/*
* Copyright 2012 Future Systems
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.araqne.logparser.syslog.airtight;
import java.util.HashMap;
import java.util.Map;
import java.util.Scanner;
import org.araqne.log.api.V1LogParser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
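public class SpectraGuardLogParser extends V1LogParser {
    private static final Logger logger = LoggerFactory.getLogger(SpectraGuardLogParser.class);

    /**
     * Parses one AirTight SpectraGuard syslog line into a flat key/value map.
     *
     * <p>The input is {@code params.get("line")}. An optional syslog prefix before the first
     * {@code '<'} (three space-separated fields, then the host) is stripped and its host recorded.
     * The remainder is split on {@code ": "} into the sensor token, an optional Start/Stop state,
     * the message, the location, date, severity, the event id / major / intermediate / minor
     * numbers and an optional closest sensor name. The message text is then classified into a
     * {@code type} plus the AP / client / sensor name it quotes in square brackets.
     *
     * <p>The line arrives over syslog and is treated as untrusted: a malformed or truncated line
     * is reported at TRACE level and the method returns whatever fields were recognised plus the
     * untouched input under {@code "line"}, instead of letting an index or scanner exception
     * escape to the caller.
     *
     * @param params parser input; only the {@code "line"} entry is read
     * @return the parsed fields, or {@code null} when there is no line to parse
     */
    @Override
    public Map<String, Object> parse(Map<String, Object> params) {
        if (params == null)
            return null;
        String raw = (String) params.get("line");
        if (raw == null)
            return null;

        HashMap<String, Object> m = new HashMap<String, Object>();
        Scanner sc = null;
        try {
            String line = raw;
            if (!line.startsWith("<")) {
                // A syslog prefix precedes the sensor token: keep its host, drop the rest.
                // A line with no '<' anywhere cannot be a SpectraGuard message; treat it as
                // malformed rather than indexing with -1 as the original did.
                int start = line.indexOf('<');
                if (start < 0)
                    throw new IllegalArgumentException("no '<' sensor token in line");
                String host = hostFromPrefix(line.substring(0, start));
                if (host != null)
                    m.put("host", host);
                line = line.substring(start);
            }

            sc = new Scanner(line);
            sc.useDelimiter(": ");

            // Sensor token: '<', a 17-character MAC address, a space, then the sensor version.
            // A shorter token raises StringIndexOutOfBoundsException and lands in the catch.
            String sensor = sc.next();
            m.put("sensor_mac", sensor.substring(1, 18));
            m.put("sensor_version", sensor.substring(19).trim());

            // An optional "Start"/"Stop" state field may precede the message text.
            String token = sc.next().trim();
            String msg;
            if (token.equals("Start") || token.equals("Stop")) {
                m.put("state", token);
                msg = sc.next().trim();
            } else {
                msg = token;
            }
            // The next ": "-delimited field is glued onto this particular message, presumably
            // because the full message contains a ": " of its own; the separator itself is not
            // restored (kept as in the original).
            if (msg.equals("Possible Mobile Client matching watch list signature detected"))
                msg += sc.next().trim();
            m.put("msg", msg);

            // Location field: "<sensor ip>://<location>". Without "://" the substring call
            // throws and the line is reported as unparseable.
            // NOTE(review): sep + 1 keeps the leading "//" in the location value; unchanged
            // from the original, confirm that downstream consumers expect it.
            String location = sc.next().trim();
            int sep = location.indexOf("://");
            m.put("sensor_ip", location.substring(0, sep));
            m.put("location", location.substring(sep + 1));

            m.put("date", sc.next().trim());
            m.put("severity", sc.next().trim());
            m.put("event_id", sc.next().trim());
            m.put("event_major_num", sc.next().trim());
            m.put("event_intermediate_num", sc.next().trim());
            m.put("event_minor_num", sc.next().trim());
            if (sc.hasNext())
                m.put("closest_sensor_name", sc.next().trim());

            classify(msg, m);
        } catch (Exception e) {
            // Malformed input (missing field, short token, no "://", ...): keep the fields
            // parsed so far plus the original text. Only Exception is caught so that JVM
            // Errors such as OutOfMemoryError are not swallowed by a log parser.
            logger.trace("cannot parse spectraguard log - {}", raw, e);
            m.put("line", raw);
        } finally {
            if (sc != null)
                sc.close();
        }
        return m;
    }

    /**
     * Returns the host from a syslog prefix laid out as three space-separated fields followed
     * by the host: everything after the third space, trimmed.
     *
     * @param prefix the text before the first {@code '<'} of the line
     * @return the host, or {@code null} when the prefix holds fewer than three spaces
     *         (unexpected layout) so the caller can omit the host instead of failing
     */
    private static String hostFromPrefix(String prefix) {
        int pos = -1;
        for (int i = 0; i < 3; i++) {
            pos = prefix.indexOf(' ', pos + 1);
            if (pos < 0)
                return null;
        }
        return prefix.substring(pos).trim();
    }

    /**
     * Maps the message text to a {@code type} and the bracketed identifiers it names.
     * Only the first matching prefix applies; messages matching none leave {@code m} untouched.
     * Extracted identifiers may be {@code null} when the expected bracket is absent, except for
     * the "Authorized Client" case which omits the key instead.
     *
     * @param msg the message field of the log line
     * @param m   the result map to add {@code type} / {@code ap} / {@code client} /
     *            {@code adhoc} / {@code sensor_name} to
     */
    private static void classify(String msg, Map<String, Object> m) {
        if (msg.startsWith("Rogue Client")) {
            m.put("type", "Rogue Client");
            m.put("client", extract(msg));
        } else if (msg.startsWith("Rogue AP")) {
            m.put("type", "Rogue AP");
            m.put("ap", extract(msg));
        } else if (msg.startsWith("Mis-configured Authorized AP")) {
            m.put("type", "Misconfigured AP");
        } else if (msg.startsWith("Authorized Client")) {
            m.put("type", "Misbehaving Client");
            String client = extract(msg);
            if (client != null)
                m.put("client", client);
        } else if (msg.startsWith("Unauthorized Client")) {
            m.put("type", "Misbehaving Client");
            m.put("client", extract(msg));
        } else if (msg.startsWith("RF signature anomaly")) {
            m.put("type", "MAC Spoofing");
            m.put("client", extract(msg));
        } else if (msg.startsWith("Deauthentication flood attack")) {
            m.put("type", "DoS");
            m.put("ap", extract(msg, "AP ["));
            m.put("client", extract(msg, "Client ["));
        } else if (msg.startsWith("An Ad hoc network")) {
            m.put("type", "Ad Hoc");
            m.put("adhoc", extract(msg));
        } else if (msg.startsWith("Use of Fake AP tool detected")) {
            m.put("type", "Rogue AP");
            m.put("sensor_name", extract(msg));
        } else if (msg.startsWith("Indeterminate AP")) {
            m.put("type", "Rogue AP");
            m.put("ap", extract(msg));
        } else if (msg.startsWith("Authorized AP") && msg.endsWith("non-allowed channel.")) {
            m.put("type", "Misconfigured AP");
            m.put("ap", extract(msg));
        } else if (msg.startsWith("Possible use of Netstumbler")) {
            m.put("type", "Scanning");
            m.put("sensor_name", extract(msg, "Sensor ["));
            m.put("client", extract(msg, "Client ["));
        } else if (msg.startsWith("AP") && msg.endsWith("quarantined.")) {
            m.put("type", "Prevention");
            m.put("ap", extract(msg));
        } else if (msg.startsWith("Client") && msg.endsWith("quarantined.")) {
            m.put("type", "Prevention");
            m.put("client", extract(msg));
        }
    }

    /**
     * Returns the text of the first {@code [...]} group in {@code s}, or {@code null}.
     */
    private static String extract(String s) {
        return extract(s, "[");
    }

    /**
     * Returns the text between the first occurrence of {@code beginMarker} and the next
     * {@code ']'} after it.
     *
     * @param s           the message to search
     * @param beginMarker the opening marker, e.g. {@code "AP ["}; its own characters are excluded
     * @return the enclosed text, or {@code null} when either the marker or the closing bracket
     *         is missing
     */
    private static String extract(String s, String beginMarker) {
        int begin = s.indexOf(beginMarker);
        if (begin < 0)
            return null;
        int contentStart = begin + beginMarker.length();
        int end = s.indexOf(']', contentStart);
        if (end < 0)
            return null;
        return s.substring(contentStart, end);
    }
}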