File: //usr/share/filebeat/module/juniper/srx/ingest/ids.yml
description: Pipeline for parsing junipersrx firewall logs (ids pipeline)
processors:
#######################
## ECS Event Mapping ##
#######################
- set:
field: event.kind
value: event
- set:
field: event.outcome
value: success
if: "ctx.juniper?.srx?.tag != null"
- append:
field: event.category
value: network
- set:
field: event.kind
value: alert
if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)'
- append:
field: event.category
value: intrusion_detection
if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)'
- append:
field: event.type
value:
- info
- denied
- connection
if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)'
- append:
field: event.type
value:
- allowed
- connection
if: '!["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)'
- set:
field: event.action
value: flood_detected
if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP based!"].contains(ctx.juniper?.srx?.attack_name)'
- set:
field: event.action
value: scan_detected
if: "ctx.juniper?.srx?.attack_name == 'TCP port scan!'"
- set:
field: event.action
value: sweep_detected
if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.juniper?.srx?.attack_name)'
- set:
field: event.action
value: fragment_detected
if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.juniper?.srx?.attack_name)'
- set:
field: event.action
value: spoofing_detected
if: "ctx.juniper?.srx?.attack_name == 'IP spoofing!'"
- set:
field: event.action
value: session_limit_detected
if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.juniper?.srx?.attack_name)'
- set:
field: event.action
value: attack_detected
if: '["Land attack!", "WinNuke attack!"].contains(ctx.juniper?.srx?.attack_name)'
- set:
field: event.action
value: illegal_tcp_flag_detected
if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.juniper?.srx?.attack_name)'
- set:
field: event.action
value: tunneling_screen
if: "ctx.juniper?.srx?.attack_name.startsWith('Tunnel')"
####################################
## ECS Server/Destination Mapping ##
####################################
- rename:
field: juniper.srx.destination_address
target_field: destination.ip
ignore_missing: true
if: "ctx.juniper?.srx?.destination_address != null"
- set:
field: server.ip
value: '{{destination.ip}}'
if: "ctx.destination?.ip != null"
- rename:
field: juniper.srx.nat_destination_address
target_field: destination.nat.ip
ignore_missing: true
if: "ctx.juniper?.srx?.nat_destination_address != null"
- convert:
field: juniper.srx.destination_port
target_field: destination.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.destination_port != null"
- set:
field: server.port
value: '{{destination.port}}'
if: "ctx.destination?.port != null"
- convert:
field: server.port
target_field: server.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.server?.port != null"
- convert:
field: juniper.srx.nat_destination_port
target_field: destination.nat.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.nat_destination_port != null"
- set:
field: server.nat.port
value: '{{destination.nat.port}}'
if: "ctx.destination?.nat?.port != null"
- convert:
field: server.nat.port
target_field: server.nat.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.server?.nat?.port != null"
- convert:
field: juniper.srx.bytes_from_server
target_field: destination.bytes
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.bytes_from_server != null"
- set:
field: server.bytes
value: '{{destination.bytes}}'
if: "ctx.destination?.bytes != null"
- convert:
field: server.bytes
target_field: server.bytes
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.server?.bytes != null"
- convert:
field: juniper.srx.packets_from_server
target_field: destination.packets
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.packets_from_server !=null"
- set:
field: server.packets
value: '{{destination.packets}}'
if: "ctx.destination?.packets != null"
- convert:
field: server.packets
target_field: server.packets
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.server?.packets != null"
###############################
## ECS Client/Source Mapping ##
###############################
- rename:
field: juniper.srx.source_address
target_field: source.ip
ignore_missing: true
if: "ctx.juniper?.srx?.source_address != null"
- set:
field: client.ip
value: '{{source.ip}}'
if: "ctx.source?.ip != null"
- rename:
field: juniper.srx.nat_source_address
target_field: source.nat.ip
ignore_missing: true
if: "ctx.juniper?.srx?.nat_source_address != null"
- rename:
field: juniper.srx.sourceip
target_field: source.ip
ignore_missing: true
if: "ctx.juniper?.srx?.sourceip != null"
- convert:
field: juniper.srx.source_port
target_field: source.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.source_port != null"
- set:
field: client.port
value: '{{source.port}}'
if: "ctx.source?.port != null"
- convert:
field: client.port
target_field: client.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.client?.port != null"
- convert:
field: juniper.srx.nat_source_port
target_field: source.nat.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.nat_source_port != null"
- set:
field: client.nat.port
value: '{{source.nat.port}}'
if: "ctx.source?.nat?.port != null"
- convert:
field: client.nat.port
target_field: client.nat.port
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.client?.nat?.port != null"
- convert:
field: juniper.srx.bytes_from_client
target_field: source.bytes
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.bytes_from_client != null"
- set:
field: client.bytes
value: '{{source.bytes}}'
if: "ctx.source?.bytes != null"
- convert:
field: client.bytes
target_field: client.bytes
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.client?.bytes != null"
- convert:
field: juniper.srx.packets_from_client
target_field: source.packets
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.juniper?.srx?.packets_from_client != null"
- set:
field: client.packets
value: '{{source.packets}}'
if: "ctx.source?.packets != null"
- convert:
field: client.packets
target_field: client.packets
type: long
ignore_failure: true
ignore_missing: true
if: "ctx.client?.packets != null"
- rename:
field: juniper.srx.username
target_field: source.user.name
ignore_missing: true
if: "ctx.juniper?.srx?.username != null"
#############################
## ECS Network/Geo Mapping ##
#############################
- rename:
field: juniper.srx.protocol_id
target_field: network.iana_number
ignore_missing: true
if: "ctx.juniper?.srx?.protocol_id != null"
- geoip:
field: source.ip
target_field: source.geo
ignore_missing: true
if: "ctx.source?.geo == null"
- geoip:
field: destination.ip
target_field: destination.geo
ignore_missing: true
if: "ctx.destination?.geo == null"
- geoip:
database_file: GeoLite2-ASN.mmdb
field: source.ip
target_field: source.as
properties:
- asn
- organization_name
ignore_missing: true
- geoip:
database_file: GeoLite2-ASN.mmdb
field: destination.ip
target_field: destination.as
properties:
- asn
- organization_name
ignore_missing: true
- geoip:
field: source.nat.ip
target_field: source.geo
ignore_missing: true
if: "ctx.source?.geo == null"
- geoip:
field: destination.nat.ip
target_field: destination.geo
ignore_missing: true
if: "ctx.destination?.geo == null"
- geoip:
database_file: GeoLite2-ASN.mmdb
field: source.nat.ip
target_field: source.as
properties:
- asn
- organization_name
ignore_missing: true
if: "ctx.source?.as == null"
- geoip:
database_file: GeoLite2-ASN.mmdb
field: destination.nat.ip
target_field: destination.as
properties:
- asn
- organization_name
ignore_missing: true
if: "ctx.destination?.as == null"
- rename:
field: source.as.asn
target_field: source.as.number
ignore_missing: true
- rename:
field: source.as.organization_name
target_field: source.as.organization.name
ignore_missing: true
- rename:
field: destination.as.asn
target_field: destination.as.number
ignore_missing: true
- rename:
field: destination.as.organization_name
target_field: destination.as.organization.name
ignore_missing: true
#############
## Cleanup ##
#############
- remove:
field:
- juniper.srx.destination_port
- juniper.srx.nat_destination_port
- juniper.srx.bytes_from_client
- juniper.srx.packets_from_client
- juniper.srx.source_port
- juniper.srx.nat_source_port
- juniper.srx.bytes_from_server
- juniper.srx.packets_from_server
ignore_missing: true
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'