/*
* Copyright 2012 Future Systems
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.araqne.logparser.snmptrap.pentasecurity;
import java.net.InetAddress;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

import org.araqne.log.api.V1LogParser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
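/**
 * Parses SNMP traps sent by a WAPPLES web application firewall into flat log maps.
 *
 * <p>Four trap types are recognised, each identified by the value of the standard
 * {@code snmpTrapOID.0} varbind and each carrying its own varbinds under the
 * enterprise subtree {@code 1.3.6.1.4.1.9772.1.2.0}: detection, audit, appliance
 * status and web-server health check. Every other trap is logged and dropped.
 *
 * <p>The field values of the returned map are copied from the trap as received. The
 * detection fields ({@code uri}, {@code rawdata}, {@code hostname}) presumably echo the
 * client request that triggered the rule, so consumers should treat them as untrusted
 * input rather than as something the firewall has sanitised.
 *
 * <p>Instances are stateless apart from the logger, so {@link #parse(Map)} may be
 * called concurrently.
 */
public class WapplesLogParser extends V1LogParser {
    private static final Logger logger = LoggerFactory.getLogger(WapplesLogParser.class.getName());

    /** snmpTrapOID.0 (SNMPv2-MIB): names the trap type the remaining varbinds belong to. */
    private static final String SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0";

    /** Layout of every time varbind (two-digit year, local time, no zone information). */
    private static final String DATE_PATTERN = "yy/MM/dd HH:mm:ss";

    // detect oids
    private static final String DETECT_OID = "1.3.6.1.4.1.9772.1.2.0.1";
    private static final String DETECT_TIME_OID = DETECT_OID + ".1";
    private static final String DETECT_SRC_OID = DETECT_OID + ".2";
    private static final String DETECT_URI_OID = DETECT_OID + ".3";
    private static final String DETECT_RULE_ID_OID = DETECT_OID + ".4";
    private static final String DETECT_RAW_DATA_OID = DETECT_OID + ".5";
    private static final String DETECT_RESPONSE_VALUE_OID = DETECT_OID + ".6";
    private static final String DETECT_WEBSITE_HOSTNAME_OID = DETECT_OID + ".7";
    private static final String DETECT_DST_OID = DETECT_OID + ".8";

    // audit oids
    private static final String AUDIT_OID = "1.3.6.1.4.1.9772.1.2.0.2";
    private static final String AUDIT_SRC_OID = AUDIT_OID + ".1";
    private static final String AUDIT_TIME_OID = AUDIT_OID + ".2";
    private static final String AUDIT_INFO_OID = AUDIT_OID + ".3";
    private static final String AUDIT_TYPE_OID = AUDIT_OID + ".4";
    private static final String AUDIT_MSG_TYPE_OID = AUDIT_OID + ".5";

    // wapples status oids
    private static final String STATUS_OID = "1.3.6.1.4.1.9772.1.2.0.3";
    private static final String STATUS_TIME_OID = STATUS_OID + ".1";
    private static final String STATUS_CPU_USED_OID = STATUS_OID + ".2";
    private static final String STATUS_MEM_USED_OID = STATUS_OID + ".3";

    // web server check oids
    private static final String CHECK_OID = "1.3.6.1.4.1.9772.1.2.0.4";
    private static final String CHECK_BEGIN_TIME_OID = CHECK_OID + ".1";
    private static final String CHECK_END_TIME_OID = CHECK_OID + ".2";
    private static final String CHECK_SERVER_IP_OID = CHECK_OID + ".3";
    private static final String CHECK_SERVER_PORT_OID = CHECK_OID + ".4";
    private static final String CHECK_STATUS_CODE_OID = CHECK_OID + ".5";
    private static final String CHECK_TIMEOUT_COUNT_OID = CHECK_OID + ".6";

    /**
     * Converts one decoded trap into a log map.
     *
     * @param log the trap varbinds keyed by dotted OID string; the value under
     *            {@code snmpTrapOID.0} selects the trap type
     * @return a map with a {@code type} field of {@code detect}, {@code audit},
     *         {@code status} or {@code server_check} plus the fields of that trap type,
     *         or {@code null} when the trap OID is missing, not a string, unknown, or
     *         when any varbind is missing or of an unexpected type (the cause is logged)
     * @throws NullPointerException if {@code log} is {@code null}
     */
    @Override
    public Map<String, Object> parse(Map<String, Object> log) {
        if (logger.isDebugEnabled())
            logger.debug("araqne logparser snmptrap: wapples log [{}]", log);

        // check snmp trap oid
        Object trapOidValue = log.get(SNMP_TRAP_OID);
        if (trapOidValue == null) {
            logger.warn("araqne logparser snmptrap: invalid wapples log, null snmp trap oid [{}]", log);
            return null;
        }
        // Checked before casting so that a malformed trap cannot escape as a ClassCastException;
        // the original cast sat outside the try block below.
        if (!(trapOidValue instanceof String)) {
            logger.warn("araqne logparser snmptrap: invalid wapples log, non-string snmp trap oid [{}]", log);
            return null;
        }
        String snmpTrapOid = (String) trapOidValue;

        try {
            // SimpleDateFormat is not thread-safe; a fresh instance per call keeps parse() reentrant.
            SimpleDateFormat dateFormat = new SimpleDateFormat(DATE_PATTERN);
            if (DETECT_OID.equals(snmpTrapOid))
                return parseDetect(log, dateFormat);
            if (AUDIT_OID.equals(snmpTrapOid))
                return parseAudit(log, dateFormat);
            if (STATUS_OID.equals(snmpTrapOid))
                return parseStatus(log, dateFormat);
            if (CHECK_OID.equals(snmpTrapOid))
                return parseServerCheck(log, dateFormat);
        } catch (Exception e) {
            // Missing varbinds surface as NullPointerException, wrong types as ClassCastException
            // and bad timestamps as ParseException; all mean "not a well-formed WAPPLES trap".
            // Errors (e.g. OutOfMemoryError) are deliberately left to propagate.
            logger.error("araqne logparser snmptrap: cannot parse wapples log => " + log, e);
            return null;
        }

        logger.warn("araqne logparser snmptrap: unrecognized snmp trap oid [{}]", snmpTrapOid);
        return null;
    }

    /** Builds the map for a rule-detection trap (type {@code detect}). */
    private static Map<String, Object> parseDetect(Map<String, Object> log, SimpleDateFormat dateFormat)
            throws ParseException {
        Map<String, Object> m = new HashMap<String, Object>();
        m.put("date", parseDate(dateFormat, log.get(DETECT_TIME_OID)));
        m.put("type", "detect");
        m.put("src", hostAddress(log.get(DETECT_SRC_OID)));
        m.put("dst", hostAddress(log.get(DETECT_DST_OID)));
        m.put("uri", log.get(DETECT_URI_OID));
        m.put("rule", getRuleName((Integer) log.get(DETECT_RULE_ID_OID)));
        // Passed through verbatim; presumably the request body/headers the WAF matched on.
        m.put("rawdata", log.get(DETECT_RAW_DATA_OID));
        m.put("response", getResponseName((Integer) log.get(DETECT_RESPONSE_VALUE_OID)));
        m.put("hostname", log.get(DETECT_WEBSITE_HOSTNAME_OID));
        return m;
    }

    /** Builds the map for an administrative audit trap (type {@code audit}). */
    private static Map<String, Object> parseAudit(Map<String, Object> log, SimpleDateFormat dateFormat)
            throws ParseException {
        Map<String, Object> m = new HashMap<String, Object>();
        m.put("date", parseDate(dateFormat, log.get(AUDIT_TIME_OID)));
        m.put("type", "audit");
        // Unlike the detect trap, the audit source is stored as received (not converted to a host address).
        m.put("src", log.get(AUDIT_SRC_OID));
        m.put("info", log.get(AUDIT_INFO_OID));
        m.put("audit_type", log.get(AUDIT_TYPE_OID));
        m.put("audit_msg_type", log.get(AUDIT_MSG_TYPE_OID));
        return m;
    }

    /** Builds the map for an appliance resource-usage trap (type {@code status}). */
    private static Map<String, Object> parseStatus(Map<String, Object> log, SimpleDateFormat dateFormat)
            throws ParseException {
        Map<String, Object> m = new HashMap<String, Object>();
        m.put("date", parseDate(dateFormat, log.get(STATUS_TIME_OID)));
        m.put("type", "status");
        m.put("cpu_used", log.get(STATUS_CPU_USED_OID));
        m.put("mem_used", log.get(STATUS_MEM_USED_OID));
        return m;
    }

    /** Builds the map for a back-end web server health-check trap (type {@code server_check}). */
    private static Map<String, Object> parseServerCheck(Map<String, Object> log, SimpleDateFormat dateFormat)
            throws ParseException {
        Map<String, Object> m = new HashMap<String, Object>();
        m.put("type", "server_check");
        m.put("begin_time", parseDate(dateFormat, log.get(CHECK_BEGIN_TIME_OID)));
        m.put("end_time", parseDate(dateFormat, log.get(CHECK_END_TIME_OID)));
        m.put("server_ip", hostAddress(log.get(CHECK_SERVER_IP_OID)));
        m.put("server_port", log.get(CHECK_SERVER_PORT_OID));
        m.put("status_code", log.get(CHECK_STATUS_CODE_OID));
        m.put("timeout_count", log.get(CHECK_TIMEOUT_COUNT_OID));
        return m;
    }

    /**
     * Parses a time varbind.
     *
     * @throws ParseException     if the text does not match {@link #DATE_PATTERN}
     * @throws NullPointerException if the varbind is absent
     * @throws ClassCastException   if the varbind is not a string
     */
    private static Date parseDate(SimpleDateFormat dateFormat, Object value) throws ParseException {
        return dateFormat.parse((String) value);
    }

    /**
     * Renders an address varbind as its textual IP literal.
     *
     * @throws NullPointerException if the varbind is absent
     * @throws ClassCastException   if the varbind is not an {@link InetAddress}
     */
    private static String hostAddress(Object value) {
        return ((InetAddress) value).getHostAddress();
    }

    /**
     * Maps a WAPPLES rule id to a stable snake_case rule name.
     *
     * @param id the numeric rule id from the detect trap
     * @return the rule name, or {@code rule-<id>} for ids not in the table
     */
    private static String getRuleName(int id) {
        switch (id) {
        case 1:
            return "xss";
        case 2:
            return "parameter_tampering";
        case 3:
            return "cookie_poisoning";
        case 4:
            return "buffer_overflow";
        case 5:
            return "sql_injection";
        case 6:
            return "input_invalidation";
        case 7:
            return "invalid_http_request";
        case 8:
            return "worm";
        case 9:
            return "invalid_uri";
        case 10:
            return "forceful_browsing";
        case 11:
            return "unknown_worm";
        case 12:
            return "file_upload";
        case 13:
            return "response_header_filtering";
        case 14:
            return "unicode_dir_traversal";
        case 15:
            return "known_attack";
        case 16:
            return "stealth_commanding";
        case 17:
            return "request_method_filtering";
        case 18:
            return "error_handling";
        case 19:
            return "uri_access_control";
        case 20:
            return "input_content_filtering";
        case 21:
            return "output_filtering";
        case 22:
            return "suspicious_access";
        case 23:
            return "invalid_http";
        case 24:
            return "web_site_defacement";
        case 25:
            return "output_content_filtering";
        case 26:
            return "directory_listing";
        case 27:
            return "extension_filtering";
        case 28:
            return "privacy_file_upload";
        case 29:
            return "ip_block";
        case 30:
            return "privacy_input_filtering";
        case 31:
            return "include_injection";
        case 32:
            return "ip_filtering";
        case 33:
            return "request_header_filtering";
        case 34:
            return "user_defined";
        default:
            // Unknown ids are kept rather than dropped so new firmware rules still show up.
            return "rule-" + Integer.toString(id);
        }
    }

    /**
     * Maps the response-action code of a detect trap to a name.
     *
     * @param value the numeric response code; {@code -1} is a valid code
     * @return the action name, or {@code response-<value>} for unknown codes
     */
    private static String getResponseName(int value) {
        switch (value) {
        case -1:
            return "alter_content";
        case 0:
            return "no_response";
        case 1:
            return "redirect";
        case 2:
            return "error_code";
        case 3:
            return "disconnect";
        case 4:
            return "suspicious_access";
        default:
            return "response-" + value;
        }
    }
}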