_BLOCKED", "WEBFILTER_URL_BLOCKED_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: content_filter + if: '["CONTENT_FILTERING_BLOCKED_MT", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: antispam_filter + if: '["ANTISPAM_SPAM_DETECTED_MT", "ANTISPAM_SPAM_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: virus_detected + if: '["AV_VIRUS_DETECTED_MT", "AV_VIRUS_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: juniper.srx.policy_name + target_field: rule.name + ignore_missing: true + if: "ctx.juniper?.srx?.policy_name != null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: juniper.srx.url + target_field: url.domain + ignore_missing: true + if: "ctx.juniper?.srx?.url != null" +- rename: + field: juniper.srx.obj + target_field: url.path + ignore_missing: true + if: "ctx.juniper?.srx?.obj != null" + +###################### +## ECS File Mapping ## +###################### +- rename: + field: juniper.srx.filename + target_field: file.name + ignore_missing: true + if: "ctx.juniper?.srx?.filename != null" + +######################### +## ECS Network Mapping ## +######################### +- rename: + field: juniper.srx.protocol + target_field: network.protocol + ignore_missing: true + if: "ctx.juniper?.srx?.protocol != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/juniper/srx/manifest.yml b/x-pack/filebeat/module/juniper/srx/manifest.yml new file mode 100644 index 000000000000..879be66b99d4 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/manifest.yml @@ -0,0 +1,26 @@ +module_version: 1.0 + +var: + - name: syslog_host + default: localhost + - name: tags + default: ["juniper.srx", "forwarded"] + - name: syslog_port + default: 9006 + - name: input + default: udp + +ingest_pipeline: + - ingest/pipeline.yml + - ingest/flow.yml + - ingest/utm.yml + - ingest/idp.yml + - ingest/ids.yml + - ingest/atp.yml + - ingest/secintel.yml + +input: config/srx.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log b/x-pack/filebeat/module/juniper/srx/test/atp.log new file mode 100644 index 000000000000..95c8210f038a --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/atp.log @@ -0,0 +1,4 @@ +<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="10.10.10.1" source-port="57116" destination-address="187.19.188.200" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"] +<14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.0.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"] +<11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.0.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"] +<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"] diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json new file mode 100644 index 000000000000..4187866594ed --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json @@ -0,0 +1,240 @@ +[ + { + "@timestamp": "2013-12-14T14:06:59.134-02:00", + "client.ip": "10.10.10.1", + "client.port": 57116, + "destination.as.number": 28126, + "destination.as.organization.name": "BRISANET SERVICOS DE TELECOMUNICACOES LTDA", + "destination.geo.city_name": "Juazeiro do Norte", + "destination.geo.continent_name": "South America", + "destination.geo.country_iso_code": "BR", + "destination.geo.country_name": "Brazil", + "destination.geo.location.lat": -7.1467, + "destination.geo.location.lon": -39.247, + "destination.geo.region_iso_code": "BR-CE", + "destination.geo.region_name": "Ceara", + "destination.ip": "187.19.188.200", + "destination.port": 80, + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=\u201dcloud/blacklist/whitelist\u201d source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "BLOCK", + "juniper.srx.file_category": "executable", + "juniper.srx.policy_name": "argon_policy", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.session_id_32": "50000002", + "juniper.srx.tag": "SRX_AAMW_ACTION_LOG", + "juniper.srx.verdict_number": "8", + "juniper.srx.verdict_source": "\u201dcloud/blacklist/whitelist\u201d", + "log.level": "informational", + "log.offset": 0, + "network.iana_number": "6", + "observer.egress.zone": "trust", + "observer.ingress.zone": "untrust", + "observer.name": "pinarello", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "www.mytest.com" + ], + "related.ip": [ + "10.10.10.1", + "187.19.188.200" + ], + "server.ip": "187.19.188.200", + "server.port": 80, + "service.type": "juniper", + "source.ip": "10.10.10.1", + "source.port": 57116, + "source.user.name": "user1", + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "www.mytest.com" + }, + { + "@timestamp": "2016-09-20T15:43:30.330-02:00", + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.malware_info": "Eicar:TestVirus", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.sample_sha256": "ABC123", + "juniper.srx.tag": "AAMW_MALWARE_EVENT_LOG", + "juniper.srx.tenant_id": "ABC123456", + "juniper.srx.timestamp": "2016-06-23T09:55:38.000Z", + "juniper.srx.verdict_number": "9", + "log.level": "informational", + "log.offset": 529, + "observer.name": "host-example", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "host.example.com" + ], + "related.ip": [ + "192.0.2.0" + ], + "service.type": "juniper", + "source.domain": "host.example.com", + "source.ip": "192.0.2.0", + "source.user.name": "admin", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-20T15:40:30.050-02:00", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.message": "malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123", + "juniper.srx.policy_name": "default", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.reason": "malware", + "juniper.srx.state": "added", + "juniper.srx.status": "in_progress", + "juniper.srx.tag": "AAMW_HOST_INFECTED_EVENT_LOG", + "juniper.srx.tenant_id": "ABC123456", + "juniper.srx.th": "7", + "juniper.srx.timestamp": "2016-06-23T09:55:38.000Z", + "log.level": "error", + "log.offset": 835, + "observer.name": "host-example", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "host.example.com" + ], + "related.ip": [ + "192.0.2.0" + ], + "service.type": "juniper", + "source.domain": "host.example.com", + "source.ip": "192.0.2.0", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2007-02-15T07:17:15.719-02:00", + "client.ip": "1.1.1.1", + "client.port": 60148, + "destination.ip": "10.0.0.1", + "destination.port": 80, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"", + "event.outcome": "success", + "event.severity": "165", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "PERMIT", + "juniper.srx.application": "HTTP", + "juniper.srx.file_category": "executable", + "juniper.srx.file_hash_lookup": "FALSE", + "juniper.srx.file_name": "dummy_file", + "juniper.srx.malware_info": "Testfile", + "juniper.srx.policy_name": "test-policy", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.sample_sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494", + "juniper.srx.session_id_32": "502156", + "juniper.srx.tag": "AAMW_ACTION_LOG", + "juniper.srx.url": "dummy_url", + "juniper.srx.verdict_number": "10", + "log.level": "notification", + "log.offset": 1235, + "network.iana_number": "6", + "observer.egress.zone": "Outside", + "observer.ingress.zone": "Inside", + "observer.name": "aamw1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "dummy_host" + ], + "related.ip": [ + "1.1.1.1", + "10.0.0.1" + ], + "server.ip": "10.0.0.1", + "server.port": 80, + "service.type": "juniper", + "source.as.number": 13335, + "source.as.organization.name": "Cloudflare, Inc.", + "source.domain": "dummy_host", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": "1.1.1.1", + "source.port": 60148, + "tags": [ + "juniper.srx", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log b/x-pack/filebeat/module/juniper/srx/test/flow.log new file mode 100644 index 000000000000..400bceceeeef --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/flow.log @@ -0,0 +1,25 @@ +<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address="10.0.0.1" source-port="594" destination-address="10.128.0.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="10.128.0.1" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="1.2.3.4" source-port="56639" destination-address="5.6.7.8" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "] +<14>1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="unset" source-address="1.2.3.4" source-port="63456" destination-address="5.6.7.8" destination-port="902" service-name="None" nat-source-address="1.2.3.4" nat-source-port="63456" nat-destination-address="5.6.7.8" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "] +<14>1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address="50.0.0.100" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="50.0.0.100" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] +<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address="192.0.2.1" source-port="1" destination-address="198.51.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packet-incoming-interface="ge-0/0/1.0"] +<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2626.192.0.2.1.40 reason="response received" source-address="192.0.2.1" source-port="1" destination-address="198.51.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] +<14>1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.3.255.203" source-port="47776" destination-address="8.23.224.110" destination-port="80" connection-tag="0" service-name="junos-http" nat-source-address="10.3.136.49" nat-source-port="19162" nat-destination-address="8.23.224.110" nat-destination-port="80" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="nat1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit_all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="5" packets-from-client="6" bytes-from-client="337" packets-from-server="4" bytes-from-server="535" elapsed-time="1" application="HTTP" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" application-category="Web" application-sub-category="N/A" application-risk="4" application-characteristics="Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;"] +<14>1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason="TCP RST" source-address="192.168.2.164" source-port="53232" destination-address="172.16.1.19" destination-port="445" service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"] +<14>1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.34 reason="idle Timeout" source-address="100.73.10.92" source-port="52890" destination-address="58.68.126.198" destination-port="53" service-name="junos-dns-udp" nat-source-address="58.78.140.131" nat-source-port="11152" nat-destination-address="58.68.126.198" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="NAT_S" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="NAT" source-zone-name="Gi_nat" destination-zone-name="Internet" session-id-32="220368889" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="136" elapsed-time="8" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.108" encrypted="UNKNOWN"] +<14>1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="idle Timeout" source-address="192.168.255.2" source-port="62047" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" nat-source-address="192.168.0.47" nat-source-port="20215" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="rule001" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="trust-to-untrust-001" source-zone-name="trust" destination-zone-name="untrust" session-id-32="9621" packets-from-client="1" bytes-from-client="67" packets-from-server="1" bytes-from-server="116" elapsed-time="3" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/1.0" encrypted="UNKNOWN"] +<14>1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="application failure or action" source-address="10.164.110.223" source-port="9057" destination-address="10.104.12.161" destination-port="21" service-name="junos-ftp" nat-source-address="10.9.1.150" nat-source-port="58020" nat-destination-address="10.12.70.1" nat-destination-port="21" src-nat-rule-name="SNAT-Policy5" dst-nat-rule-name="NAT-Policy10" protocol-id="6" policy-name="FW-FTP" source-zone-name="trust" destination-zone-name="untrust" session-id-32="24311" packets-from-client="0" bytes-from-client="0" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="No "] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.41 source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="1" bytes-from-client="48" packets-from-server="0" bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="application failure or action" source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="3" bytes-from-client="144" packets-from-server="2" bytes-from-server="104" elapsed-time="1" username="N/A" roles="N/A" encrypted="N/A"] +<14>1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address="50.0.0.100" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="50.0.0.100" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] +<14>1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"] +<14>1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”] +<14>1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="58943" destination-address="46.165.154.241" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="6018" nat-destination-address="46.165.154.241" nat-destination-port="80" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="16118" packets-from-client="42" bytes-from-client="2322" packets-from-server="34" bytes-from-server="2132" elapsed-time="60" username="N/A" roles="N/A" encrypted="No" destination-interface-name="ge-0/0/0.0" category="N/A" sub-category="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="10.1.1.100" source-port="64720" destination-address="91.228.167.172" destination-port="8883" connection-tag="0" service-name="None" nat-source-address="172.19.34.100" nat-source-port="24519" nat-destination-address="91.228.167.172" nat-destination-port="8883" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="3851" packets-from-client="161" bytes-from-client="9530" packets-from-server="96" bytes-from-server="9670" elapsed-time="23755" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA NA" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="49583" destination-address="8.8.8.8" destination-port="53" connection-tag="0" service-name="junos-dns-udp" nat-source-address="172.19.34.100" nat-source-port="30838" nat-destination-address="8.8.8.8" nat-destination-port="53" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15399" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] +<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="Closed by junos-alg" source-address="10.1.1.100" source-port="63381" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="26764" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15361" packets-from-client="1" bytes-from-client="66" packets-from-server="1" bytes-from-server="82" elapsed-time="3" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="N/A" sub-category="N/A" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json new file mode 100644 index 000000000000..b597ed2afc52 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json @@ -0,0 +1,2013 @@ +[ + { + "@timestamp": "2019-11-14T06:37:51.184-02:00", + "client.ip": "10.0.0.1", + "client.nat.port": 594, + "client.port": 594, + "destination.ip": "10.128.0.1", + "destination.nat.ip": "10.128.0.1", + "destination.nat.port": 10400, + "destination.port": 10400, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.connection_tag": "0", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "6093", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 0, + "network.iana_number": "1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "st0.0", + "observer.ingress.zone": "vpn", + "observer.name": "SRX-GW1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.0.0.1", + "10.128.0.1", + "10.0.0.1", + "10.128.0.1" + ], + "rule.name": "vpn_trust_permit-all", + "server.ip": "10.128.0.1", + "server.nat.port": 10400, + "server.port": 10400, + "service.type": "juniper", + "source.ip": "10.0.0.1", + "source.nat.ip": "10.0.0.1", + "source.nat.port": 594, + "source.port": 594, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-14T08:12:46.573-02:00", + "client.ip": "10.0.0.26", + "client.port": 37233, + "destination.ip": "10.128.0.1", + "destination.port": 161, + "event.action": "flow_deny", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.connection_tag": "0", + "juniper.srx.encrypted": "No", + "juniper.srx.icmp_type": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "Denied by policy", + "juniper.srx.session_id_32": "7087", + "juniper.srx.tag": "RT_FLOW_SESSION_DENY", + "log.level": "informational", + "log.offset": 850, + "network.iana_number": "17", + "observer.egress.zone": "junos-host", + "observer.ingress.interface.name": ".local..0", + "observer.ingress.zone": "trust", + "observer.name": "SRX-GW1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.0.0.26", + "10.128.0.1" + ], + "rule.name": "MgmtAccess-trust-cleanup", + "server.ip": "10.128.0.1", + "server.port": 161, + "service.type": "juniper", + "source.ip": "10.0.0.26", + "source.port": 37233, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2014-05-01T06:26:51.179-02:00", + "client.ip": "1.2.3.4", + "client.port": 56639, + "destination.as.number": 6805, + "destination.as.organization.name": "Telefonica Germany", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "5.6.7.8", + "destination.port": 2003, + "event.action": "flow_deny", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.encrypted": "No ", + "juniper.srx.icmp_type": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.tag": "RT_FLOW_SESSION_DENY", + "log.level": "informational", + "log.offset": 1513, + "network.iana_number": "6", + "observer.egress.zone": "mngmt", + "observer.ingress.interface.name": "reth6.0", + "observer.ingress.zone": "campus", + "observer.name": "fw01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "rule.name": "log-all-else", + "server.ip": "5.6.7.8", + "server.port": 2003, + "service.type": "juniper", + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "source.port": 56639, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2014-05-01T06:28:10.933-02:00", + "client.bytes": 94, + "client.ip": "1.2.3.4", + "client.nat.port": 63456, + "client.packets": 1, + "client.port": 63456, + "destination.as.number": 6805, + "destination.as.organization.name": "Telefonica Germany", + "destination.bytes": 0, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "5.6.7.8", + "destination.nat.ip": "5.6.7.8", + "destination.nat.port": 902, + "destination.packets": 0, + "destination.port": 902, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 60000000000, + "event.end": "2014-05-01T06:29:10.933-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"unset\" source-address=\"1.2.3.4\" source-port=\"63456\" destination-address=\"5.6.7.8\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"1.2.3.4\" nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2014-05-01T06:28:10.933-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.encrypted": "No ", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "unset", + "juniper.srx.session_id_32": "15353", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 1966, + "network.bytes": 94, + "network.iana_number": "17", + "network.packets": 1, + "observer.egress.zone": "intra", + "observer.ingress.interface.name": "reth3.5", + "observer.ingress.zone": "mngmt", + "observer.name": "fw01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "1.2.3.4", + "5.6.7.8", + "1.2.3.4", + "5.6.7.8" + ], + "rule.name": "mngmt-to-vcenter", + "server.bytes": 0, + "server.ip": "5.6.7.8", + "server.nat.port": 902, + "server.packets": 0, + "server.port": 902, + "service.type": "juniper", + "source.bytes": 94, + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "source.nat.ip": "1.2.3.4", + "source.nat.port": 63456, + "source.packets": 1, + "source.port": 63456, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-11-04T14:23:09.264-02:00", + "client.ip": "50.0.0.100", + "client.nat.port": 24065, + "client.port": 24065, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "30.0.0.100", + "destination.nat.ip": "30.0.0.100", + "destination.nat.port": 768, + "destination.port": 768, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "100000165", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 2721, + "network.iana_number": "1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "reth2.0", + "observer.ingress.zone": "untrust", + "observer.name": "cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "50.0.0.100", + "30.0.0.100", + "50.0.0.100", + "30.0.0.100" + ], + "rule.name": "alg-policy", + "server.ip": "30.0.0.100", + "server.nat.port": 768, + "server.port": 768, + "service.type": "juniper", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "50.0.0.100", + "source.nat.ip": "50.0.0.100", + "source.nat.port": 24065, + "source.port": 24065, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2010-09-30T04:55:04.323-02:00", + "client.ip": "192.0.2.1", + "client.nat.port": 1, + "client.port": 1, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "198.51.100.12", + "destination.nat.ip": "18.51.100.12", + "destination.nat.port": 46384, + "destination.port": 46384, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "41", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 3366, + "network.iana_number": "1", + "observer.egress.zone": "untrustZone", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "mrpp-srx550-dut01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.0.2.1", + "198.51.100.12", + "192.0.2.1", + "18.51.100.12" + ], + "rule.name": "policy1", + "server.ip": "198.51.100.12", + "server.nat.port": 46384, + "server.port": 46384, + "service.type": "juniper", + "source.ip": "192.0.2.1", + "source.nat.ip": "192.0.2.1", + "source.nat.port": 1, + "source.port": 1, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2010-09-30T04:55:07.188-02:00", + "client.bytes": 84, + "client.ip": "192.0.2.1", + "client.nat.port": 1, + "client.packets": 1, + "client.port": 1, + "destination.bytes": 84, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "198.51.100.12", + "destination.nat.ip": "18.51.100.12", + "destination.nat.port": 46384, + "destination.packets": 1, + "destination.port": 46384, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2010-09-30T04:55:07.188-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"response received\" source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2010-09-30T04:55:07.188-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "response received", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "41", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 3933, + "network.bytes": 168, + "network.iana_number": "1", + "network.packets": 2, + "observer.egress.zone": "untrustZone", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "mrpp-srx550-dut01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.0.2.1", + "198.51.100.12", + "192.0.2.1", + "18.51.100.12" + ], + "rule.name": "policy1", + "server.bytes": 84, + "server.ip": "198.51.100.12", + "server.nat.port": 46384, + "server.packets": 1, + "server.port": 46384, + "service.type": "juniper", + "source.bytes": 84, + "source.ip": "192.0.2.1", + "source.nat.ip": "192.0.2.1", + "source.nat.port": 1, + "source.packets": 1, + "source.port": 1, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-12T12:29:06.576-02:00", + "client.bytes": 337, + "client.ip": "10.3.255.203", + "client.nat.port": 19162, + "client.packets": 6, + "client.port": 47776, + "destination.as.number": 14627, + "destination.as.organization.name": "Vitalwerks Internet Solutions, LLC", + "destination.bytes": 535, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.23.224.110", + "destination.nat.ip": "8.23.224.110", + "destination.nat.port": 80, + "destination.packets": 4, + "destination.port": 80, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 1000000000, + "event.end": "2019-04-12T12:29:07.576-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"8.23.224.110\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"8.23.224.110\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"", + "event.outcome": "success", + "event.risk_score": "4", + "event.severity": "14", + "event.start": "2019-04-12T12:29:06.576-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.application": "HTTP", + "juniper.srx.application_category": "Web", + "juniper.srx.application_characteristics": "Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;", + "juniper.srx.connection_tag": "0", + "juniper.srx.encrypted": "No", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "TCP FIN", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "5", + "juniper.srx.src_nat_rule_name": "nat1", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 4637, + "network.bytes": 872, + "network.iana_number": "6", + "network.packets": 10, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ge-0/0/0.0", + "observer.ingress.zone": "trust", + "observer.name": "cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.3.255.203", + "8.23.224.110", + "10.3.136.49", + "8.23.224.110" + ], + "rule.name": "permit_all", + "server.bytes": 535, + "server.ip": "8.23.224.110", + "server.nat.port": 80, + "server.packets": 4, + "server.port": 80, + "service.type": "juniper", + "source.bytes": 337, + "source.ip": "10.3.255.203", + "source.nat.ip": "10.3.136.49", + "source.nat.port": 19162, + "source.packets": 6, + "source.port": 47776, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-13T12:33:06.576-02:00", + "client.bytes": 4274, + "client.ip": "192.168.2.164", + "client.nat.port": 53232, + "client.packets": 13, + "client.port": 53232, + "destination.bytes": 1575, + "destination.ip": "172.16.1.19", + "destination.nat.ip": "172.16.1.19", + "destination.nat.port": 445, + "destination.packets": 9, + "destination.port": 445, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 16000000000, + "event.end": "2019-04-13T12:33:22.576-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2019-04-13T12:33:06.576-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "TCP RST", + "juniper.srx.service_name": "junos-smb", + "juniper.srx.session_id_32": "206", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 5739, + "network.bytes": 5849, + "network.iana_number": "6", + "network.packets": 22, + "observer.egress.zone": "Trust", + "observer.ingress.interface.name": "ge-0/0/2.0", + "observer.ingress.zone": "Trust", + "observer.name": "cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.2.164", + "172.16.1.19", + "192.168.2.164", + "172.16.1.19" + ], + "rule.name": "35", + "server.bytes": 1575, + "server.ip": "172.16.1.19", + "server.nat.port": 445, + "server.packets": 9, + "server.port": 445, + "service.type": "juniper", + "source.bytes": 4274, + "source.ip": "192.168.2.164", + "source.nat.ip": "192.168.2.164", + "source.nat.port": 53232, + "source.packets": 13, + "source.port": 53232, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-06T23:32:20.898-02:00", + "client.bytes": 72, + "client.ip": "100.73.10.92", + "client.nat.port": 11152, + "client.packets": 1, + "client.port": 52890, + "destination.as.number": 10201, + "destination.as.organization.name": "Dishnet Wireless Limited. Broadband Wireless", + "destination.bytes": 136, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "IN", + "destination.geo.country_name": "India", + "destination.geo.location.lat": 20.0, + "destination.geo.location.lon": 77.0, + "destination.ip": "58.68.126.198", + "destination.nat.ip": "58.68.126.198", + "destination.nat.port": 53, + "destination.packets": 1, + "destination.port": 53, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 8000000000, + "event.end": "2018-10-06T23:32:28.898-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"idle Timeout\" source-address=\"100.73.10.92\" source-port=\"52890\" destination-address=\"58.68.126.198\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"58.78.140.131\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2018-10-06T23:32:20.898-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "idle Timeout", + "juniper.srx.service_name": "junos-dns-udp", + "juniper.srx.session_id_32": "220368889", + "juniper.srx.src_nat_rule_name": "NAT_S", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 6497, + "network.bytes": 208, + "network.iana_number": "17", + "network.packets": 2, + "observer.egress.zone": "Internet", + "observer.ingress.interface.name": "reth0.108", + "observer.ingress.zone": "Gi_nat", + "observer.name": "TestFW2", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "100.73.10.92", + "58.68.126.198", + "58.78.140.131", + "58.68.126.198" + ], + "rule.name": "NAT", + "server.bytes": 136, + "server.ip": "58.68.126.198", + "server.nat.port": 53, + "server.packets": 1, + "server.port": 53, + "service.type": "juniper", + "source.as.number": 3786, + "source.as.organization.name": "LG DACOM Corporation", + "source.bytes": 72, + "source.geo.city_name": "Seogwipo", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "KR", + "source.geo.country_name": "South Korea", + "source.geo.location.lat": 33.2486, + "source.geo.location.lon": 126.5628, + "source.geo.region_iso_code": "KR-49", + "source.geo.region_name": "Jeju-do", + "source.ip": "100.73.10.92", + "source.nat.ip": "58.78.140.131", + "source.nat.port": 11152, + "source.packets": 1, + "source.port": 52890, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-30T00:17:22.753-02:00", + "client.bytes": 67, + "client.ip": "192.168.255.2", + "client.nat.port": 20215, + "client.packets": 1, + "client.port": 62047, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 116, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.ip": "8.8.8.8", + "destination.nat.port": 53, + "destination.packets": 1, + "destination.port": 53, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 3000000000, + "event.end": "2018-06-30T00:17:25.753-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2018-06-30T00:17:22.753-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "idle Timeout", + "juniper.srx.service_name": "junos-dns-udp", + "juniper.srx.session_id_32": "9621", + "juniper.srx.src_nat_rule_name": "rule001", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 7350, + "network.bytes": 183, + "network.iana_number": "17", + "network.packets": 2, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "fe-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "fw0001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.255.2", + "8.8.8.8", + "192.168.0.47", + "8.8.8.8" + ], + "rule.name": "trust-to-untrust-001", + "server.bytes": 116, + "server.ip": "8.8.8.8", + "server.nat.port": 53, + "server.packets": 1, + "server.port": 53, + "service.type": "juniper", + "source.bytes": 67, + "source.ip": "192.168.255.2", + "source.nat.ip": "192.168.0.47", + "source.nat.port": 20215, + "source.packets": 1, + "source.port": 62047, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2015-09-25T12:19:53.846-02:00", + "client.bytes": 0, + "client.ip": "10.164.110.223", + "client.nat.port": 58020, + "client.packets": 0, + "client.port": 9057, + "destination.bytes": 0, + "destination.ip": "10.104.12.161", + "destination.nat.ip": "10.12.70.1", + "destination.nat.port": 21, + "destination.packets": 0, + "destination.port": 21, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 1000000000, + "event.end": "2015-09-25T12:19:54.846-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2015-09-25T12:19:53.846-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.dst_nat_rule_name": "NAT-Policy10", + "juniper.srx.encrypted": "No ", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "application failure or action", + "juniper.srx.service_name": "junos-ftp", + "juniper.srx.session_id_32": "24311", + "juniper.srx.src_nat_rule_name": "SNAT-Policy5", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 8203, + "network.bytes": 0, + "network.iana_number": "6", + "network.packets": 0, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "reth0.0", + "observer.ingress.zone": "trust", + "observer.name": "VPNBox-A", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.164.110.223", + "10.104.12.161", + "10.9.1.150", + "10.12.70.1" + ], + "rule.name": "FW-FTP", + "server.bytes": 0, + "server.ip": "10.104.12.161", + "server.nat.port": 21, + "server.packets": 0, + "server.port": 21, + "service.type": "juniper", + "source.bytes": 0, + "source.ip": "10.164.110.223", + "source.nat.ip": "10.9.1.150", + "source.nat.port": 58020, + "source.packets": 0, + "source.port": 9057, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:17.040-02:00", + "client.ip": "192.168.224.30", + "client.nat.port": 14406, + "client.port": 3129, + "destination.as.number": 701, + "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "207.17.137.56", + "destination.nat.ip": "207.17.137.56", + "destination.nat.port": 21, + "destination.port": 21, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "junos-ftp", + "juniper.srx.session_id_32": "5058", + "juniper.srx.src_nat_rule_name": "1", + "juniper.srx.tag": "APPTRACK_SESSION_CREATE", + "log.level": "informational", + "log.offset": 9012, + "network.iana_number": "6", + "observer.egress.zone": "Danger", + "observer.ingress.zone": "LAN", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ], + "rule.name": "General-Outbound", + "server.ip": "207.17.137.56", + "server.nat.port": 21, + "server.port": 21, + "service.type": "juniper", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "Plymouth", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 42.3695, + "source.geo.location.lon": -83.4769, + "source.geo.region_iso_code": "US-MI", + "source.geo.region_name": "Michigan", + "source.ip": "192.168.224.30", + "source.nat.ip": "173.167.224.7", + "source.nat.port": 14406, + "source.port": 3129, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:17.040-02:00", + "client.bytes": 48, + "client.ip": "192.168.224.30", + "client.nat.port": 14406, + "client.packets": 1, + "client.port": 3129, + "destination.as.number": 701, + "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "207.17.137.56", + "destination.nat.ip": "207.17.137.56", + "destination.nat.port": 21, + "destination.packets": 0, + "destination.port": 21, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2013-01-19T15:18:17.040-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:17.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "junos-ftp", + "juniper.srx.session_id_32": "5058", + "juniper.srx.src_nat_rule_name": "1", + "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE", + "log.level": "informational", + "log.offset": 9631, + "network.bytes": 48, + "network.iana_number": "6", + "network.packets": 1, + "observer.egress.zone": "Danger", + "observer.ingress.zone": "LAN", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ], + "rule.name": "General-Outbound", + "server.bytes": 0, + "server.ip": "207.17.137.56", + "server.nat.port": 21, + "server.packets": 0, + "server.port": 21, + "service.type": "juniper", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.bytes": 48, + "source.geo.city_name": "Plymouth", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 42.3695, + "source.geo.location.lon": -83.4769, + "source.geo.region_iso_code": "US-MI", + "source.geo.region_name": "Michigan", + "source.ip": "192.168.224.30", + "source.nat.ip": "173.167.224.7", + "source.nat.port": 14406, + "source.packets": 1, + "source.port": 3129, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:17.040-02:00", + "client.bytes": 144, + "client.ip": "192.168.224.30", + "client.nat.port": 14406, + "client.packets": 3, + "client.port": 3129, + "destination.as.number": 701, + "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", + "destination.bytes": 104, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "207.17.137.56", + "destination.nat.ip": "207.17.137.56", + "destination.nat.port": 21, + "destination.packets": 2, + "destination.port": 21, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 1000000000, + "event.end": "2013-01-19T15:18:18.040-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:17.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.application": "FTP", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "application failure or action", + "juniper.srx.service_name": "junos-ftp", + "juniper.srx.session_id_32": "5058", + "juniper.srx.src_nat_rule_name": "1", + "juniper.srx.tag": "APPTRACK_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 10364, + "network.bytes": 248, + "network.iana_number": "6", + "network.packets": 5, + "observer.egress.zone": "Danger", + "observer.ingress.zone": "LAN", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ], + "rule.name": "General-Outbound", + "server.bytes": 104, + "server.ip": "207.17.137.56", + "server.nat.port": 21, + "server.packets": 2, + "server.port": 21, + "service.type": "juniper", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.bytes": 144, + "source.geo.city_name": "Plymouth", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 42.3695, + "source.geo.location.lon": -83.4769, + "source.geo.region_iso_code": "US-MI", + "source.geo.region_name": "Michigan", + "source.ip": "192.168.224.30", + "source.nat.ip": "173.167.224.7", + "source.nat.port": 14406, + "source.packets": 3, + "source.port": 3129, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:18.040-02:00", + "client.bytes": 19592, + "client.ip": "4.0.0.1", + "client.nat.port": 33040, + "client.packets": 371, + "client.port": 33040, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.bytes": 686432, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.packets": 584, + "destination.port": 80, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 60000000000, + "event.end": "2013-01-19T15:19:18.040-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:18.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.apbr_rule_type": "\u201ddefault\u201d", + "juniper.srx.application": "HTTP", + "juniper.srx.encrypted": "No", + "juniper.srx.nested_application": "FACEBOOK-SOCIALRSS", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.roles": "DEPT1", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "28", + "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE", + "log.level": "informational", + "log.offset": 11130, + "network.bytes": 706024, + "network.iana_number": "6", + "network.packets": 955, + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.bytes": 686432, + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.packets": 584, + "server.port": 80, + "service.type": "juniper", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.bytes": 19592, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 33040, + "source.packets": 371, + "source.port": 33040, + "source.user.name": "user1", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:19.040-02:00", + "client.ip": "4.0.0.1", + "client.nat.port": 33040, + "client.port": 33040, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.port": 80, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=\u201dpf1\u201d rule-name=\u201dfacebook1\u201d routing-instance=\u201dinstance1\u201d destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.apbr_rule_type": "\u201ddefault\u201d", + "juniper.srx.application": "HTTP", + "juniper.srx.encrypted": "No", + "juniper.srx.nested_application": "FACEBOOK-SOCIALRSS", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.profile_name": "\u201dpf1\u201d", + "juniper.srx.roles": "DEPT1", + "juniper.srx.routing_instance": "\u201dinstance1\u201d", + "juniper.srx.rule_name": "\u201dfacebook1\u201d", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "28", + "juniper.srx.tag": "APPTRACK_SESSION_ROUTE_UPDATE", + "log.level": "informational", + "log.offset": 11929, + "network.iana_number": "6", + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.port": 80, + "service.type": "juniper", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 33040, + "source.port": 33040, + "source.user.name": "user1", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:20.040-02:00", + "client.bytes": 392, + "client.ip": "4.0.0.1", + "client.nat.port": 48873, + "client.packets": 5, + "client.port": 48873, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.bytes": 646, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.packets": 3, + "destination.port": 80, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 3000000000, + "event.end": "2013-01-19T15:18:23.040-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:20.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.apbr_rule_type": "\u201ddefault\u201d", + "juniper.srx.encrypted": "No", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "TCP CLIENT RST", + "juniper.srx.roles": "DEPT1", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "32", + "juniper.srx.tag": "APPTRACK_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 12689, + "network.bytes": 1038, + "network.iana_number": "6", + "network.packets": 8, + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.bytes": 646, + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.packets": 3, + "server.port": 80, + "service.type": "juniper", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.bytes": 392, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 48873, + "source.packets": 5, + "source.port": 48873, + "source.user.name": "user1", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-04T14:23:09.264-02:00", + "client.ip": "50.0.0.100", + "client.nat.port": 24065, + "client.port": 24065, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "30.0.0.100", + "destination.nat.ip": "30.0.0.100", + "destination.nat.port": 768, + "destination.port": 768, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "100000165", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE_LS", + "log.level": "informational", + "log.offset": 13489, + "network.iana_number": "1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "reth2.0", + "observer.ingress.zone": "untrust", + "observer.name": "cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "50.0.0.100", + "30.0.0.100", + "50.0.0.100", + "30.0.0.100" + ], + "rule.name": "alg-policy", + "server.ip": "30.0.0.100", + "server.nat.port": 768, + "server.port": 768, + "service.type": "juniper", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "50.0.0.100", + "source.nat.ip": "50.0.0.100", + "source.nat.port": 24065, + "source.port": 24065, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-14T08:12:46.573-02:00", + "client.ip": "10.0.0.26", + "client.port": 37233, + "destination.ip": "10.128.0.1", + "destination.port": 161, + "event.action": "flow_deny", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.connection_tag": "0", + "juniper.srx.encrypted": "No", + "juniper.srx.icmp_type": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "Denied by policy", + "juniper.srx.session_id_32": "7087", + "juniper.srx.tag": "RT_FLOW_SESSION_DENY_LS", + "log.level": "informational", + "log.offset": 14137, + "network.iana_number": "17", + "observer.egress.zone": "junos-host", + "observer.ingress.interface.name": ".local..0", + "observer.ingress.zone": "trust", + "observer.name": "SRX-GW1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.0.0.26", + "10.128.0.1" + ], + "rule.name": "MgmtAccess-trust-cleanup", + "server.ip": "10.128.0.1", + "server.port": 161, + "service.type": "juniper", + "source.ip": "10.0.0.26", + "source.port": 37233, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-19T15:18:20.040-02:00", + "client.bytes": 392, + "client.ip": "4.0.0.1", + "client.nat.port": 48873, + "client.packets": 5, + "client.port": 48873, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.bytes": 646, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.packets": 3, + "destination.port": 80, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 3000000000, + "event.end": "2020-01-19T15:18:23.040-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2020-01-19T15:18:20.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.apbr_rule_type": "\u201ddefault\u201d", + "juniper.srx.encrypted": "No", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "TCP CLIENT RST", + "juniper.srx.roles": "DEPT1", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "32", + "juniper.srx.tag": "APPTRACK_SESSION_CLOSE_LS", + "log.level": "informational", + "log.offset": 14803, + "network.bytes": 1038, + "network.iana_number": "6", + "network.packets": 8, + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.bytes": 646, + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.packets": 3, + "server.port": 80, + "service.type": "juniper", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.bytes": 392, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 48873, + "source.packets": 5, + "source.port": 48873, + "source.user.name": "user1", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-14T12:17:11.928-02:00", + "client.bytes": 2322, + "client.ip": "10.1.1.100", + "client.nat.port": 6018, + "client.packets": 42, + "client.port": 58943, + "destination.as.number": 42652, + "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", + "destination.bytes": 2132, + "destination.geo.city_name": "Philippsburg", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", + "destination.geo.location.lat": 49.2317, + "destination.geo.location.lon": 8.4607, + "destination.geo.region_iso_code": "DE-BW", + "destination.geo.region_name": "Baden-W\u00fcrttemberg", + "destination.ip": "46.165.154.241", + "destination.nat.ip": "46.165.154.241", + "destination.nat.port": 80, + "destination.packets": 34, + "destination.port": 80, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 60000000000, + "event.end": "2020-07-14T12:18:11.928-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"46.165.154.241\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"46.165.154.241\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2020-07-14T12:17:11.928-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.encrypted": "No", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "16118", + "juniper.srx.src_nat_rule_name": "our-nat-rule", + "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE", + "log.level": "informational", + "log.offset": 15606, + "network.bytes": 4454, + "network.iana_number": "6", + "network.packets": 76, + "observer.egress.interface.name": "ge-0/0/0.0", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "46.165.154.241", + "172.19.34.100", + "46.165.154.241" + ], + "rule.name": "default-permit", + "server.bytes": 2132, + "server.ip": "46.165.154.241", + "server.nat.port": 80, + "server.packets": 34, + "server.port": 80, + "service.type": "juniper", + "source.bytes": 2322, + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 6018, + "source.packets": 42, + "source.port": 58943, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-13T14:43:05.041-02:00", + "client.bytes": 9530, + "client.ip": "10.1.1.100", + "client.nat.port": 24519, + "client.packets": 161, + "client.port": 64720, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. s r.o.", + "destination.bytes": 9670, + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.167.172", + "destination.nat.ip": "91.228.167.172", + "destination.nat.port": 8883, + "destination.packets": 96, + "destination.port": 8883, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 23755000000000, + "event.end": "2020-07-13T21:19:00.041-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"91.228.167.172\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"91.228.167.172\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.start": "2020-07-13T14:43:05.041-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.connection_tag": "0", + "juniper.srx.hostname": "NA NA", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.peer_destination_address": "0.0.0.0", + "juniper.srx.peer_destination_port": "0", + "juniper.srx.peer_session_id": "0", + "juniper.srx.peer_source_address": "0.0.0.0", + "juniper.srx.peer_source_port": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "idle Timeout", + "juniper.srx.secure_web_proxy_session_type": "NA", + "juniper.srx.session_id_32": "3851", + "juniper.srx.src_nat_rule_name": "our-nat-rule", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 16469, + "network.bytes": 19200, + "network.iana_number": "6", + "network.packets": 257, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "91.228.167.172", + "172.19.34.100", + "91.228.167.172" + ], + "rule.name": "default-permit", + "server.bytes": 9670, + "server.ip": "91.228.167.172", + "server.nat.port": 8883, + "server.packets": 96, + "server.port": 8883, + "service.type": "juniper", + "source.bytes": 9530, + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 24519, + "source.packets": 161, + "source.port": 64720, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-13T14:12:05.530-02:00", + "client.ip": "10.1.1.100", + "client.nat.port": 30838, + "client.port": 49583, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.ip": "8.8.8.8", + "destination.nat.port": 53, + "destination.port": 53, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.connection_tag": "0", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "junos-dns-udp", + "juniper.srx.session_id_32": "15399", + "juniper.srx.src_nat_rule_name": "our-nat-rule", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 17715, + "network.iana_number": "17", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "8.8.8.8", + "172.19.34.100", + "8.8.8.8" + ], + "rule.name": "default-permit", + "server.ip": "8.8.8.8", + "server.nat.port": 53, + "server.port": 53, + "service.type": "juniper", + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 30838, + "source.port": 49583, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-13T14:12:05.530-02:00", + "client.bytes": 66, + "client.ip": "10.1.1.100", + "client.nat.port": 26764, + "client.packets": 1, + "client.port": 63381, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 82, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.ip": "8.8.8.8", + "destination.nat.port": 53, + "destination.packets": 1, + "destination.port": 53, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.duration": 3000000000, + "event.end": "2020-07-13T14:12:08.530-02:00", + "event.kind": "event", + "event.module": "juniper", + "event.original": "reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2020-07-13T14:12:05.530-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.encrypted": "No", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "Closed by junos-alg", + "juniper.srx.routing_instance": "default", + "juniper.srx.service_name": "junos-dns-udp", + "juniper.srx.session_id_32": "15361", + "juniper.srx.src_nat_rule_name": "our-nat-rule", + "juniper.srx.tag": "APPTRACK_SESSION_CLOSE", + "juniper.srx.uplink_rx_bytes": "0", + "juniper.srx.uplink_tx_bytes": "0", + "log.level": "informational", + "log.offset": 18627, + "network.bytes": 148, + "network.iana_number": "17", + "network.packets": 2, + "observer.egress.interface.name": "ge-0/0/0.0", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "8.8.8.8", + "172.19.34.100", + "8.8.8.8" + ], + "rule.name": "default-permit", + "server.bytes": 82, + "server.ip": "8.8.8.8", + "server.nat.port": 53, + "server.packets": 1, + "server.port": 53, + "service.type": "juniper", + "source.bytes": 66, + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 26764, + "source.packets": 1, + "source.port": 63381, + "tags": [ + "juniper.srx", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log b/x-pack/filebeat/module/juniper/srx/test/idp.log new file mode 100644 index 000000000000..c05d9732fb5d --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/idp.log @@ -0,0 +1,7 @@ +<165>1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="HTTP:MISC:GENERIC-DIR-TRAVERSAL" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] +<165>1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="CRITICAL" attack-name="TCP:C2S:AMBIG:C2S-SYN-DATA" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"] +<165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.111.1" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.19.13.11" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] +<165>1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.30.11" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.16.1.10" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] +<165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319367986" ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"] +<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] +<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="193.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json new file mode 100644 index 000000000000..7704c88fac07 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json @@ -0,0 +1,537 @@ +[ + { + "@timestamp": "2020-03-02T21:13:03.193-02:00", + "client.bytes": 0, + "client.ip": "10.11.11.1", + "client.nat.port": 13312, + "client.packets": 0, + "client.port": 12345, + "destination.bytes": 0, + "destination.ip": "187.188.188.10", + "destination.nat.ip": "3.3.10.11", + "destination.nat.port": 9757, + "destination.packets": 0, + "destination.port": 123, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2020-03-02T21:13:03.193-02:00", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2020-03-02T21:13:03.193-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "HTTP:MISC:GENERIC-DIR-TRAVERSAL", + "juniper.srx.epoch_time": "1583190783", + "juniper.srx.export_id": "20175", + "juniper.srx.index": "cnm", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "HIGH", + "juniper.srx.type": "idp", + "log.level": "notification", + "log.offset": 0, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth2.21", + "observer.egress.zone": "DMZ", + "observer.ingress.interface.name": "reth1.24", + "observer.ingress.zone": "UNTRUST", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.11.11.1", + "187.188.188.10", + "0.0.0.0", + "3.3.10.11" + ], + "rule.id": "3", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "187.188.188.10", + "server.nat.port": 9757, + "server.packets": 0, + "server.port": 123, + "service.type": "juniper", + "source.bytes": 0, + "source.ip": "10.11.11.1", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 13312, + "source.packets": 0, + "source.port": 12345, + "source.user.name": "unknown-user", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-02T21:13:03.197-02:00", + "client.bytes": 0, + "client.ip": "10.11.11.1", + "client.nat.port": 13312, + "client.packets": 0, + "client.port": 12345, + "destination.bytes": 0, + "destination.ip": "187.188.188.10", + "destination.nat.ip": "3.3.10.11", + "destination.nat.port": 9757, + "destination.packets": 0, + "destination.port": 123, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2020-03-02T21:13:03.197-02:00", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2020-03-02T21:13:03.197-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "TCP:C2S:AMBIG:C2S-SYN-DATA", + "juniper.srx.epoch_time": "1583190783", + "juniper.srx.export_id": "20175", + "juniper.srx.index": "cnm", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "CRITICAL", + "juniper.srx.type": "idp", + "log.level": "notification", + "log.offset": 929, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth2.21", + "observer.egress.zone": "DMZ", + "observer.ingress.interface.name": "reth1.24", + "observer.ingress.zone": "UNTRUST", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.11.11.1", + "187.188.188.10", + "0.0.0.0", + "3.3.10.11" + ], + "rule.id": "3", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "187.188.188.10", + "server.nat.port": 9757, + "server.packets": 0, + "server.port": 123, + "service.type": "juniper", + "source.bytes": 0, + "source.ip": "10.11.11.1", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 13312, + "source.packets": 0, + "source.port": 12345, + "source.user.name": "unknown-user", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2007-02-15T07:17:15.719-02:00", + "client.bytes": 0, + "client.ip": "183.78.180.27", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 45610, + "destination.bytes": 0, + "destination.ip": "118.127.111.1", + "destination.nat.ip": "172.19.13.11", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 80, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2007-02-15T07:17:15.719-02:00", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.111.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2007-02-15T07:17:15.719-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "TROJAN:ZMEU-BOT-SCAN", + "juniper.srx.epoch_time": "1507845354", + "juniper.srx.export_id": "15229", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "HIGH", + "log.level": "notification", + "log.offset": 1857, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth1.1", + "observer.egress.zone": "dst-sec-zone1-outside", + "observer.ingress.interface.name": "reth0.11", + "observer.ingress.zone": "sec-zone-name-internet", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "183.78.180.27", + "118.127.111.1", + "0.0.0.0", + "172.19.13.11" + ], + "rule.id": "9", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "118.127.111.1", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 80, + "service.type": "juniper", + "source.bytes": 0, + "source.ip": "183.78.180.27", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 45610, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-12T19:55:55.792-02:00", + "client.bytes": 0, + "client.ip": "183.78.180.27", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 45610, + "destination.bytes": 0, + "destination.ip": "118.127.30.11", + "destination.nat.ip": "172.16.1.10", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 80, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.duration": 0, + "event.end": "2017-10-12T19:55:55.792-02:00", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.30.11\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2017-10-12T19:55:55.792-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "TROJAN:ZMEU-BOT-SCAN", + "juniper.srx.epoch_time": "1507845354", + "juniper.srx.export_id": "15229", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "HIGH", + "log.level": "notification", + "log.offset": 2773, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth1.1", + "observer.egress.zone": "dst-sec-zone1-outside", + "observer.ingress.interface.name": "reth0.11", + "observer.ingress.zone": "sec-zone-name-internet", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "183.78.180.27", + "118.127.30.11", + "0.0.0.0", + "172.16.1.10" + ], + "rule.id": "9", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "118.127.30.11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 80, + "service.type": "juniper", + "source.bytes": 0, + "source.ip": "183.78.180.27", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 45610, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2011-10-23T02:06:26.544-02:00", + "destination.ip": "172.27.14.203", + "destination.port": 80, + "event.action": "application_ddos", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"", + "event.outcome": "success", + "event.severity": "165", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.ddos_application_name": "Webserver", + "juniper.srx.epoch_time": "1319367986", + "juniper.srx.policy_name": "A DoS-Webserver", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "HTTP", + "juniper.srx.tag": "IDP_APPDDOS_APP_STATE_EVENT", + "log.level": "notification", + "log.offset": 3693, + "message": "Connection rate exceeded limit 60", + "network.protocol": "TCP", + "observer.egress.interface.name": "reth0.0", + "observer.egress.zone": "untrust", + "observer.name": "SRX34001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "172.27.14.203" + ], + "rule.id": "1", + "rule.name": "DDOS", + "server.ip": "172.27.14.203", + "server.port": 80, + "service.type": "juniper", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2011-10-23T16:28:31.696-02:00", + "client.ip": "192.168.14.214", + "client.port": 50825, + "destination.ip": "172.27.14.203", + "destination.port": 80, + "event.action": "application_ddos", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "event.outcome": "success", + "event.severity": "165", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "NONE", + "juniper.srx.connection_hit_rate": "30", + "juniper.srx.context_hit_rate": "123", + "juniper.srx.context_name": "http-get-url", + "juniper.srx.context_value_hit_rate": "0", + "juniper.srx.ddos_application_name": "Webserver", + "juniper.srx.epoch_time": "1319419711", + "juniper.srx.policy_name": "AppDoS-Webserver", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.ruleebase_name": "DDOS", + "juniper.srx.service_name": "HTTP", + "juniper.srx.tag": "IDP_APPDDOS_APP_ATTACK_EVENT", + "juniper.srx.threat_severity": "INFO", + "juniper.srx.time_count": "3", + "juniper.srx.time_period": "60", + "juniper.srx.time_scope": "PEER", + "log.level": "notification", + "log.offset": 4165, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth0.0", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "reth1.O", + "observer.ingress.zone": "trust", + "observer.name": "SRX34001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.14.214", + "172.27.14.203" + ], + "rule.id": "1", + "server.ip": "172.27.14.203", + "server.port": 80, + "service.type": "juniper", + "source.ip": "192.168.14.214", + "source.port": 50825, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2012-10-23T17:28:31.696-02:00", + "client.ip": "193.168.14.214", + "client.port": 50825, + "destination.ip": "172.30.20.201", + "destination.port": 80, + "event.action": "application_ddos", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "event.outcome": "success", + "event.severity": "165", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "NONE", + "juniper.srx.connection_hit_rate": "30", + "juniper.srx.context_hit_rate": "123", + "juniper.srx.context_name": "http-get-url", + "juniper.srx.context_value_hit_rate": "0", + "juniper.srx.ddos_application_name": "Webserver", + "juniper.srx.epoch_time": "1419419711", + "juniper.srx.policy_name": "AppDoS-Webserver", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.ruleebase_name": "DDOS02", + "juniper.srx.service_name": "HTTP", + "juniper.srx.tag": "IDP_APPDDOS_APP_ATTACK_EVENT_LS", + "juniper.srx.threat_severity": "INFO", + "juniper.srx.time_count": "3", + "juniper.srx.time_period": "60", + "juniper.srx.time_scope": "PEER", + "log.level": "notification", + "log.offset": 4895, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth0.1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "reth3.0", + "observer.ingress.zone": "trust", + "observer.name": "SRX34001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "193.168.14.214", + "172.30.20.201" + ], + "rule.id": "1", + "server.ip": "172.30.20.201", + "server.port": 80, + "service.type": "juniper", + "source.ip": "193.168.14.214", + "source.port": 50825, + "tags": [ + "juniper.srx", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log b/x-pack/filebeat/module/juniper/srx/test/ids.log new file mode 100644 index 000000000000..5b87817da868 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/ids.log @@ -0,0 +1,12 @@ +<11>1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name="TCP sweep!" source-address="113.113.17.17" source-port="6000" destination-address="40.177.177.1" destination-port="1433" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"] +<11>1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.36 attack-name="WinNuke attack!" source-address="2000:0000:0000:0000:0000:0000:0000:0002" source-port="3240" destination-address="2001:0000:0000:0000:0000:0000:0000:0002" destination-port="139" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"] +<11>1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="1.1.1.2" source-port="40001" destination-address="2.2.2.2" destination-port="50010" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.40 attack-name="UDP flood!" source-address="111.1.1.3" source-port="40001" destination-address="3.4.2.2" destination-port="53" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.40 attack-name="ICMP fragment!" source-address="111.1.1.3" destination-address="3.4.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Record Route IP option!" source-address="111.1.1.3" destination-address="3.4.2.2" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 6in6!" source-address="1212::12" destination-address="1111::11" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 4in4!" source-address="12.12.12.1" destination-address="11.11.11.1" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" destination-address="2.2.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"] +<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="111.1.1.3" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"] +<11>1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="TCP port scan!" source-address="10.1.1.100" source-port="50630" destination-address="10.1.1.1" destination-port="10778" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"] +<11>1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="FIN but no ACK bit!" source-address="10.1.1.100" source-port="42799" destination-address="10.1.1.1" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"] diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json new file mode 100644 index 000000000000..10abae2fa6d8 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json @@ -0,0 +1,699 @@ +[ + { + "@timestamp": "2018-07-19T21:17:02.309-02:00", + "client.ip": "113.113.17.17", + "client.port": 6000, + "destination.as.number": 4249, + "destination.as.organization.name": "Eli Lilly and Company", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "40.177.177.1", + "destination.port": 1433, + "event.action": "sweep_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "TCP sweep!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 0, + "observer.ingress.interface.name": "fe-0/0/2.0", + "observer.ingress.zone": "untrust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "113.113.17.17", + "40.177.177.1" + ], + "server.ip": "40.177.177.1", + "server.port": 1433, + "service.type": "juniper", + "source.as.number": 4134, + "source.as.organization.name": "No.31,Jin-rong Street", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 23.1167, + "source.geo.location.lon": 113.25, + "source.geo.region_iso_code": "CN-GD", + "source.geo.region_name": "Guangdong", + "source.ip": "113.113.17.17", + "source.port": 6000, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:18:02.309-02:00", + "client.ip": "2000:0000:0000:0000:0000:0000:0000:0002", + "client.port": 3240, + "destination.ip": "2001:0000:0000:0000:0000:0000:0000:0002", + "destination.port": 139, + "event.action": "attack_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "WinNuke attack!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 294, + "observer.ingress.interface.name": "fe-0/0/2.0", + "observer.ingress.zone": "untrust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "2000:0000:0000:0000:0000:0000:0000:0002", + "2001:0000:0000:0000:0000:0000:0000:0002" + ], + "server.ip": "2001:0000:0000:0000:0000:0000:0000:0002", + "server.port": 139, + "service.type": "juniper", + "source.ip": "2000:0000:0000:0000:0000:0000:0000:0002", + "source.port": 3240, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:19:02.309-02:00", + "client.ip": "1.1.1.2", + "client.port": 40001, + "destination.as.number": 3215, + "destination.as.organization.name": "Orange", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", + "destination.geo.location.lat": 48.8582, + "destination.geo.location.lon": 2.3387, + "destination.ip": "2.2.2.2", + "destination.port": 50010, + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "SYN flood!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 644, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "1.1.1.2", + "2.2.2.2" + ], + "server.ip": "2.2.2.2", + "server.port": 50010, + "service.type": "juniper", + "source.as.number": 13335, + "source.as.organization.name": "Cloudflare, Inc.", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": "1.1.1.2", + "source.port": 40001, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:22:02.309-02:00", + "client.ip": "111.1.1.3", + "client.port": 40001, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "3.4.2.2", + "destination.port": 53, + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "UDP flood!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_UDP", + "log.level": "error", + "log.offset": 930, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3", + "3.4.2.2" + ], + "server.ip": "3.4.2.2", + "server.port": 53, + "service.type": "juniper", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "source.port": 40001, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:25:02.309-02:00", + "client.ip": "111.1.1.3", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "3.4.2.2", + "event.action": "fragment_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "ICMP fragment!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_ICMP", + "log.level": "error", + "log.offset": 1215, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3", + "3.4.2.2" + ], + "server.ip": "3.4.2.2", + "service.type": "juniper", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:26:02.309-02:00", + "client.ip": "111.1.1.3", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "3.4.2.2", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "Record Route IP option!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_IP", + "log.level": "error", + "log.offset": 1463, + "network.iana_number": "1", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3", + "3.4.2.2" + ], + "server.ip": "3.4.2.2", + "service.type": "juniper", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:27:02.309-02:00", + "client.ip": "1212::12", + "destination.ip": "1111::11", + "event.action": "tunneling_screen", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "Tunnel GRE 6in6!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_IP", + "log.level": "error", + "log.offset": 1734, + "network.iana_number": "1", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "1212::12", + "1111::11" + ], + "server.ip": "1111::11", + "service.type": "juniper", + "source.ip": "1212::12", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:28:02.309-02:00", + "client.ip": "12.12.12.1", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "11.11.11.1", + "event.action": "tunneling_screen", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "Tunnel GRE 4in4!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_IP", + "log.level": "error", + "log.offset": 1998, + "network.iana_number": "1", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "12.12.12.1", + "11.11.11.1" + ], + "server.ip": "11.11.11.1", + "service.type": "juniper", + "source.as.number": 32328, + "source.as.organization.name": "Alascom, Inc.", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "12.12.12.1", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T22:19:02.309-02:00", + "destination.as.number": 3215, + "destination.as.organization.name": "Orange", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", + "destination.geo.location.lat": 48.8582, + "destination.geo.location.lon": 2.3387, + "destination.ip": "2.2.2.2", + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "alarm-without-drop", + "juniper.srx.attack_name": "SYN flood!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP_DST_IP", + "log.level": "error", + "log.offset": 2266, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "2.2.2.2" + ], + "server.ip": "2.2.2.2", + "service.type": "juniper", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-19T22:19:02.309-02:00", + "client.ip": "111.1.1.3", + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "alarm-without-drop", + "juniper.srx.attack_name": "SYN flood!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP_SRC_IP", + "log.level": "error", + "log.offset": 2503, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3" + ], + "service.type": "juniper", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-17T05:54:43.912-02:00", + "client.ip": "10.1.1.100", + "client.port": 50630, + "destination.ip": "10.1.1.1", + "destination.port": 10778, + "event.action": "scan_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "TCP port scan!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 2737, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "10.1.1.1" + ], + "server.ip": "10.1.1.1", + "server.port": 10778, + "service.type": "juniper", + "source.ip": "10.1.1.100", + "source.port": 50630, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-17T06:01:43.006-02:00", + "client.ip": "10.1.1.100", + "client.port": 42799, + "destination.ip": "10.1.1.1", + "destination.port": 7, + "event.action": "illegal_tcp_flag_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "FIN but no ACK bit!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 3028, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "10.1.1.1" + ], + "server.ip": "10.1.1.1", + "server.port": 7, + "service.type": "juniper", + "source.ip": "10.1.1.100", + "source.port": 42799, + "tags": [ + "juniper.srx", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log b/x-pack/filebeat/module/juniper/srx/test/secintel.log new file mode 100644 index 000000000000..12f8f137c7f3 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log @@ -0,0 +1,2 @@ +<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="Blacklist" action="BLOCK" action-detail="DROP" http-host="N/A" threat-severity="0" source-address="5.196.121.161" source-port="1" destination-address="10.10.0.10" destination-port="24039" protocol-id="1" application="N/A" nested-application="N/A" feed-name="Tor_Exit_Nodes" policy-name="cc_policy" profile-name="Blacklist" username="N/A" roles="N/A" session-id-32="572564" source-zone-name="Outside" destination-zone-name="DMZ"] +<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="1.1.1.1" source-port="36612" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"] diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json new file mode 100644 index 000000000000..49667e85897a --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json @@ -0,0 +1,140 @@ +[ + { + "@timestamp": "2016-10-17T13:18:11.618-02:00", + "client.ip": "5.196.121.161", + "client.port": 1, + "destination.ip": "10.10.0.10", + "destination.port": 24039, + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "BLOCK", + "juniper.srx.action_detail": "DROP", + "juniper.srx.category": "secintel", + "juniper.srx.feed_name": "Tor_Exit_Nodes", + "juniper.srx.policy_name": "cc_policy", + "juniper.srx.process": "RT_SECINTEL", + "juniper.srx.profile_name": "Blacklist", + "juniper.srx.session_id_32": "572564", + "juniper.srx.sub_category": "Blacklist", + "juniper.srx.tag": "SECINTEL_ACTION_LOG", + "juniper.srx.threat_severity": "0", + "log.level": "informational", + "log.offset": 0, + "network.iana_number": "1", + "observer.egress.zone": "DMZ", + "observer.ingress.zone": "Outside", + "observer.name": "SRX-1500", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "5.196.121.161", + "10.10.0.10" + ], + "server.ip": "10.10.0.10", + "server.port": 24039, + "service.type": "juniper", + "source.as.number": 16276, + "source.as.organization.name": "OVH SAS", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": "5.196.121.161", + "source.port": 1, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-17T13:18:11.618-02:00", + "client.ip": "1.1.1.1", + "client.port": 36612, + "destination.ip": "10.0.0.1", + "destination.port": 80, + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "BLOCK", + "juniper.srx.action_detail": "CLOSE REDIRECT MSG", + "juniper.srx.application": "HTTP", + "juniper.srx.category": "secintel", + "juniper.srx.feed_name": "cc_url_data", + "juniper.srx.occur_count": "0", + "juniper.srx.policy_name": "test", + "juniper.srx.process": "RT_SECINTEL", + "juniper.srx.profile_name": "test-profile", + "juniper.srx.session_id_32": "502362", + "juniper.srx.sub_category": "CC", + "juniper.srx.tag": "SECINTEL_ACTION_LOG", + "juniper.srx.threat_severity": "10", + "log.level": "informational", + "log.offset": 561, + "network.iana_number": "6", + "observer.egress.zone": "Outside", + "observer.ingress.zone": "Inside", + "observer.name": "SRX-1500", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "dummy_host" + ], + "related.ip": [ + "1.1.1.1", + "10.0.0.1" + ], + "server.ip": "10.0.0.1", + "server.port": 80, + "service.type": "juniper", + "source.as.number": 13335, + "source.as.organization.name": "Cloudflare, Inc.", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": "1.1.1.1", + "source.port": 36612, + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "dummy_host" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log b/x-pack/filebeat/module/juniper/srx/test/utm.log new file mode 100644 index 000000000000..61c320ae8859 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/utm.log @@ -0,0 +1,12 @@ +<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"] +<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address="10.10.10.50" source-port="1402" destination-address="216.200.241.66" destination-port="80" category="N/A" reason="BY_OTHER" profile="wf-profile" url="www.checkpoint.com" obj="/css/homepage2012.css" username="user02" roles="N/A"] +<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address="188.40.238.250" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"] +<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address="74.125.155.147" source-port="80" destination-address="10.1.1.103" destination-port="33578" filename="www.google.com/" error-code="14" error-message="scan engine is not ready"] +<12>1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address="10.2.1.101" source-port="80" destination-address="10.1.1.103" destination-port="51727" filename="10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz"] +<14>1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone="trust" destination-zone="untrust" source-name="N/A" source-address="10.10.10.1" profile-name="antispam01" action="drop" reason="Match local blacklist" username="user01" roles="N/A"] +<14>1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone="untrust" destination-zone="trust" protocol="http" source-address="192.0.2.3" source-port="58071" destination-address="198.51.100.2" destination-port="80" profile-name="content02" action="drop" reason="blocked due to file extension block list" username="user01@testuser.com" roles="N/A" filename="test.cmd"] +<12>1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"] +<12>1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address="188.40.238.250" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"] +<14>1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="58974" destination-address="104.26.15.142" destination-port="443" session-id="16297" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Information_Technology" reason="BY_SITE_REPUTATION_MODERATELY_SAFE" profile="WCF1" url="datawrapper.dwcdn.net" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="0"] +<12>1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="59075" destination-address="85.114.159.93" destination-port="443" session-id="16490" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Advertisements" reason="BY_SITE_REPUTATION_SUSPICIOUS" profile="WCF1" url="dsp.adfarm1.adition.com" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="3"] +<12>1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="23.209.86.45" source-port="80" destination-address="10.1.1.100" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"] diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json new file mode 100644 index 000000000000..f9890a6ca0f2 --- /dev/null +++ b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json @@ -0,0 +1,698 @@ +[ + { + "@timestamp": "2016-02-17T23:32:50.391-02:00", + "client.ip": "192.168.1.100", + "client.port": 58071, + "destination.as.number": 55967, + "destination.as.organization.name": "Beijing Baidu Netcom Science and Technology Co., Ltd.", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "HK", + "destination.geo.country_name": "Hong Kong", + "destination.geo.location.lat": 22.25, + "destination.geo.location.lon": 114.1667, + "destination.ip": "103.235.46.39", + "destination.port": 80, + "event.action": "web_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.category": "cat1", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "uf1", + "juniper.srx.reason": "BY_BLACK_LIST", + "juniper.srx.tag": "WEBFILTER_URL_BLOCKED", + "log.level": "warning", + "log.offset": 0, + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "www.baidu.com" + ], + "related.ip": [ + "192.168.1.100", + "103.235.46.39" + ], + "server.ip": "103.235.46.39", + "server.port": 80, + "service.type": "juniper", + "source.ip": "192.168.1.100", + "source.port": 58071, + "source.user.name": "user01", + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "www.baidu.com", + "url.path": "/" + }, + { + "@timestamp": "2016-02-17T23:32:50.391-02:00", + "client.ip": "10.10.10.50", + "client.port": 1402, + "destination.as.number": 6461, + "destination.as.organization.name": "Zayo Bandwidth", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "216.200.241.66", + "destination.port": 80, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "wf-profile", + "juniper.srx.reason": "BY_OTHER", + "juniper.srx.tag": "WEBFILTER_URL_PERMITTED", + "log.level": "warning", + "log.offset": 319, + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "www.checkpoint.com" + ], + "related.ip": [ + "10.10.10.50", + "216.200.241.66" + ], + "server.ip": "216.200.241.66", + "server.port": 80, + "service.type": "juniper", + "source.ip": "10.10.10.50", + "source.port": 1402, + "source.user.name": "user02", + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "www.checkpoint.com", + "url.path": "/css/homepage2012.css" + }, + { + "@timestamp": "2010-02-08T06:29:28.565-02:00", + "client.ip": "188.40.238.250", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 47095, + "event.action": "virus_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "file.name": "www.eicar.org/download/eicar.com", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.name": "EICAR-Test-File", + "juniper.srx.process": "RT_UTM", + "juniper.srx.tag": "AV_VIRUS_DETECTED_MT", + "juniper.srx.temporary_filename": "www.eicar.org/download/eicar.com", + "log.level": "warning", + "log.offset": 664, + "observer.ingress.zone": "untrust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "EICAR-Test-File" + ], + "related.ip": [ + "188.40.238.250", + "10.1.1.103" + ], + "server.ip": "10.1.1.103", + "server.port": 47095, + "service.type": "juniper", + "source.as.number": 24940, + "source.as.organization.name": "Hetzner Online GmbH", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "188.40.238.250", + "source.port": 80, + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "EICAR-Test-File" + }, + { + "@timestamp": "2010-02-08T06:29:28.565-02:00", + "client.ip": "74.125.155.147", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 33578, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.name": "www.google.com/", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.error_code": "14", + "juniper.srx.error_message": "scan engine is not ready", + "juniper.srx.process": "RT_UTM", + "juniper.srx.tag": "AV_SCANNER_DROP_FILE_MT", + "log.level": "warning", + "log.offset": 1035, + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "74.125.155.147", + "10.1.1.103" + ], + "server.ip": "10.1.1.103", + "server.port": 33578, + "service.type": "juniper", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.155.147", + "source.port": 80, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2010-01-29T08:59:59.660-02:00", + "client.ip": "10.2.1.101", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 51727, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.name": "10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.process": "RT_UTM", + "juniper.srx.tag": "AV_HUGE_FILE_DROPPED_MT", + "log.level": "warning", + "log.offset": 1323, + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.2.1.101", + "10.1.1.103" + ], + "server.ip": "10.1.1.103", + "server.port": 51727, + "service.type": "juniper", + "source.ip": "10.2.1.101", + "source.port": 80, + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-17T23:33:50.391-02:00", + "client.ip": "10.10.10.1", + "event.action": "antispam_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile_name": "antispam01", + "juniper.srx.reason": "Match local blacklist", + "juniper.srx.tag": "ANTISPAM_SPAM_DETECTED_MT", + "log.level": "informational", + "log.offset": 1595, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.10.10.1" + ], + "service.type": "juniper", + "source.ip": "10.10.10.1", + "source.user.name": "user01", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-17T23:34:50.391-02:00", + "client.ip": "192.0.2.3", + "client.port": 58071, + "destination.ip": "198.51.100.2", + "destination.port": 80, + "event.action": "content_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "file.name": "test.cmd", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "drop", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile_name": "content02", + "juniper.srx.reason": "blocked due to file extension block list", + "juniper.srx.tag": "CONTENT_FILTERING_BLOCKED_MT", + "log.level": "informational", + "log.offset": 1892, + "network.protocol": "http", + "observer.egress.zone": "trust", + "observer.ingress.zone": "untrust", + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.0.2.3", + "198.51.100.2" + ], + "server.ip": "198.51.100.2", + "server.port": 80, + "service.type": "juniper", + "source.ip": "192.0.2.3", + "source.port": 58071, + "source.user.name": "user01@testuser.com", + "tags": [ + "juniper.srx", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-18T23:32:50.391-02:00", + "client.ip": "192.168.1.100", + "client.port": 58071, + "destination.as.number": 55967, + "destination.as.organization.name": "Beijing Baidu Netcom Science and Technology Co., Ltd.", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "HK", + "destination.geo.country_name": "Hong Kong", + "destination.geo.location.lat": 22.25, + "destination.geo.location.lon": 114.1667, + "destination.ip": "103.235.46.39", + "destination.port": 80, + "event.action": "web_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.category": "cat1", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "uf1", + "juniper.srx.reason": "BY_BLACK_LIST", + "juniper.srx.tag": "WEBFILTER_URL_BLOCKED_LS", + "log.level": "warning", + "log.offset": 2317, + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "www.baidu.com" + ], + "related.ip": [ + "192.168.1.100", + "103.235.46.39" + ], + "server.ip": "103.235.46.39", + "server.port": 80, + "service.type": "juniper", + "source.ip": "192.168.1.100", + "source.port": 58071, + "source.user.name": "user01", + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "www.baidu.com", + "url.path": "/" + }, + { + "@timestamp": "2011-02-08T06:29:28.565-02:00", + "client.ip": "188.40.238.250", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 47095, + "event.action": "virus_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "file.name": "www.eicar.org/download/eicar.com", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.name": "EICAR-Test-File", + "juniper.srx.process": "RT_UTM", + "juniper.srx.tag": "AV_VIRUS_DETECTED_MT_LS", + "juniper.srx.temporary_filename": "www.eicar.org/download/eicar.com", + "log.level": "warning", + "log.offset": 2639, + "observer.ingress.zone": "untrust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "EICAR-Test-File" + ], + "related.ip": [ + "188.40.238.250", + "10.1.1.103" + ], + "server.ip": "10.1.1.103", + "server.port": 47095, + "service.type": "juniper", + "source.as.number": 24940, + "source.as.organization.name": "Hetzner Online GmbH", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "188.40.238.250", + "source.port": 80, + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "EICAR-Test-File" + }, + { + "@timestamp": "2020-07-14T12:16:18.345-02:00", + "client.ip": "10.1.1.100", + "client.port": 58974, + "destination.as.number": 13335, + "destination.as.organization.name": "Cloudflare, Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "104.26.15.142", + "destination.port": 443, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"", + "event.outcome": "success", + "event.risk_score": "0", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.category": "Enhanced_Information_Technology", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "WCF1", + "juniper.srx.reason": "BY_SITE_REPUTATION_MODERATELY_SAFE", + "juniper.srx.session_id": "16297", + "juniper.srx.tag": "WEBFILTER_URL_PERMITTED", + "log.level": "informational", + "log.offset": 3013, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "datawrapper.dwcdn.net" + ], + "related.ip": [ + "10.1.1.100", + "104.26.15.142" + ], + "server.ip": "104.26.15.142", + "server.port": 443, + "service.type": "juniper", + "source.ip": "10.1.1.100", + "source.port": 58974, + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "datawrapper.dwcdn.net", + "url.path": "/" + }, + { + "@timestamp": "2020-07-14T12:16:29.541-02:00", + "client.ip": "10.1.1.100", + "client.port": 59075, + "destination.as.number": 24961, + "destination.as.organization.name": "myLoc managed IT AG", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "85.114.159.93", + "destination.port": 443, + "event.action": "web_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "juniper.srx", + "event.kind": "alert", + "event.module": "juniper", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"", + "event.outcome": "success", + "event.risk_score": "3", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.category": "Enhanced_Advertisements", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "WCF1", + "juniper.srx.reason": "BY_SITE_REPUTATION_SUSPICIOUS", + "juniper.srx.session_id": "16490", + "juniper.srx.tag": "WEBFILTER_URL_BLOCKED", + "log.level": "warning", + "log.offset": 3552, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.hosts": [ + "dsp.adfarm1.adition.com" + ], + "related.ip": [ + "10.1.1.100", + "85.114.159.93" + ], + "server.ip": "85.114.159.93", + "server.port": 443, + "service.type": "juniper", + "source.ip": "10.1.1.100", + "source.port": 59075, + "tags": [ + "juniper.srx", + "forwarded" + ], + "url.domain": "dsp.adfarm1.adition.com", + "url.path": "/" + }, + { + "@timestamp": "2020-07-14T12:17:04.733-02:00", + "client.ip": "23.209.86.45", + "client.port": 80, + "destination.ip": "10.1.1.100", + "destination.port": 58954, + "event.category": [ + "network" + ], + "event.dataset": "juniper.srx", + "event.kind": "event", + "event.module": "juniper", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.name": "download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar", + "fileset.name": "srx", + "input.type": "log", + "juniper.srx.action": "BLOCKED", + "juniper.srx.error_code": "7", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile_name": "Custom-Sophos-Profile", + "juniper.srx.reason": "exceeding maximum content size", + "juniper.srx.tag": "AV_FILE_NOT_SCANNED_DROPPED_MT", + "log.level": "warning", + "log.offset": 4078, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "23.209.86.45", + "10.1.1.100" + ], + "server.ip": "10.1.1.100", + "server.port": 58954, + "service.type": "juniper", + "source.as.number": 16625, + "source.as.organization.name": "Akamai Technologies, Inc.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "NL", + "source.geo.country_name": "Netherlands", + "source.geo.location.lat": 52.3824, + "source.geo.location.lon": 4.8995, + "source.ip": "23.209.86.45", + "source.port": 80, + "tags": [ + "juniper.srx", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled index a376ac92cdb9..71112679db02 100644 --- a/x-pack/filebeat/modules.d/juniper.yml.disabled +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled @@ -39,3 +39,16 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + srx: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9006. + #var.syslog_port: 9006