JuniperAttackLogParser.java

/*
 * Copyright 2010 NCHOVY
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 * http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.araqne.logparser.syslog.juniper.attack;

import java.io.IOException;
import java.util.Map;
import java.util.Set;

import org.araqne.logparser.syslog.internal.PatternFinder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class JuniperAttackLogParser {
	private final Logger logger = LoggerFactory.getLogger(JuniperAttackLogParser.class.getName());
	private PatternFinder<JuniperAttackLogPattern> patternMap;

	public JuniperAttackLogParser() throws IOException {
		patternMap = loadPatterns();
	}

	public static JuniperAttackLogParser newInstance() {
		try {
			return new JuniperAttackLogParser();
		} catch (IOException e) {
			e.printStackTrace();
			return null;
		}
	}

	private static PatternFinder<JuniperAttackLogPattern> loadPatterns() throws IOException {
		PatternFinder<JuniperAttackLogPattern> m = PatternFinder.newInstance();

		load(m,
				"Emergency (00005)",
				"SYN flood! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Emergency (00006)",
				"Teardrop attack! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Emergency (00007)",
				"Ping of Death! From <src-ip> to <dst-ip>, proto 1 (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Alert (00004)",
				"WinNuke attack! From <src-ip>:<src-port> to <dst-ip>:139, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Alert (00008)",
				"IP spoofing! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Alert (00009)",
				"Source Route IP option! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Alert (00010)",
				"Land attack! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Alert (00011)",
				"ICMP flood! From <src-ip> to <dst-ip>, proto 1 (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Alert (00012)",
				"UDP flood! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto UDP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Alert (00016)",
				"Port scan! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Alert (00017)",
				"Address sweep! From <src-ip> to <dst-ip>, proto 1 (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00032)",
				"Malicious URL! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00033)",
				"Src IP session limit! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00412)",
				"SYN fragment! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00413)",
				"No TCP flag! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00414)",
				"Unknown protocol! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto <protocol> (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00415)",
				"Bad IP option! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00430)",
				"Dst IP session limit! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00431)",
				"ZIP file blocked! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00432)",
				"Java applet blocked! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00433)",
				"EXE file blocked! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00434)",
				"ActiveX control blocked! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00435)",
				"ICMP fragment! From <src-ip> to <dst-ip>, proto 1 (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m, "Critical (00436)",
				"Large ICMP packet! From <src-ip> to <dst-ip>, proto 1 (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00437)",
				"SYN and FIN bits! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00438)",
				"FIN but no ACK bit! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00439)",
				"SYN-ACK-ACK Proxy DoS! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto TCP (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		load(m,
				"Critical (00440)",
				"Fragmented traffic! From <src-ip>:<src-port> to <dst-ip>:<dst-port>, proto { TCP | UDP | <protocol> } (zone <zone-name>, int <interface-name>). Occurred <none> times.");
		return m;
	}

	private static void load(PatternFinder<JuniperAttackLogPattern> m, String category, String patternString) {
		JuniperAttackLogPattern pattern = JuniperAttackLogPattern.from(category, patternString);
		m.register(pattern.getConstElements().get(0), pattern);
	}

	public Map<String, Object> parse(String line) {
		Set<JuniperAttackLogPattern> patterns = patternMap.find(line);
		for (JuniperAttackLogPattern pattern : patterns) {
			Map<String, Object> result = null;
			try {
				result = pattern.parse(line);
				if (result != null)
					return result;
			} catch (Throwable t) {
				logger.warn("araqne syslog parser: cannot parse juniper attack log", t);
			}
		}

		return null;
	}

	public Set<String> getPatternKeySet() {
		return patternMap.fingetPrints();
	}
}