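/*
 * Copyright 2010 NCHOVY
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.araqne.logparser.syslog.juniper.attack;

import java.io.IOException;
import java.util.Map;
import java.util.Set;

import org.araqne.logparser.syslog.internal.PatternFinder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Parses Juniper attack-alarm syslog messages (the "{@code <attack>! From <src> to
 * <dst>, proto ... (zone ..., int ...). Occurred N times.}" family) into a field map.
 *
 * <p>The message templates below are registered once at construction time in a
 * {@link PatternFinder}; {@link #parse(String)} asks the finder for candidate patterns
 * for a given line and returns the first one that yields a result.
 *
 * <p>Security note: the input line is attacker-influenced (it describes the attacker's
 * own traffic), so a single malformed or pathological line must never take down the
 * ingest path. {@link #parse(String)} therefore isolates each pattern attempt and never
 * propagates a failure to the caller. The raw line is deliberately not written to the
 * parser's own log, to avoid log-injection and log-amplification from hostile input.
 *
 * <p>Template syntax ({@code <field>} placeholders, the {@code { A | B | <c> }}
 * alternation and the {@code <none>} placeholder) is interpreted by
 * {@link JuniperAttackLogPattern#from(String, String)}; this class only supplies the
 * strings. {@code <none>} presumably marks a value that is matched but not emitted —
 * confirm against JuniperAttackLogPattern.
 */
public class JuniperAttackLogParser {
	// Static so that the static factory can report failures through the same logger
	// instead of falling back to printStackTrace().
	private static final Logger logger = LoggerFactory.getLogger(JuniperAttackLogParser.class.getName());

	// Candidate lookup keyed by each pattern's leading constant text; populated once.
	private final PatternFinder<JuniperAttackLogPattern> patternMap;

	/**
	 * Builds the parser and registers every known attack-log template.
	 *
	 * @throws IOException if the pattern finder cannot be initialised
	 */
	public JuniperAttackLogParser() throws IOException {
		patternMap = loadPatterns();
	}

	/**
	 * Convenience factory for callers that cannot handle the checked exception.
	 *
	 * @return a ready parser, or {@code null} if construction failed (the failure is
	 *         logged at ERROR level). Callers must check for {@code null}; prefer the
	 *         constructor when the exception can be propagated.
	 */
	public static JuniperAttackLogParser newInstance() {
		try {
			return new JuniperAttackLogParser();
		} catch (IOException e) {
			logger.error("araqne syslog parser: cannot load juniper attack log patterns", e);
			return null;
		}
	}

	/**
	 * Registers the full set of Juniper attack-log message templates.
	 *
	 * <p>The category string carries the syslog severity and the Juniper message id in
	 * parentheses. Placeholders: {@code <src-ip>}, {@code <src-port>}, {@code <dst-ip>},
	 * {@code <dst-port>}, {@code <protocol>}, {@code <zone-name>}, {@code <interface-name>}.
	 *
	 * @return the populated finder
	 * @throws IOException if {@link PatternFinder#newInstance()} fails
	 */
	private static PatternFinder<JuniperAttackLogPattern> loadPatterns() throws IOException {
		PatternFinder<JuniperAttackLogPattern> m = PatternFinder.newInstance();

		// Emergency
		load(m, "Emergency (00005)", "SYN flood! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Emergency (00006)", "Teardrop attack! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Emergency (00007)", "Ping of Death! From <src-ip> to <dst-ip>, proto 1 (zone <zone-name>, int <interface-name>). Occurred <none> times.");

		// Alert
		load(m, "Alert (00004)", "WinNuke attack! From <src-ip>:<src-port> to <dst-ip>:139, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Alert (00008)", "IP spoofing! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Alert (00009)", "Source Route IP option! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Alert (00010)", "Land attack! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Alert (00011)", "ICMP flood! From <src-ip> to <dst-ip>, proto 1 (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Alert (00012)", "UDP flood! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto UDP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Alert (00016)", "Port scan! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Alert (00017)", "Address sweep! From <src-ip> to <dst-ip>, proto 1 (zone <zone-name>, int <interface-name>). Occurred <none> times.");

		// Critical
		load(m, "Critical (00032)", "Malicious URL! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00033)", "Src IP session limit! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00412)", "SYN fragment! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00413)", "No TCP flag! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00414)", "Unknown protocol! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto <protocol> (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00415)", "Bad IP option! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00430)", "Dst IP session limit! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00431)", "ZIP file blocked! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00432)", "Java applet blocked! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00433)", "EXE file blocked! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00434)", "ActiveX control blocked! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00435)", "ICMP fragment! From <src-ip> to <dst-ip>, proto 1 (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00436)", "Large ICMP packet! From <src-ip> to <dst-ip>, proto 1 (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00437)", "SYN and FIN bits! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00438)", "FIN but no ACK bit! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00439)", "SYN-ACK-ACK Proxy DoS! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00440)", "Fragmented traffic! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");

		return m;
	}

	/**
	 * Compiles one template and registers it under its leading constant text.
	 *
	 * <p>The finder is keyed by the first constant element of the pattern, so every
	 * template must begin with literal text (all of the ones above do, e.g. "SYN flood!").
	 *
	 * @param m             the finder to register into
	 * @param category      severity and Juniper message id, e.g. "Alert (00016)"
	 * @param patternString the message template
	 * @throws IllegalArgumentException if the template has no constant element to key on;
	 *                                  fails fast at construction instead of an opaque
	 *                                  IndexOutOfBoundsException
	 */
	private static void load(PatternFinder<JuniperAttackLogPattern> m, String category, String patternString) {
		JuniperAttackLogPattern pattern = JuniperAttackLogPattern.from(category, patternString);
		if (pattern.getConstElements().isEmpty())
			throw new IllegalArgumentException("juniper attack log pattern has no constant prefix: " + category);
		m.register(pattern.getConstElements().get(0), pattern);
	}

	/**
	 * Parses one syslog line.
	 *
	 * <p>Candidate patterns are obtained from the finder and tried in the order its set
	 * iterates them; the first non-null result wins. A pattern that throws is logged and
	 * skipped so that one hostile or malformed line cannot abort processing.
	 *
	 * @param line the raw message; {@code null} is treated as "no match"
	 * @return the parsed field map, or {@code null} if no registered pattern matches
	 */
	public Map<String, Object> parse(String line) {
		if (line == null)
			return null;

		Set<JuniperAttackLogPattern> candidates = patternMap.find(line);
		if (candidates == null)
			return null;

		for (JuniperAttackLogPattern pattern : candidates) {
			try {
				Map<String, Object> fields = pattern.parse(line);
				if (fields != null)
					return fields;
			} catch (Throwable t) {
				// Best effort by design: the line is untrusted input and a pathological
				// value can surface as an Error (e.g. StackOverflowError from regex
				// backtracking), which must not escape the ingest thread. The raw line
				// is intentionally not logged (log injection / amplification).
				// NOTE(review): this also masks OutOfMemoryError and linkage errors;
				// narrow if JuniperAttackLogPattern.parse is known not to need it.
				logger.warn("araqne syslog parser: cannot parse juniper attack log", t);
			}
		}

		return null;
	}

	/**
	 * @return the lookup keys (leading constant text of each registered template), as
	 *         exposed by the finder
	 */
	public Set<String> getPatternKeySet() {
		return patternMap.fingetPrints();
	}
}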