/*
* Copyright 2012 Future Systems
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.krakenapps.logparser.syslog.futuresystems;
import java.util.Date;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.krakenapps.log.api.FirewallLog;
import org.krakenapps.log.api.IpsLog;
import org.krakenapps.log.api.LogNormalizer;
public class WeguardiaLogNormalizer implements LogNormalizer {
private final Set<Long> contentBlocks = new HashSet<Long>();
private final Set<Long> contentDetects = new HashSet<Long>();
private final Set<Long> contentAllows = new HashSet<Long>();
public WeguardiaLogNormalizer() {
contentBlocks.add(0x26030001L); // smtp match filter
contentBlocks.add(0x27030001L); // smtp transform filter
contentBlocks.add(0x28030001L); // smtp advanced filter
contentBlocks.add(0x29040001L); // http cf block
contentBlocks.add(0x29040002L); // http kiscom block
contentBlocks.add(0x29040003L); // url block game
contentBlocks.add(0x29040004L); // url block stock
contentBlocks.add(0x29040005L); // url block news
contentBlocks.add(0x29040006L); // url block iptv
contentBlocks.add(0x29040007L); // url block email
contentBlocks.add(0x29040008L); // url block webhard
contentBlocks.add(0x29040009L); // url block p2p
contentBlocks.add(0x2904000aL); // url block user
contentDetects.add(0x26030002L); // smtp match detect
contentDetects.add(0x27030002L); // smtp transform detect
contentDetects.add(0x28030002L); // smtp advanced detect
contentDetects.add(0x2902000bL); // http cf detect
contentAllows.add(0x26020003L); // smtp match allows
contentAllows.add(0x27020003L); // smtp transform allows
contentAllows.add(0x28020003L); // smtp advanced allows
}
@Override
public Map<String, Object> normalize(Map<String, Object> params) {
int logtype = Integer.valueOf((String) params.get("logtype"));
switch (logtype) {
case 1: // firewall
case 9: // ddos
return parseFirewall(params);
case 2: // dpi
return parseIps(params);
}
return null;
}
private Map<String, Object> parseFirewall(Map<String, Object> params) {
int logtype = Integer.valueOf((String) params.get("logtype"));
String rule = (String) params.get("rule");
String act = (String) params.get("act");
long actNo = Long.valueOf(act);
FirewallLog log = new FirewallLog();
log.setDate((Date) params.get("date"));
log.setSubtype("session");
log.setAction("accept");
if (logtype == 9) {
log.setSubtype("attack");
log.setAction("drop");
} else if (((actNo & 0x21000000) > 0) // dos
|| ((actNo & 0x22000000) > 0) // ddos
|| ((actNo & 0x23000000) > 0) // portscan
|| ((actNo & 0x24000000) > 0)) // ip spoof
{
log.setSubtype("attack");
log.setAction("drop");
} else if (contentBlocks.contains(actNo)) {
log.setSubtype("content-filter");
log.setAction("drop");
} else if (contentDetects.contains(actNo)) {
log.setSubtype("content-filter");
} else if (contentAllows.contains(actNo)) {
log.setSubtype("content-filter");
}
// debug(1), info(2), normal(3), warn(4), serious(5), critical(6)
log.setSeverity(normalizeSeverity((String) params.get("severity")));
log.setSrc((String) params.get("sip"));
log.setDst((String) params.get("dip"));
log.setSrcPort((Integer) params.get("sport"));
log.setDstPort((Integer) params.get("dport"));
log.setProtocol((String) params.get("protocol"));
log.setRule(rule);
log.setDetail((String) params.get("note"));
log.setCount((Integer) params.get("count"));
if (actNo == 0x20040003L) // packet filter drop
log.setAction("drop");
return log;
}
private Map<String, Object> parseIps(Map<String, Object> params) {
IpsLog log = new IpsLog();
log.setDate((Date) params.get("date"));
// debug(1), info(2), normal(3), warn(4), serious(5), critical(6)
log.setSeverity(normalizeSeverity((String) params.get("severity")));
log.setSrc((String) params.get("sip"));
log.setDst((String) params.get("dip"));
log.setSrcPort((Integer) params.get("sport"));
log.setDstPort((Integer) params.get("dport"));
log.setProtocol((String) params.get("protocol"));
log.setRule((String) params.get("rule"));
log.setDetail((String) params.get("note"));
log.setCount((Integer) params.get("count"));
return log;
}
private int normalizeSeverity(String value) {
int v = Integer.valueOf(value);
switch (v) {
case 1:
return 5;
case 2:
return 5;
case 3:
return 4;
case 4:
return 3;
case 5:
return 2;
case 6:
return 1;
default:
return 0;
}
}
}