/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.opensoc.parsing.parsers;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.json.simple.JSONObject;

import com.opensoc.parser.interfaces.MessageParser;
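@SuppressWarnings("serial")
public class BasicSourcefireParser extends AbstractParser implements MessageParser {

    /** Field-name constant exposed to callers; not read by this parser itself. */
    public static final String hostkey = "host";

    /**
     * Domain-name pattern. Not consulted by {@link #parse(byte[])}; kept because
     * the package-visible field may still be referenced elsewhere in the package.
     */
    static final String domain_name_regex =
            "([^\\.]+)\\.([a-z]{2}|[a-z]{3}|([a-z]{2}\\.[a-z]{2}))$";

    /**
     * Matches the bracketed numeric triplet (presumably Snort's gid:sid:rev) anywhere
     * in the line: group 1 = text before it, group 2 = the bracketed triplet including
     * the brackets, group 3 = text after it. The last component is {@code [0-9]+}
     * rather than a single digit so revisions of 10 and above still match.
     */
    static final String sidRegex = "(.*)(\\[[0-9]+:[0-9]+:[0-9]+\\])(.*)$";

    // Patterns are immutable and thread-safe; compile once per class, not per instance.
    static final Pattern sidPattern = Pattern.compile(sidRegex);
    static final Pattern pattern = Pattern.compile(domain_name_regex);

    /**
     * Parses one raw alert line into a JSON payload.
     *
     * <p>The line is decoded as UTF-8 and its tail, from the last {@code '{'} onward,
     * is expected to look like {@code "{PROTO} src[:port] -> dst[:port]"}. The payload
     * receives:
     * <ul>
     *   <li>{@code key} - the raw tail starting at the last {@code '{'}</li>
     *   <li>{@code protocol} - the token inside the braces, lower-cased</li>
     *   <li>{@code ip_src_addr}/{@code ip_src_port}, {@code ip_dst_addr}/{@code ip_dst_port}
     *       - the endpoints split on {@code ':'} (port keys only when a port is present)</li>
     *   <li>{@code timestamp} - the wall-clock time of parsing, not the event time</li>
     *   <li>{@code signature_id} - the bracketed triplet, or {@code ""} when absent</li>
     *   <li>{@code original_string} - the line with single spaces re-inserted around the
     *       triplet (a normalized copy, not a byte-exact one), or the whole line when no
     *       triplet was found</li>
     * </ul>
     *
     * @param msg raw message bytes, assumed UTF-8
     * @return the populated payload, or {@code null} when the message is null or does not
     *         have the expected shape (the failure is logged, never thrown)
     */
    public JSONObject parse(byte[] msg) {
        if (msg == null) {
            _LOG.error("Failed to parse: message was null");
            return null;
        }
        // The charset constant cannot throw, unlike the charset-name overload.
        String toParse = new String(msg, StandardCharsets.UTF_8);
        JSONObject payload = new JSONObject();
        try {
            // NOTE(review): the raw message is untrusted network input and is echoed into
            // the log verbatim here and below; a CR/LF inside it can forge extra log lines.
            _LOG.debug("Received message: " + toParse);

            int braceStart = toParse.lastIndexOf('{');
            if (braceStart < 0) {
                throw new IllegalArgumentException("no '{' found in message");
            }
            String tail = toParse.substring(braceStart);
            putField(payload, "key", tail);

            int closeBrace = tail.indexOf('}');
            int arrow = tail.indexOf("->");
            // Both delimiters must exist and appear in the order "{proto} src -> dst".
            if (closeBrace < 0 || arrow < closeBrace) {
                throw new IllegalArgumentException("expected \"{proto} src -> dst\" after last '{'");
            }
            // Locale.ROOT keeps the fold independent of the JVM's default locale.
            String protocol = tail.substring(1, closeBrace).toLowerCase(Locale.ROOT);
            String source = tail.substring(closeBrace + 1, arrow).trim();
            String dest = tail.substring(arrow + 2).trim();

            putField(payload, "protocol", protocol);
            putEndpoint(payload, source, "ip_src_addr", "ip_src_port");
            putEndpoint(payload, dest, "ip_dst_addr", "ip_dst_port");
            putField(payload, "timestamp", System.currentTimeMillis());

            Matcher sidMatcher = sidPattern.matcher(toParse);
            String signatureId = "";
            String originalString;
            if (sidMatcher.find()) {
                signatureId = sidMatcher.group(2);
                // Re-joined with single spaces; callers see a normalized line, not the raw one.
                originalString = sidMatcher.group(1) + " " + sidMatcher.group(2) + " " + sidMatcher.group(3);
            } else {
                _LOG.warn("Unable to find SID in message: " + toParse);
                originalString = toParse;
            }
            putField(payload, "original_string", originalString);
            putField(payload, "signature_id", signatureId);
            return payload;
        } catch (RuntimeException e) {
            // Log the cause through the logger instead of dumping it to stderr;
            // callers treat null as "unparseable".
            _LOG.error("Failed to parse: " + toParse, e);
            return null;
        }
    }

    /**
     * Stores an endpoint as address and, when present, port. Splits on {@code ':'}
     * exactly as before: first segment = address, second = port. A trailing
     * {@code ':'} with nothing after it yields just the address.
     * NOTE(review): an IPv6 literal would be mangled by this split - confirm whether
     * the feed can emit one before relying on the port field.
     */
    private static void putEndpoint(JSONObject payload, String endpoint, String addrKey, String portKey) {
        if (!endpoint.contains(":")) {
            putField(payload, addrKey, endpoint);
            return;
        }
        String[] parts = endpoint.split(":");
        putField(payload, addrKey, parts[0]);
        if (parts.length > 1) {
            putField(payload, portKey, parts[1]);
        }
    }

    /** Single place for the unchecked put on the raw-typed json-simple map. */
    @SuppressWarnings("unchecked")
    private static void putField(JSONObject payload, String key, Object value) {
        payload.put(key, value);
    }
}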