diff --git a/salt/common/init.sls b/salt/common/init.sls
index 74256dabb..3ba2f1b11 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,3 +1,5 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
# Add socore Group
socoregroup:
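Review bot: The `'1.1.4'` default on the new `VERSION` line is duplicated verbatim into every other sls in this commit (curator, elastalert, elasticsearch, filebeat, fleet, hive, idstools, kibana, logstash, master, mysql, pcap, redis, sensoroni, soctopus, suricata), so the next bump touches all of them and a missed file silently pins an older image. Consider moving both `set` lines into one shared include (e.g. a map file each state imports) so the default lives in one place. Also, the `master` grain is a list when a minion is configured with several masters; if that is possible here, `{{ MASTER }}` would render as a Python list inside the image reference, so either document the single-master assumption, e.g. `# assumes a single master; the master grain is used as the registry host`, or normalise it before use.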
@@ -114,16 +116,9 @@ nginxtmp:
- group: 939
- makedirs: True
-# Start the core docker
-so-coreimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-core:HH1.1.3
-
so-core:
docker_container.running:
- - require:
- - so-coreimage
- - image: docker.io/soshybridhunter/so-core:HH1.1.3
+ - image: {{ MASTER }}:5000/soshybridhunter/so-core:HH{{ VERSION }}
- hostname: so-core
- user: socore
- binds:
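Review bot: Removing the `docker pull --disable-content-trust=false` step drops the only image signature check these states had, and the new `{{ MASTER }}:5000/...` reference adds none, so image integrity now rests entirely on the registry's transport and access control, which this diff does not show; a comment on the image line such as `# pulled from the master's registry; Docker Content Trust is no longer enforced here` would make that explicit. The registry address is also inconsistent: so-core and so-grafana use `{{ MASTER }}:5000/`, while so-telegraf and so-influxdb in this same file (and elasticsearch, filebeat, fleet, idstools, kibana, logstash, playbook, sensoroni, suricata) use `{{ MASTER }}/`, which Docker resolves to the default port rather than 5000, so unless both endpoints serve the registry some of these pulls will fail. Pick one form across all files. Finally, `docker_container.running` only pulls a tag that is absent locally, so the old per-run refresh of a mutable `HH{{ VERSION }}` tag is lost; if that refresh was relied on, add a `docker_image.present` state with `force: True` or pin by digest.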
@@ -175,15 +170,9 @@ tgrafconf:
- template: jinja
- source: salt://common/telegraf/etc/telegraf.conf
-so-telegrafimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-telegraf:HH1.1.0
-
so-telegraf:
docker_container.running:
- - require:
- - so-telegrafimage
- - image: docker.io/soshybridhunter/so-telegraf:HH1.1.0
+ - image: {{ MASTER }}/soshybridhunter/so-telegraf:HH{{ VERSION }}
- environment:
- HOST_PROC=/host/proc
- HOST_ETC=/host/etc
@@ -236,15 +225,9 @@ influxdbconf:
- template: jinja
- source: salt://common/influxdb/etc/influxdb.conf
-so-influximage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-influxdb:HH1.1.0
-
so-influxdb:
docker_container.running:
- - require:
- - so-influximage
- - image: docker.io/soshybridhunter/so-influxdb:HH1.1.0
+ - image: {{ MASTER }}/soshybridhunter/so-influxdb:HH{{ VERSION }}
- hostname: influxdb
- environment:
- INFLUXDB_HTTP_LOG_ENABLED=false
@@ -400,14 +383,9 @@ dashboard-{{ SN }}:
{% endfor %}
{% endif %}
-# Install the docker. This needs to be behind nginx at some point
-so-grafanaimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-grafana:HH1.1.0
-
so-grafana:
docker_container.running:
- - image: docker.io/soshybridhunter/so-grafana:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:HH{{ VERSION }}
- hostname: grafana
- user: socore
- binds:
diff --git a/salt/curator/init.sls b/salt/curator/init.sls
index 74dd47a99..f846ff8ae 100644
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -1,3 +1,5 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{% if grains['role'] == 'so-node' or grains['role'] == 'so-eval' %}
# Curator
# Create the group
@@ -112,15 +114,9 @@ curdel:
- month: '*'
- dayweek: '*'
-so-curatorimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-curator:HH1.1.0
-
so-curator:
docker_container.running:
- - require:
- - so-curatorimage
- - image: docker.io/soshybridhunter/so-curator:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-curator:HH{{ VERSION }}
- hostname: curator
- name: so-curator
- user: curator
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 999bbbd91..c5ba0d21b 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{% if grains['role'] == 'so-master' %}
{% set esalert = salt['pillar.get']('master:elastalert', '1') %}
@@ -109,15 +110,9 @@ elastaconf:
- group: 939
- template: jinja
-so-elastalertimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-elastalert:HH1.1.1
-
so-elastalert:
docker_container.running:
- - require:
- - so-elastalertimage
- - image: docker.io/soshybridhunter/so-elastalert:HH1.1.1
+ - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:HH{{ VERSION }}
- hostname: elastalert
- name: so-elastalert
- user: elastalert
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 6036d5da8..aba6fd384 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -12,6 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{% if grains['role'] == 'so-master' %}
{% set esclustername = salt['pillar.get']('master:esclustername', '') %}
@@ -104,15 +106,9 @@ eslogdir:
- group: 939
- makedirs: True
-so-elasticsearchimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-elasticsearch:HH1.1.0
-
so-elasticsearch:
docker_container.running:
- - require:
- - so-elasticsearchimage
- - image: docker.io/soshybridhunter/so-elasticsearch:HH1.1.0
+ - image: {{ MASTER }}/soshybridhunter/so-elasticsearch:HH{{ VERSION }}
- hostname: elasticsearch
- name: so-elasticsearch
- user: elasticsearch
@@ -146,91 +142,3 @@ so-elasticsearch-pipelines-file:
so-elasticsearch-pipelines:
cmd.run:
- name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }}
-
-# Tell the main cluster I am here
-#curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}'
-
-# See if Freqserver is enabled
-{% if freq == 1 %}
-
-# Create the user
-fservergroup:
- group.present:
- - name: freqserver
- - gid: 935
-
-# Add ES user
-freqserver:
- user.present:
- - uid: 935
- - gid: 935
- - home: /opt/so/conf/freqserver
- - createhome: False
-
-# Create the log directory
-freqlogdir:
- file.directory:
- - name: /opt/so/log/freq_server
- - user: 935
- - group: 935
- - makedirs: True
-
-so-freqimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3
-
-so-freq:
- docker_container.running:
- - require:
- - so-freqimage
- - image: docker.io/soshybridhunter/so-freqserver:HH1.0.3
- - hostname: freqserver
- - name: so-freqserver
- - user: freqserver
- - binds:
- - /opt/so/log/freq_server:/var/log/freq_server:rw
-
-
-{% endif %}
-
-{% if dstats == 1 %}
-
-# Create the group
-dstatsgroup:
- group.present:
- - name: domainstats
- - gid: 936
-
-# Add user
-domainstats:
- user.present:
- - uid: 936
- - gid: 936
- - home: /opt/so/conf/domainstats
- - createhome: False
-
-# Create the log directory
-dstatslogdir:
- file.directory:
- - name: /opt/so/log/domainstats
- - user: 936
- - group: 939
- - makedirs: True
-
-so-domainstatsimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3
-
-so-domainstats:
- docker_container.running:
- - require:
- - so-domainstatsimage
- - image: docker.io/soshybridhunter/so-domainstats:HH1.0.3
- - hostname: domainstats
- - name: so-domainstats
- - user: domainstats
- - binds:
- - /opt/so/log/domainstats:/var/log/domain_stats
-
-
-{% endif %}
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index fce1c6b38..e4b11ef3c 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-{%- set MASTER = grains['master'] %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
# Filebeat Setup
@@ -46,25 +47,9 @@ filebeatconfsync:
- group: 0
- template: jinja
-#filebeatcrt:
-# file.managed:
-# - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
-# - source: salt://filebeat/files/filebeat.crt
-
-#filebeatkey:
-# file.managed:
-# - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-# - source: salt://filebeat/files/filebeat.key
-
-so-filebeatimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-filebeat:HH1.1.1
-
so-filebeat:
docker_container.running:
- - require:
- - so-filebeatimage
- - image: docker.io/soshybridhunter/so-filebeat:HH1.1.1
+ - image: {{ MASTER }}/soshybridhunter/so-filebeat:HH{{ VERSION }}
- hostname: so-filebeat
- user: root
- extra_hosts: {{ MASTER }}:{{ MASTERIP }}
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls
index 917ee541e..1cf42a9a6 100644
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -1,6 +1,8 @@
{%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
{%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') -%}
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Fleet Setup
fleetcdir:
@@ -59,15 +61,9 @@ fleetdbpriv:
- user: fleetdbuser
- host: 172.17.0.0/255.255.0.0
-so-fleetimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-fleet:HH1.1.3
-
so-fleet:
docker_container.running:
- - require:
- - so-fleetimage
- - image: docker.io/soshybridhunter/so-fleet:HH1.1.3
+ - image: {{ MASTER }}/soshybridhunter/so-fleet:HH{{ VERSION }}
- hostname: so-fleet
- port_bindings:
- 0.0.0.0:8080:8080
diff --git a/salt/hive/init.sls b/salt/hive/init.sls
index 73b29b501..9bde4065f 100644
--- a/salt/hive/init.sls
+++ b/salt/hive/init.sls
@@ -1,4 +1,6 @@
{% set MASTERIP = salt['pillar.get']('master:mainip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
hiveconfdir:
file.directory:
- name: /opt/so/conf/hive/etc
@@ -53,15 +55,9 @@ hiveesdata:
- user: 939
- group: 939
-so-thehive-esimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-thehive-es:HH1.1.1
-
so-thehive-es:
docker_container.running:
- - require:
- - so-thehive-esimage
- - image: docker.io/soshybridhunter/so-thehive-es:HH1.1.1
+ - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:HH{{ VERSION }}
- hostname: so-thehive-es
- name: so-thehive-es
- user: 939
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index 9ec6f53f7..bba867c83 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# IDSTools Setup
idstoolsdir:
file.directory:
@@ -61,15 +62,9 @@ ruleslink:
- name: /opt/so/saltstack/salt/suricata/rules
- target: /opt/so/rules/nids
-so-idstoolsimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-idstools:HH1.1.0
-
so-idstools:
docker_container.running:
- - require:
- - so-idstoolsimage
- - image: docker.io/soshybridhunter/so-idstools:HH1.1.0
+ - image: {{ MASTER }}/soshybridhunter/so-idstools:HH{{ VERSION }}
- hostname: so-idstools
- user: socore
- binds:
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 0d6262600..840986ff3 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -1,4 +1,5 @@
-{% set master = salt['grains.get']('master') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Add ES Group
kibanasearchgroup:
@@ -52,25 +53,17 @@ synckibanacustom:
- user: 932
- group: 939
-# File.Recurse for custom saved dashboards
-
-so-kibanaimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-kibana:HH1.1.1
-
# Start the kibana docker
so-kibana:
docker_container.running:
- - require:
- - so-kibanaimage
- - image: docker.io/soshybridhunter/so-kibana:HH1.1.1
+ - image: {{ MASTER }}/soshybridhunter/so-kibana:HH{{ VERSION }}
- hostname: kibana
- user: kibana
- environment:
- KIBANA_DEFAULTAPPID=dashboard/94b52620-342a-11e7-9d52-4f090484f59e
- - ELASTICSEARCH_HOST={{ master }}
+ - ELASTICSEARCH_HOST={{ MASTER }}
- ELASTICSEARCH_PORT=9200
- - MASTER={{ master }}
+ - MASTER={{ MASTER }}
- binds:
- /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw
- /opt/so/log/kibana:/var/log/kibana:rw
@@ -78,11 +71,3 @@ so-kibana:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- port_bindings:
- 0.0.0.0:5601:5601
-
-# Keep the setting correct
-#KibanaHappy:
-# cmd.script:
-# - shell: /bin/bash
-# - runas: socore
-# - source: salt://kibana/bin/keepkibanahappy.sh
-# - template: jinja
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index c2b80346f..88aac08d6 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Logstash Section - Decide which pillar to use
{% if grains['role'] == 'so-sensor' %}
@@ -152,16 +153,9 @@ lslogdir:
- group: 939
- makedirs: True
-# Add the container
-so-logstashimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-logstash:HH1.1.1
-
so-logstash:
docker_container.running:
- - require:
- - so-logstashimage
- - image: docker.io/soshybridhunter/so-logstash:HH1.1.1
+ - image: {{ MASTER }}/soshybridhunter/so-logstash:HH{{ VERSION }}
- hostname: so-logstash
- name: so-logstash
- user: logstash
diff --git a/salt/master/init.sls b/salt/master/init.sls
index 8bd4d3d3c..f6ad5d70a 100644
--- a/salt/master/init.sls
+++ b/salt/master/init.sls
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
{% set masterproxy = salt['pillar.get']('static:masterupdate', '0') %}
{% if masterproxy == 1 %}
@@ -55,16 +56,10 @@ acngcopyconf:
- name: /opt/so/conf/aptcacher-ng/etc/acng.conf
- source: salt://master/files/acng/acng.conf
-so-acngimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-acng:HH1.1.0
-
# Install the apt-cacher-ng container
so-aptcacherng:
docker_container.running:
- - require:
- - so-acngimage
- - image: docker.io/soshybridhunter/so-acng:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-acng:HH{{ VERSION }}
- hostname: so-acng
- port_bindings:
- 0.0.0.0:3142:3142
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index a0136ae9b..b964d7d37 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -1,6 +1,8 @@
{%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %}
{%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') %}
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# MySQL Setup
mysqlpkgs:
pkg.installed:
@@ -48,15 +50,9 @@ mysqldatadir:
- group: 939
- makedirs: True
-so-mysqlimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-mysql:HH1.1.0
-
so-mysql:
docker_container.running:
- - require:
- - so-mysqlimage
- - image: docker.io/soshybridhunter/so-mysql:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:HH{{ VERSION }}
- hostname: so-mysql
- user: socore
- port_bindings:
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index a49dc00e3..f5a4e4924 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -1,4 +1,4 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -12,7 +12,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# PCAP Section
# Create the logstash group
@@ -94,15 +95,9 @@ stenolog:
- group: 941
- makedirs: True
-so-stenoimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-steno:HH1.1.3
-
so-steno:
docker_container.running:
- - require:
- - so-stenoimage
- - image: docker.io/soshybridhunter/so-steno:HH1.1.3
+ - image: {{ MASTER }}:5000/soshybridhunter/so-steno:HH{{ VERSION }}
- network_mode: host
- privileged: True
- port_bindings:
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index 770316ab9..6a129f84b 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -24,15 +24,9 @@ navigatorconfig:
- makedirs: True
- template: jinja
-so-playbookimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-playbook:HH1.1.3
-
so-playbook:
docker_container.running:
- - require:
- - so-playbookimage
- - image: docker.io/soshybridhunter/so-playbook:HH1.1.3
+ - image: {{ MASTER }}/soshybridhunter/so-playbook:HH{{ VERSION }}
- hostname: playbook
- name: so-playbook
- binds:
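Review bot: `{{ MASTER }}` and `{{ VERSION }}` are used on the new image line, but unlike every other file in this commit no `{% set %}` for them is added to salt/playbook/init.sls — this first hunk starts at line 24 with no offset, so nothing was inserted above it. Unless both names are already defined earlier in the file (not visible here), Salt's Jinja renderer, which as far as I know uses strict undefined by default, will fail to render the whole state. The so-navigator image in the next hunk has the same dependency.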
@@ -40,15 +34,9 @@ so-playbook:
- port_bindings:
- 0.0.0.0:3200:3000
-so-navigatorimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-navigator:HH1.1.1
-
so-navigator:
docker_container.running:
- - require:
- - so-navigatorimage
- - image: docker.io/soshybridhunter/so-navigator:HH1.1.1
+ - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:HH{{ VERSION }}
- hostname: navigator
- name: so-navigator
- binds:
@@ -56,7 +44,7 @@ so-navigator:
- /opt/so/conf/playbook/nav_layer_playbook.json:/nav-app/src/assets/playbook.json:ro
- port_bindings:
- 0.0.0.0:4200:4200
-
+
/usr/sbin/so-playbook-sync:
cron.present:
- identifier: so-playbook-sync
diff --git a/salt/redis/init.sls b/salt/redis/init.sls
index 18178ce3b..690f2a7c9 100644
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
@@ -1,4 +1,4 @@
-# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -13,6 +13,8 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
{% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Redis Setup
redisconfdir:
@@ -44,15 +46,9 @@ redisconfsync:
- group: 939
- template: jinja
-so-redisimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-redis:HH1.1.0
-
so-redis:
docker_container.running:
- - require:
- - so-redisimage
- - image: docker.io/soshybridhunter/so-redis:HH1.1.0
+ - image: {{ MASTER }}:5000/soshybridhunter/so-redis:HH{{ VERSION }}
- hostname: so-redis
- user: socore
- port_bindings:
diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls
index 19fcd8b4a..8339c3ba2 100644
--- a/salt/sensoroni/init.sls
+++ b/salt/sensoroni/init.sls
@@ -1,3 +1,6 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
sensoronidir:
file.directory:
- name: /opt/so/conf/sensoroni
@@ -27,15 +30,9 @@ sensoronisync:
- group: 939
- template: jinja
-so-sensoroniimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-sensoroni:HH1.1.3
-
so-sensoroni:
docker_container.running:
- - require:
- - so-sensoroniimage
- - image: docker.io/soshybridhunter/so-sensoroni:HH1.1.3
+ - image: {{ MASTER }}/soshybridhunter/so-sensoroni:HH{{ VERSION }}
- hostname: sensoroni
- name: so-sensoroni
- binds:
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index 578789a76..d03ed9f04 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -1,3 +1,6 @@
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
+
soctopusdir:
file.directory:
- name: /opt/so/conf/soctopus
@@ -44,15 +47,9 @@ navigatordefaultlayer:
- replace: False
- template: jinja
-so-soctopusimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-soctopus:HH1.1.3
-
so-soctopus:
docker_container.running:
- - require:
- - so-soctopusimage
- - image: docker.io/soshybridhunter/so-soctopus:HH1.1.3
+ - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:HH{{ VERSION }}
- hostname: soctopus
- name: so-soctopus
- binds:
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index a30010d5e..cf821ac47 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -14,7 +14,9 @@
# along with this program. If not, see .
{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{% set BROVER = salt['pillar.get']('static:broversion', '') %}
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Suricata
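Review bot: The `BROVER` default changes from `'COMMUNITY'` to `''` on the new line, which is unrelated to the registry/version change this commit makes and alters behaviour for any minion whose pillar lacks `static:broversion`; any template logic that branches on `BROVER == 'COMMUNITY'` would now take the other path. If the empty default is intentional, state it, e.g. `# static:broversion is expected from pillar; empty means no version selected`, otherwise keep the previous default. The dropped `{%-` whitespace control on that line only affects blank lines in the rendered YAML and is harmless.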
@@ -70,15 +72,9 @@ suriconfigsync:
- group: 940
- template: jinja
-so-suricataimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-suricata:HH1.1.1
-
so-suricata:
docker_container.running:
- - require:
- - so-suricataimage
- - image: docker.io/soshybridhunter/so-suricata:HH1.1.1
+ - image: {{ MASTER }}/soshybridhunter/so-suricata:HH{{ VERSION }}
- privileged: True
- environment:
- INTERFACE={{ interface }}
diff --git a/salt/syslog-ng/files/patterndb.xml b/salt/syslog-ng/files/patterndb.xml
deleted file mode 100644
index a1b3cdad4..000000000
--- a/salt/syslog-ng/files/patterndb.xml
+++ /dev/null
@@ -1,2333 +0,0 @@
-
-
- %FWSM
-
-
-
- Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@
- Deny @ESTRING:: @@ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@
- Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@
-
-
-
- Deny inbound tcp src OUTSIDE:2.116.180.66/3116 dst INSIDE:10.0.0.0/445
-
- tcp
- OUTSIDE
- 2.116.180.66
- 3116
- INSIDE
- 10.0.0.0
- 445
-
-
-
-
-
-
- Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@
-
-
-
-
- @IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@@ANYSTRING:s2:@
- @IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@
- Access denied URL @ESTRING::/@/@ESTRING:s1:/@@ESTRING:s2: @SRC @IPv4:i0:@ DEST @IPv4:i1:@ on interface
-
-
-
- 192.168.1.1 Accessed URL 10.0.0.0:http://www.example.com/wp-content/plugins/wp-spamfree/img/wpsf-img.php
-
- 192.168.1.1
- 10.0.0.0
- www.example.com
- wp-content/plugins/wp-spamfree/img/wpsf-img.php
-
-
-
- Access denied URL http://www.example.com/feedout/content SRC 192.168.1.1 DEST 72.246.55.49 on interface inside
-
- www.example.com
- feedout/content
- 192.168.1.1
- 72.246.55.49
-
-
-
-
-
-
- Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@
-
-
-
- Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service
- 10.245.102.86
- Produccion
- pepe
-
-
- Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested
- 10.229.201.171
- Acceso
- juan
-
-
-
-
-
-
- %ASA
-
-
-
- Inbound @ESTRING:i0: @connection denied from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @@ESTRING::interface @@ANYSTRING:s0:@
- Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@
- Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@ by access-group @ESTRING:s2: @
- Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@ESTRING::/@@NUMBER:i4:@ by access-group @ESTRING:s2: @
- Deny @ESTRING:i0: @src @ESTRING:s0::@@ESTRING::/@@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@ by access-group @ESTRING:s2: @
- Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@ dst @ESTRING:s1::@@IPv4:i3:@ (type @NUMBER::@, code @NUMBER::@) by access-group @ESTRING:s2: @
- Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@
- Deny @ESTRING:i0: @@ESTRING::from @@ESTRING:s0:-@@ESTRING:i1:-@@ESTRING::/@@ESTRING:i2: @to @ESTRING:s1:-@@ESTRING:i3:-@@ESTRING::/@@ESTRING:i4: @
- Deny inbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@
- Deny outbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@
- Deny IP spoof @ESTRING::to @@ESTRING:i3: @on interface @ANYSTRING:s0:@
- Deny inbound @ESTRING:i0: @src @ESTRING:s0::@@ESTRING:i1: @dst @ESTRING:s1::@@ESTRING:i3: @
- Deny @ESTRING:i0: @@ESTRING::from @@ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @@ESTRING::interface @@ANYSTRING:s0:@
- Deny IP from @ESTRING:i1: @to @ESTRING:i3: @
- @ESTRING:i0: @access discarded from @ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s0::@@ESTRING:i3:/@
-
-
-
-
- Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@
- access-list @ESTRING:: @permitted @ESTRING:i0: @@ESTRING:s0:/@@ESTRING:i1:(@@NUMBER:i2:@) -> @ESTRING:s1:/@@ESTRING:i3:(@@NUMBER:i4:@) hit-cnt @NUMBER:i5:@
- @ESTRING:i0: @access permitted from @ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s0::@@ESTRING:i3:/@
-
-
-
- access-list access_out permitted tcp INSIDE/10.221.221.21(52427) -> OUTSIDE/10.222.222.22(80) hit-cnt 1 first hit [0x487d4278, 0x0]
- tcp
- 10.221.221.21
- 52427
- 10.222.222.22
- 80
- 1
- INSIDE
- OUTSIDE
-
-
- Built inbound TCP connection 740617324 for inside:10.21.21.221/4087 (10.21.21.221/4087) to CWWAN:172.17.6.80/8192 (172.17.6.80/8192)
- tcp
- 10.221.221.21
- 4087
- 172.17.6.80
- 8192
- INSIDE
- OUTSIDE
-
-
-
-
-
- @IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@@ANYSTRING:s2:@
- @IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@
- Access denied URL @ESTRING::/@/@ESTRING:s1:/@@ESTRING:s2: @SRC @IPv4:i0:@ DEST @IPv4:i1:@ on interface
-
-
-
- 192.168.1.1 Accessed URL 10.0.0.0:http://www.example.com/wp-content/plugins/wp-spamfree/img/wpsf-img.php
-
- 192.168.1.1
- 10.0.0.0
- www.example.com
- wp-content/plugins/wp-spamfree/img/wpsf-img.php
-
-
-
- Access denied URL http://www.example.com/feedout/content SRC 192.168.1.1 DEST 72.246.55.49 on interface inside
-
- www.example.com
- feedout/content
- 192.168.1.1
- 72.246.55.49
-
-
-
-
-
-
- Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@
-
-
-
- Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service
- 10.245.102.86
- Produccion
- pepe
-
-
- Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested
- 10.229.201.171
- Acceso
- juan
-
-
-
-
-
- FTP connection from @ESTRING:s0::@@ESTRING:i0:/@@NUMBER:i1:@ to @ESTRING:s1::@@ESTRING:i2:/@@NUMBER:i3:@, user @ESTRING:s2: @@ESTRING:s3: @@ANYSTRING:s4:@
-
-
-
-
- Cleared @ESTRING:i0: @urgent flag from @ESTRING:s0::@@ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s1::@@ESTRING:i3:/@@NUMBER:i4:@
- regular translation creation failed for @ESTRING:i0: @src @ESTRING:s0::@@ESTRING:i1: @dst @ESTRING:s1::@@ESTRING:i3: @(type @NUMBER:i2:@, code @NUMBER:i4:@
-
-
-
-
-
- %PIX
-
-
-
- Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@
- Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@
-
-
-
-
- Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@
-
-
-
- Teardown TCP connection 2050472353 for outside:10.65.200.34/1252 to inside:10.0.0.0/135 duration 0:00:00 bytes 1476 TCP FINs
-
- TCP
- outside
- 10.65.200.34
- 1252
- inside
- 10.0.0.0
- 135
- 0:00:00
- 1476
-
-
-
-
-
-
- Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@
-
-
-
- Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service
- 10.245.102.86
- Produccion
- pepe
-
-
- Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested
- 10.229.201.171
- Acceso
- juan
-
-
-
-
-
-
- %IOSXE-6-PLATFORM
-
-
-
- @ESTRING::%NAT-6-LOG_TRANSLATION: Created Translation @@ESTRING:i0: @@IPv4:i1:@:@NUMBER:i2:@ @IPv4::@:@NUMBER::@ @IPv4::@:@NUMBER::@ @IPv4:i3:@:@NUMBER:i4:@
-
-
-
- F0: cpp_cp: QFP:0.0 Thread:031 TS:00000428205839105179 %NAT-6-LOG_TRANSLATION: Created Translation TCP 1.1.1.1:4227 1.1.1.1:1043 2.2.2.2:80 2.2.2.2:80 0
-
- TCP
- 1.1.1.1
- 4227
- 2.2.2.2
- 80
-
-
-
-
-
-
-
- %SEC-6-IPACCESSLOGS
-
-
-
- list @ESTRING::denied @@IPv4:i3:@
-
-
-
- list REMOTE-MGMT denied 1.1.1.1 1 packet [0x7EAD30FB]
-
- 1.1.1.1
-
-
-
-
-
-
-
- %FMANFP-6-IPACCESSLOGP
-
-
-
- F@ESTRING::denied @@ESTRING:i0: @@IPv4:i1:@(@NUMBER:i2:@) -> @IPv4:i3:@(@NUMBER:i4:@
-
-
-
- F0: fman_fp_image: list IPV4-INTERNET-OUTBOUND denied udp 1.1.1.1(49610) -> 2.2.2.2(53), 1 packet
-
- udp
- 1.1.1.1
- 49610
- 2.2.2.2
- 53
-
-
-
-
-
-
-
- %FMANFP-6-IPV6ACCESSLOGP
-
-
-
- F@ESTRING::denied @@ESTRING:i0: @@ESTRING:s0:(@@NUMBER:i2:@) -> @ESTRING:s1:(@@NUMBER:i4:@
-
-
-
- F0: fman_fp_image: list IPV6-INTERNET-INBOUND denied udp ffe:4e0::(38346) -> ffe:4e0::(40322), 1 packet
-
- udp
- ffe:4e0::
- 38346
- ffe:4e0::
- 40322
-
-
-
-
-
-
-
- MSWinEventLog
- Application
- Security
- System
-
-
-
- @ESTRING::|@@ESTRING:i0:|@@ESTRING::Account Name@: @ESTRING:s1: @@ESTRING::Account Domain@: @ESTRING:s2: @
- @STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@ @ESTRING:i0: @@ESTRING:s0: @@ESTRING:s1: @@ESTRING:s2: @@ESTRING:s3: @@ESTRING:s4: @@ESTRING:s5: @@ESTRING:: @@ESTRING:: @
- @STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@|Logon Failure:@ESTRING:: @Reason: @ESTRING:s2: @User Name: @ESTRING:s1: @
- @STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING::|@@ESTRING::|@
- @STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING@
-
-
-
-
-
- Application
- Security
- System
-
-
-
- @NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@ @ESTRING:s4: Access Request Information:@
- @NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@
- @NUMBER:i0:@: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: @Account Domain: @ESTRING:s2: @Logon ID: @ESTRING:: @Network Information: Object Type: File Source Address: @ESTRING:i1: @Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: @Share Path: @ESTRING:s4: @Relative Target Name: @ESTRING:s5: @Access
- @NUMBER:i0:@: @ESTRING::.@ Client IP address: @IPv4:s0::@
- @NUMBER:i0:@: @ESTRING:s0::@
- @NUMBER:i0:@: @ANYSTRING::@
-
-
-
- 7035: NT AUTHORITYSYSTEM: The COH_Mon service was successfully sent a start control.
-
- 7035
- NT AUTHORITYSYSTEM
-
-
-
- 1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".
- 1202
- Security policies were propagated with warning. 0x4b8
-
-
-
-
-
-
-
-
-
-
- @NUMBER:i0:@: @ESTRING::Account Name@@ESTRING::Account Name@: @ESTRING:s1: @@ESTRING::Account Domain@: @ESTRING:s2: @@ESTRING::Source Network Address@: @IPv4:i1:@
- @NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@ @ESTRING:s4: Access Request Information:@
- @NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@
- @NUMBER:i0:@: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: @Account Domain: @ESTRING:s2: @Logon ID: @ESTRING:: @Network Information: Object Type: File Source Address: @ESTRING:i1: @Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: @Share Path: @ESTRING:s4: @Relative Target Name: @ESTRING:s5: @Access
- @NUMBER:i0:@: @ESTRING::.@ Client IP address: @IPv4:s0::@
- @NUMBER:i0:@: @ESTRING:s0::@
- @NUMBER:i0:@: @ANYSTRING::@
-
-
-
- 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: MYDOMAIN-DC-1$ Account Domain: MYDOMAIN Logon ID: 0x3e7 Logon Type: 3 New Logon: Security ID: S-1-5-21-3113823999-9998615402-9997257512-9966 Account Name: myuser Account Domain: MYDOMAIN Logon ID: 0x2339f787 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\\Windows\\System32\\lsass.exe Network Information: Workstation Name: MYDOMAIN-DC-1 Source Network Address: 172.24.248.117 Source Port: 54265 Detailed Authentication Information: Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
-
- 4624
- myuser
- MYDOMAIN
- 172.24.248.117
-
-
-
- 7035: NT AUTHORITYSYSTEM: The COH_Mon service was successfully sent a start control.
-
- 7035
- NT AUTHORITYSYSTEM
-
-
-
- 1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".
- 1202
- Security policies were propagated with warning. 0x4b8
-
-
- 5140: A network share object was accessed. Subject: Security ID: S-1-5-18 Account Name: MYUSER Account Domain: MYDOMAIN Logon ID: 0x3e7 Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 49206 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)
- 5140
- MYUSER
- MYDOMAIN
- 192.168.148.5
- \\*\ADMIN$
- \??\C:\Windows
-
-
- 5140: A network share object was accessed. Subject: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1e05bb9b Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 65518 Share Information: Share Name: \\\\*\\IPC$ Share Path: Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)
- 5140
- ANONYMOUS LOGON
- NT AUTHORITY
- 192.168.148.5
- \\\\*\\IPC$
-
-
- 5145: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-518783779-1162290680-929701000-2097 Account Name: MYUSER Account Domain: MYDOMAIN Logon ID: 0x19789189 Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 4235 Share Information: Share Name: \\*\SHARE_NAME Share Path: \??\C:\SHARE_PATH Relative Target Name: MYFILE Access Request Information: Access Mask: 0x80 Accesses: ReadAttributes Access Check Results: ReadAttributes: Granted by D:(A;;FA;;;WD)
- 5145
- MYUSER
- MYDOMAIN
- 192.168.148.5
- \\*\SHARE_NAME
- \??\C:\SHARE_PATH
- MYFILE
-
-
-
-
-
-
- GenericLog
-
-
-
- @NUMBER::@,@ANYSTRING::@
-
- 0
- dhcplog
- dhcplog
-
-
-
-
-
- 30,11/16/10,12:25:04,DNS Update Request,x.x.x.x,hostname,,
- 0
- dhcplog
- dhcplog
-
-
- 11,11/16/10,12:25:04,Renew,x.x.x.x,hostname,macaddr,
- 0
- dhcplog
- dhcplog
-
-
-
- 4
-
-
-
-
-
-
-
- @ESTRING::Event ID@: @NUMBER:i0:@ <Data Name='TargetUserName'>@ESTRING:s0:<@
- @ESTRING::Event ID@: @NUMBER:i0:@
-
-
- Mar 9 22:35:10 IU-MSSG-ADSDC01.domain Event ID: 5157 <Data Name='ProcessID'>180</Data><Data Name='Application'>\device\harddiskvolume2\windows\system32\svchost.exe</Data><Data Name='Direction'>%14592</Data><Data Name='SourceAddress'>10.68.239.128</Data><Data Name='SourcePort'>500</Data><Data Name='DestAddress'>10.166.175.52</Data><Data Name='DestPort'>500</Data><Data Name='Protocol'>17</Data><Data Name='FilterRTID'>73486</Data><Data Name='LayerName'>%14610</Data><Data Name='LayerRTID'>44</Data><Data Name='RemoteUserID'>S-1-0-0</Data><Data Name='RemoteMachineID'>S-1-0-0</Data>
- 5157
-
-
- Mar 9 22:35:10 IU-MSSG-ADSDC04.domain Event ID: 4769 <Data Name='TargetUserName'>user@domain</Data><Data Name='TargetDomainName'>domain</Data><Data Name='ServiceName'>IU-MSSG-ADSDC04$</Data><Data Name='ServiceSid'>S-1-5-21-1085031214-1292428093-527237240-496356</Data><Data Name='TicketOptions'>0x40810000</Data><Data Name='TicketEncryptionType'>0x12</Data><Data Name='IpAddress'>::ffff:10.160.118.87</Data><Data Name='IpPort'>54144</Data><Data Name='Status'>0x0</Data><Data Name='LogonGuid'>{CD66EF59-4404-F056-C1CC-5E12BE6B978E}</Data><Data Name='TransmittedServices'>-</Data>
- 4769
- user@domain
-
-
-
-
-
-
-
- url
-
-
-
-
-
-
- @IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|@NUMBER:i4:@
- @IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@|@NUMBER:i4:@
- @IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@
- @IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@NUMBER:i5@
- @IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|@NUMBER:i4:@
- @IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@|@NUMBER:i4:@
- @IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|
- @IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@
-
- @ESTRING:: @@ESTRING:s1: [**] @@ESTRING:s2: [**] @@ESTRING:s4: [**] @@IPv4:i0:@:@NUMBER:i1:@ -> @IPv4:i2:@:@NUMBER:i3:@
-
- @ESTRING:: @@ESTRING:s1: [**] @@ESTRING:s2: [**] @@ESTRING:s4: [**] @@ESTRING:s3: [**] @@ESTRING:s0: [**] @@ESTRING:: [**] @@ESTRING:i2: [**] @@NUMBER:i3:@ bytes [**] @IPv4:i0:@:@NUMBER:i4:@ -> @IPv4:i1:@:@NUMBER:i5:@
-
- @IPv4:i0:@ @ESTRING:: @@ESTRING:s5: @@ESTRING:: "@@ESTRING:s0: @@ESTRING:s2: @HTTP/1.@NUMBER::@" @NUMBER:i2:@ @NUMBER:i3:@ @QSTRING:s3:"@ @QSTRING:s4:"@
-
- @ESTRING:s1: @@IPv4:i0:@ @ESTRING:: @@ESTRING:s5: @@ESTRING:: "@@ESTRING:s0: @@ESTRING:s2: @HTTP/1.@NUMBER::@" @NUMBER:i2:@ @NUMBER:i3:@ @QSTRING:s3:"@ @QSTRING:s4:"@
-
-
-
- 192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200|46142|8583
-
- 192.168.1.1
- 10.0.0.0
- GET
- ajax.googleapis.com
- /ajax/libs/jqueryui/1.7.2/jquery-ui.min.js
- http://slickdeals.net/
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- ,com,googleapis.com,ajax.googleapis.com
- 200
- 46142
- 8583
-
-
-
- 192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200||8583
-
- 192.168.1.1
- 10.0.0.0
- GET
- ajax.googleapis.com
- /ajax/libs/jqueryui/1.7.2/jquery-ui.min.js
- http://slickdeals.net/
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- ,com,googleapis.com,ajax.googleapis.com
- 200
-
- 8583
-
-
-
- 192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200||
-
- 192.168.1.1
- 10.0.0.0
- GET
- ajax.googleapis.com
- /ajax/libs/jqueryui/1.7.2/jquery-ui.min.js
- http://slickdeals.net/
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- ,com,googleapis.com,ajax.googleapis.com
- 200
-
-
-
-
-
- 127.0.0.1 - - [09/Dec/2012:23:20:27 -0600] "HEAD / HTTP/1.1" 200 334 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chrome/20.0.1132.47 Safari/536.11"
-
- 127.0.0.1
- HEAD
- /
- -
- Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chrome/20.0.1132.47 Safari/536.11
- -
- 200
- 334
-
-
-
-
-
-
-
- snort
-
-
-
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @QSTRING:s0:[]@ @ESTRING:s1: {@@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
-
-
-
- [1:485:5] ICMP Destination Unreachable Communication Administratively Prohibited [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.0.0.0
- 1:485:5
- ICMP Destination Unreachable Communication Administratively Prohibited
- Misc activity
- 3
- ICMP
- 192.168.1.1
- 10.0.0.0
-
-
-
-
-
- @QSTRING:s0:[]@ @ESTRING:s1: [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @QSTRING:s0:[]@@QSTRING:s1: @[Classification:@QSTRING:s2: ]@ [Priority@QSTRING:i0: ]@: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
-
-
- [1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432 [Classification: Potentially Bad Traffic] [Priority: 2]: <eth1> {TCP} 192.168.193.245:38472 -> 192.168.193.1:5432
- 1:2010939:2
- ET POLICY Suspicious inbound to PostgreSQL port 5432
- Potentially Bad Traffic
- eth1
- 2
- TCP
- 192.168.193.245
- 38472
- 192.168.193.1
- 5432
-
-
-
-
-
- @QSTRING:s0:[]@ @ESTRING:s1: [Classification@:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
-
- @QSTRING:s0:[]@ [@ESTRING::]@ @ESTRING:s1: [Classification@:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:<>@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
-
-
-
-
-
- @NUMBER:pdb_extracted_month:@/@NUMBER:pdb_extracted_day:@/@NUMBER:pdb_extracted_shortyear:@-@NUMBER:pdb_extracted_hour:@:@NUMBER:pdb_extracted_minute:@:@NUMBER:pdb_extracted_second:@.@NUMBER::@@ESTRING::[**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@ESTRING:s2:] @[Priority: @NUMBER:i0:@] {@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @NUMBER:pdb_extracted_month:@/@NUMBER:pdb_extracted_day:@/@NUMBER:pdb_extracted_shortyear:@-@NUMBER:pdb_extracted_hour:@:@NUMBER:pdb_extracted_minute:@:@NUMBER:pdb_extracted_second:@.@NUMBER::@@ESTRING::[**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@ESTRING:s2:] @[Priority: @NUMBER:i0:@] {@ESTRING:i1:}@ @IPv4:i2:@ -> @IPv4:i4:@
-
-
- 20$pdb_extracted_shortyear-$pdb_extracted_month-$pdb_extracted_day $pdb_extracted_hour:$pdb_extracted_minute:$pdb_extracted_second
-
-
-
-
-
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ ->@IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ ->@IPv4:i4:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ ->@IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ ->@IPv4:i4:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: {@@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@-> @IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@
- @ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] {@@ESTRING:i1:}@@IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@
-
-
-
-
-
-
- sshd
-
-
-
-
- Accepted @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@
-
-
-
-
-
- Failed @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@
- Failed @ESTRING:s0: @for invalid user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@
- Failed @ESTRING:s0: @for illegal user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@
-
-
-
-
-
- pam_unix(sshd:session): session closed for user @ANYSTRING:s0:@
- session closed for user @ANYSTRING:s0:@
-
-
-
-
-
- bro_dns
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@
-
-
-
- 1318443095.831281|0L5Ro2iPit1|10.0.0.0|23657|69.22.154.225|53|udp|31608|e2932.c.akamaiedge.net|1|C_INTERNET|1|A|0|NOERROR|F|T|F|F|F|1|20.000000|23.0.124.9
-
- 10.0.0.0
-
- 23657
-
- 69.22.154.225
-
- 53
-
- udp
-
- e2932.c.akamaiedge.net
-
- 23.0.124.9
-
-
-
-
-
-
- bro_notice
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@tcp|HTTP::MD5|@IPv4::@ @ESTRING:s0: @http@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@@ESTRING::|@@IPv4::@|@IPv4::@|@NUMBER::@|@ANYSTRING::@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@HTTP::MD5|@IPv4::@ @ESTRING:s0: @http@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@
-
-
- /$s2
-
-
-
-
- @ESTRING::|@@ESTRING::|@@IPv4:i0@|@NUMBER:i1@|@IPv4:i2@|@NUMBER:i3@|@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:@|@IPv4:@|@NUMBER:@|@ANYSTRING::@
- @ESTRING::|@-|-|@ESTRING:i1:|@@ESTRING:i2:|@-|-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|-|@NUMBER:i3@|@ANYSTRING::@
- @ESTRING::|@-|-|@ESTRING:i1:|@-|@ESTRING:i3:|@-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|@IPv4:i2@|-|-|@ANYSTRING::@
- @ESTRING::|@-|-|@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|-|-|-|@ANYSTRING::@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@-|-|-|-|@ANYSTRING::@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@tcp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@udp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@icmp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@
- @ESTRING::|@-|-|-|-|-|-|@ESTRING:s0:|@@ESTRING:s1:|@-|-|-|-|-@ANYSTRING::@
- @ESTRING::|@-|-|-|-|-|-|@ESTRING:s0:|@@ESTRING:s1:|@-|@IPv4:i0:@|@ANYSTRING::@
-
-
-
-
-
- bro_files
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING:i2:|@@ESTRING::|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s4:|@@ESTRING:s5:|@@ANYSTRING::@
-
-
-
-
-
- bro_smtp
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s4:|@@ESTRING:s5:|@@ANYSTRING::@
-
-
-
- 1320612601.697404|SFiDYDwOSl8|10.0.0.0|45765|66.94.25.228|25|@woMgeVXDE|server.example.com|<prvs=284e51a33=user@domain.com>|<user@example.com>|Sun, 6 Nov 2011 14:50:00 -0600|"user" <user@domain.com>|"'user@example.com'" <user@example.com>|-|<F3AC33A1A5033546890246040DCA32E303CDF29D5FE6@mailserver.domain.com>|<user@example.com>|RE: some subject|-|from mailserver.domain.com ([10.0.0.0]) with mapi; Sun, 6 Nov 2011 14:50:01 -0600|from mailserver.domain.com ([10.0.0.0]) by mailserver.domain.com with ESMTP/TLS/RC4-MD5; 06 Nov 2011 14:50:01 -0600|250 2.0.0 10wk4g5v6k-1 Message accepted for delivery|192.168.1.1,10.0.0.0|-|F
-
- 10.0.0.0
-
- 45765
-
- 66.94.25.228
-
- 25
-
- server.example.com
-
- "user" <user@domain.com>
-
- "'user@example.com'" <user@example.com>
-
- RE: some subject
-
- 250 2.0.0 10wk4g5v6k-1 Message accepted for delivery
-
- 192.168.1.1,10.0.0.0
-
-
-
-
-
-
- bro_smtp_entities
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:i4:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:@
-
-
-
- 1320613389.303478|zQQiHb1x3fj|216.33.127.82|37295|10.0.0.0|25|@VqmVdbY2Mm3|CDocuments and SettingsckaiserLocal SettingsTemporary Internet FilesContent.IE535ZF226Areport[3].pdf|54399|application/pdf|-|-|-
-
- 216.33.127.82
-
- 37295
-
- 10.0.0.0
-
- 25
-
- CDocuments and SettingsckaiserLocal SettingsTemporary Internet FilesContent.IE535ZF226Areport[3].pdf
-
- 54399
-
- application/pdf
-
- -
-
- -
-
- -
-
-
-
-
-
-
- bro_ssl
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING:s1:|@@ESTRING::|@@ESTRING:i4:|@@ANYSTRING::@
-
-
-
- 1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|443|TLSv10|TLS_RSA_WITH_RC4_128_MD5|-|48eacd8fda1a4f48188288ce09ba84d93b8b40aaafdeafd8bace5a1ba9f7c3ce|CN=www.forneymaterialstesting.com,OU=Comodo InstantSSL,OU=Online Sales,O=Forney Inc,streetAddress=One Adams Place,L=Seven Fields\,,ST=Pennsylvania,postalCode=16046,C=US|1286341200.000000|1381035599.000000|04918ecb442ca62e6e8f29272b9cff42|ok
-
- 10.0.0.0
-
- 19427
-
- 80.175.58.76
-
- 443
-
- -
-
- CN=www.forneymaterialstesting.com,OU=Comodo InstantSSL,OU=Online Sales,O=Forney Inc,streetAddress=One Adams Place,L=Seven Fields\,,ST=Pennsylvania,postalCode=16046,C=US
-
- 1381035599.000000
-
-
-
-
-
-
- bro_http
-
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@NUMBER::@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING:i5:|@@ESTRING:i4:|@
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING:i5:|@@ESTRING::|@@ESTRING:i4:|@
-
-
-
- 1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|80|GET|www.google.com|/|http://example.com|myagent|-|-|1000|0|200|
-
- 10.0.0.0
-
- 19427
-
- 80.175.58.76
-
- 80
-
- GET
-
- www.google.com
-
- /
-
- http://example.com
-
- myagent
-
- 200
-
- 1000
-
-
-
-
-
-
- bro_conn
-
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:i5:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING::|@@ESTRING:s4:|@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@
-
-
-
- 1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|80|tcp|...
-
- 10.0.0.0
-
- 19427
-
- 80.175.58.76
-
- 80
-
- tcp
-
-
- 1355091922.994655|fOFtbJ91cG7|192.168.1.103|52949|206.12.19.9|80|tcp|http|3.970039|2829|574725|SF|-|3706|ShADadFf|200|14697|403|591995
-
- 192.168.1.103
-
- 52949
-
- 206.12.19.9
-
- 80
-
- tcp
-
- http
-
- 3.970039
-
- 2829
-
- 574725
-
- 200
-
- 403
-
-
-
-
-
-
- kernel
-
-
-
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @subtype=@ESTRING:: @type=webfilter pri=@ESTRING:: @vd=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @serial=@ESTRING:: @user=@ESTRING:s0: @group=@ESTRING:s1: @src=@IPv4:i0:@ sport=@ESTRING:i1: @src_port=@ESTRING:: @src_int=@ESTRING:: @dst=@IPv4:i2:@ dport=@ESTRING:i3: @dst_port=@ESTRING:: @dst_int=@ESTRING:: @service=@ESTRING:s2: @hostname=@ESTRING:s3: @profiletype=@ESTRING:: @profile=@ESTRING:: @status=@ESTRING:s4: @req_type=@ESTRING:: @url=@ESTRING:s5: @method=@ESTRING:: @class=@ESTRING:: @cat=@ESTRING:i4: @cat_desc=@QSTRING::""@ carrier_ep=@ESTRING:: @msg=@QSTRING::""@ class_desc=@ESTRING:: @profilegroup=
-
-
-
- date=2012-02-10 time=11:27:01 devname=CUSTID01-SITEID-FW device_id=FG100C999999999 log_id=13312 subtype=ftgd_allow type=webfilter pri=notice vd=VDOM policyid=44 identidx=1 serial=369298248 user=USER group=AD/GROUP src=10.1.2.3 sport=2163 src_port=2163 src_int=INT dst=4.3.2.1 dport=80 dst_port=80 dst_int=WAN service=http hostname=col.stb.s-msn.com profiletype=Webfilter_Profile profile=PROFILE status=passthrough req_type=referral url=/i/79/65F987C952BDA0E84AE52464ADD59.jpg method=domain class=0 cat=41 cat_desc="Search Engines and Portals" carrier_ep=N/A msg="URL belongs to an allowed category in policy" class_desc=N/A profilegroup=N/A
-
- 10.1.2.3
- 2163
- 4.3.2.1
- 80
- USER
- AD/GROUP
- http
- col.stb.s-msn.com
- passthrough
- /i/79/65F987C952BDA0E84AE52464ADD59.jpg
- 41
-
-
-
-
-
-
-
- kernel
-
-
-
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @subtype=@ESTRING:: @type=traffic pri=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4@ app_type=@ESTRING:: @duration=@NUMBER:i5@ rule=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @sent=@ESTRING:: @rcvd=@ESTRING:: @shaper_drop_sent=@ESTRING:: @shaper_drop_rcvd=@ESTRING:: @perip_drop=@ESTRING:: @sent_pkt=@ESTRING:: @rcvd_pkt=@ESTRING:: @src_int=@ESTRING:: @dst_int=@ESTRING:: @SN=@ESTRING:: @app=@ESTRING:: @app_cat=@ESTRING:: @carrier_ep=@ESTRING:: @vpn=@ESTRING:: @status=@ESTRING:: @user=@ESTRING:: @group=@ESTRING:: @shaper_sent_name=@ESTRING:: @shaper_rcvd_name=@ESTRING:: @perip_name
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @transip=@ESTRING:: @transport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @vd=@ESTRING:: @src=@IPv4:i0:@ src_port=@NUMBER:i1:@ src_int=@QSTRING::""@ dst=@IPv4:i2:@ dst_port=@NUMBER:i3:@ dst_int=@QSTRING::""@ SN=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dst_country=@QSTRING::""@ src_country=@QSTRING::""@ service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sent=@ESTRING:: @rcvd=@ESTRING:: @msg
-
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@
- date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@
-
-
-
- date=2012-02-10 time=11:27:01 devname=CUSTID01-SITEID-FW device_id=FGT80C9999999999 log_id=2 subtype=allowed type=traffic pri=notice vd=VDOM dir_disp=org tran_disp=snat src=10.1.2.3 srcname=10.1.2.3 src_port=53624 dst=4.3.2.2 dstname=4.3.2.2 dst_port=80 tran_ip=5.4.3.2 tran_port=49648 service=80/tcp proto=6 app_type=N/A duration=120 rule=49 policyid=49 identidx=0 sent=1221 rcvd=2062 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 sent_pkt=7 rcvd_pkt=6 src_int=INT dst_int=WAN SN=16349534 app=N/A app_cat=N/A carrier_ep=N/A vpn=N/A status=accept user=N/A group=N/A shaper_sent_name=N/A shaper_rcvd_name=N/A perip_name=N/A
-
- 10.1.2.3
- 53624
- 4.3.2.2
- 80
- 6
- 120
-
-
-
-
-
-
-
-
-
-
- @QSTRING:i0:""@ @QSTRING::""@ @QSTRING::""@ @QSTRING:s0:""@ @QSTRING:s1:""@ @QSTRING:s2:""@ @QSTRING:s3:""@ @QSTRING:s4:""@ @QSTRING::""@ @QSTRING:i1:""@ @QSTRING:i2:""@ @QSTRING:i3:""@ @QSTRING::""@ @QSTRING::""@ @QSTRING::""@ @QSTRING::""@ "message_info: @ESTRING:s5:"@ @QSTRING::""@ @QSTRING::""@
-
-
-
- "1" "12Feb2012" "23:59:04" "bond0.30" "FW-INT-CHCKPNT1" "Log" "Drop" "ntp-udp" "ntp-udp" "192.168.1.210" "10.133.3.10" "udp" "" "" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""
-
- 1
- bond0.30
- FW-INT-CHCKPNT1
- Log
- Drop
- ntp-udp
- 192.168.1.210
- 10.133.3.10
- udp
- Address spoofing
-
-
-
-
-
-
-
-
-
-
- @NUMBER::@:@NUMBER::@,@NUMBER::@,@ESTRING::,@url,@NUMBER::@,@ESTRING::,@@IPv4:i0:@,@IPv4:i1:@,@IPv4::@,@IPv4::@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING::,@@ESTRING:s2:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i2:,@1@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@"@ESTRING:s3:/@@ESTRING:s4:"@,(@NUMBER::@),@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s5:,@
-
- @ESTRING::,@ TYPE: THREAT, SUBTYPE: url, THREAT_ID: (@NUMBER::@), ACTION: @ESTRING::,@ RULE: @ESTRING::,@ MISC: "@ESTRING:s3:/@@ESTRING:s4:"@
-
- /$s4
-
-
-
-
- 46:31,002501000259,THREAT,url,0,2012/02/21 09:46:31,192.168.1.1,208.71.123.129,0.0.0.0,0.0.0.0,USERS-Network-AllowAll-to-EXT,domain\joeschmo,,web-browsing,vsys1,Users,External,ethernet1/3,ethernet1/5,forward-syslog-to-elsa,2012/02/2109:46:30,156730,1,50836,80,0,0,0x8000,tcp,alert,"network.realmedia.com/RealMedia/ads/adstream_sx.ads/newsinc_ap_video_us/preroll/vast/sx/ss/a/@x75",(9999),All,informational,client-to-server,19630699,0x0,United States,United States,0,text/xml
-
- 192.168.1.1
- 208.71.123.129
- USERS-Network-AllowAll-to-EXT
- domain\joeschmo
- web-browsing
- 156730
- network.realmedia.com
- /RealMedia/ads/adstream_sx.ads/newsinc_ap_video_us/preroll/vast/sx/ss/a/@x75
- United States
-
-
-
-
-
-
-
-
-
-
- @NUMBER::@:@NUMBER::@,@ESTRING::TRAFFIC,@@ESTRING:s5:,@@NUMBER::@,@ESTRING::,@@IPv4:i0:@,@IPv4:i1:@,@IPv4::@,@IPv4::@,@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i2:,@@ESTRING:i3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i4:,@@ESTRING::,@@ESTRING:i5:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s4:,@
-
- @ESTRING::,@ TYPE: TRAFFIC, SUBTYPE: @ESTRING:s5:,@ RULE: @ESTRING::,@ ACTION: @ESTRING::,@ INBOUND_INTERFACE: @ESTRING:s2:,@ FROM_ZONE: @ESTRING:s0:,@ SOURCE_USER: @ESTRING::,@ SOURCE_IP: @ESTRING:i0:,@ NAT_SOURCE_IP: @ESTRING::,@ SOURCE_PORT: @ESTRING:i2:,@ OUTBOUND_INTERFACE: @ESTRING:s3:,@ TO_ZONE: @ESTRING:s1:,@ DESTINATION_USER: @ESTRING::,@ DESTINATION_IP: @ESTRING:i1:,@ DESTINATION_PORT: @ESTRING:i3:,@ DESTINATION_LOCATION: @ESTRING:s4:,@ CATEGORY: @ESTRING:s5:,@ PROTOCOL: @ESTRING:i4:,@ APPLICATION: @ESTRING::,@ ELAPSED_TIME: @ESTRING::,@ BYTES: @ESTRING:i5:,@ BYTES_RECEIVED: @ESTRING::,@ BYTES_SENT: @ESTRING::,@ TOTAL_PACKETS: @ESTRING::,@ PACKETS_RECEIVED: @ESTRING::,@ PACKETS_SENT: @ESTRING::,@ REPEAT_COUNT_5sec:
-
-
-
- 46:31,002501000259,TRAFFIC,end,0,2012/02/21 09:46:31,10.10.10.10,192.168.1.1,0.0.0.0,0.0.0.0,ALL-http-https-to-BASTION,,,web-browsing,vsys1,External,Bastion,ethernet1/5,ethernet1/2,forward-syslog-to-elsa,2012/02/21 09:46:30,632179,1,4074,80,0,0,0x0,tcp,allow,2986,1493,1493,19,2012/02/21 09:45:57,31,not-resolved,0,453403179,0x0,United States,United States,0,10,9
-
- 10.10.10.10
- 192.168.1.1
- External
- Bastion
- ethernet1/5
- ethernet1/2
- 4074
- 80
- tcp
- 2986
- United States
- end
-
-
-
-
-
-
-
-
-
-
- @NUMBER::@@ESTRING::(@@ESTRING::)@ @IPv4:pdb_extracted_sourceip:@->WinEvtLog WinEvtLog: @ESTRING:pdb_extracted_program::@ AUDIT_@ESTRING::(@@ESTRING:i0:)@@ESTRING::Account Name@@ESTRING::Account Name@: @ESTRING:s1: @@ESTRING::Account Domain@: @ESTRING:s2: @@ESTRING::Source Network Address@: @IPv4:i1:@
-
- $pdb_extracted_program
-
-
-
-
- 2013 Jan 18 20:25:08 (host.example.com) 172.20.0.23->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: myuser: MYDOMAIN: MYDOMAIN-DC-1.example.com: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: MYDOMAIN-DC-1$ Account Domain: MYDOMAIN Logon ID: 0x3e7 Logon Type: 3 New Logon: Security ID: S-1-5-21-3113823999-9998615402-9997257512-9966 Account Name: myuser Account Domain: MYDOMAIN Logon ID: 0x2339f787 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\\Windows\\System32\\lsass.exe Network Information: Workstation Name: MYDOMAIN-DC-1 Source Network Address: 172.24.248.117 Source Port: 54265 Detailed Authentication Information: Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
-
- 4624
- myuser
- MYDOMAIN
- 172.24.248.117
-
-
-
-
-
-
- @NUMBER::@@ESTRING::(@@ESTRING::)@ @IPv4:pdb_extracted_sourceip:@->WinEvtLog WinEvtLog: @ESTRING:pdb_extracted_program::@ AUDIT_@ESTRING::(@@ESTRING:i0:)@
-
- $pdb_extracted_program
-
-
-
-
- 2012 Feb 20 09:04:41 (serverb) 123.123.40.23->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: bgreen@DOM1.A.COM: DOM1.A.COM: serverb.dom1.a.com: A Kerberos service ticket was requested. Account Information: Account Name: bgreen@DOM1.A.COM Account Domain: DOM1.A.COM Logon GUID: {CBB22EBF-4367-CB43-E5AC-2A8C13FD9641} Service Information: Service Name: SERVERC$ Service ID: S-1-5-21-117536760-2556423787-3220343774-160533 Network Information:Client Address: ::ffff:123.123.39.33 Client Port: 62513 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
-
- 4769
- Security
- 123.123.40.23
-
-
-
-
-
-
-
- from
-
-
-
- @IPv4:pdb_extracted_sourceip:@: scan[@NUMBER::@]@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @SCAN @ESTRING:: @@ESTRING:s0: @@ESTRING:s1: @@ESTRING:: @@ESTRING:i1: @@ESTRING:i2: @@ESTRING:s2: @SZ:@NUMBER::@ SUBJ:@ANYSTRING:s3:@
-
-
-
- 192.168.1.10: scan[8077]: UNKNOWN[10.37.80.102] 1329946623-01792678721d5b70001-uwIQq5 1329946623 1329946623 SCAN - sender@example.com recipient@example.com 0.341 0 0 - SZ:1634 SUBJ:Service - Flow Capture (inside)|status.example.com|PROBLEM
-
- 10.37.80.102
- sender@example.com
- recipient@example.com
- 0
- 0
- -
- Service - Flow Capture (inside)|status.example.com|PROBLEM
- 192.168.1.10
-
-
-
-
-
-
- @IPv4:pdb_extracted_sourceip:@: inbound/pass@NUMBER::@[@NUMBER::@]@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @RECV @ESTRING:s0: @@ESTRING:s1: @@ESTRING:i1: @@ESTRING:i2: @@ANYSTRING:s2:@
-
-
-
- 192.168.1.10: inbound/pass1[22443]: host.com[8.7.24.13] 1329330589-01792657ab486050001-5NcMI6 1329330589 1329330590 RECV test@test.com test1@test.ca 2 62 8.7.24.13
-
- 8.7.24.13
- test@test.com
- test1@test.ca
- 2
- 62
- 8.7.24.13
- 192.168.1.10
-
-
-
-
-
-
- @IPv4:pdb_extracted_sourceip:@: outbound/smtp[@NUMBER::@]: @IPv4:i0:@ @ESTRING:: @@ESTRING:: @@ESTRING:: @SEND @ESTRING:: @@ESTRING:i1: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ANYSTRING:s0:@
-
-
-
- 192.168.1.10: outbound/smtp[17580]: 127.0.0.1 1329330593-01792657ab486060001-slQ29D 0 0 SEND - 1 40FD5C6C659 250 <0be658c5d60e4a0ea51a0a4745d6115e@mail.ca> Queued mail for delivery
-
- 127.0.0.1
- Queued mail for delivery
- 1
- 192.168.1.10
-
-
-
-
-
-
-
- scan
-
-
-
- @ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @SCAN @ESTRING:: @@ESTRING:s0: @@ESTRING:s1: @@ESTRING:: @@ESTRING:i1: @@ESTRING:i2: @@ESTRING:s2: @SZ:@NUMBER::@ SUBJ:@ANYSTRING:s3:@
-
-
-
- UNKNOWN[10.37.80.102] 1329946623-01792678721d5b70001-uwIQq5 1329946623 1329946623 SCAN - sender@example.com recipient@example.com 0.341 0 0 - SZ:1634 SUBJ:Service - Flow Capture (inside)|status.example.com|PROBLEM
-
- 10.37.80.102
- sender@example.com
- recipient@example.com
- 0
- 0
- -
- Service - Flow Capture (inside)|status.example.com|PROBLEM
-
-
-
-
-
-
-
- inbound
-
-
-
- @ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @RECV @ESTRING:s0: @@ESTRING:s1: @@ESTRING:i1: @@ESTRING:i2: @@ANYSTRING:s2:@
-
-
-
- host.com[8.7.24.13] 1329330589-01792657ab486050001-5NcMI6 1329330589 1329330590 RECV test@test.com test1@test.ca 2 62 8.7.24.13
-
- 8.7.24.13
- test@test.com
- test1@test.ca
- 2
- 62
- 8.7.24.13
-
-
-
-
-
-
-
- outbound
-
-
-
- @IPv4:i0:@ @ESTRING:: @@ESTRING:: @@ESTRING:: @SEND @ESTRING:: @@ESTRING:i1: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ANYSTRING:s0:@
-
-
-
- 192.168.1.10: outbound/smtp[17580]: 127.0.0.1 1329330593-01792657ab486060001-slQ29D 0 0 SEND - 1 40FD5C6C659 250 <0be658c5d60e4a0ea51a0a4745d6115e@mail.ca> Queued mail for delivery
-
- 127.0.0.1
- Queued mail for delivery
- 1
-
-
-
-
-
-
-
- exchmtlog
-
-
-
- @ESTRING::,@@ESTRING::,@@ESTRING:s0:,@@ESTRING::,@@ESTRING:s1:,@@ESTRING::,@@ESTRING::,@STOREDRIVER,DELIVER,@NUMBER::@,@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s4:,@
-
-
-
- 2012-03-16T17:13:16.475Z,,servername,,casservername,,,STOREDRIVER,DELIVER,23065261,sender@some.org,recipient@other.org,,156558,1,,,TEST MESSAGE SUBJECT,sender@some.org,sender@some.org,2012-03-16T17:13:16.147Z
- servername
- casservername
- sender@some.org
- recipient@other.org
- TEST MESSAGE SUBJECT
-
-
-
-
-
-
- novell_logs_
-
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:username:|@@ESTRING:i1:|@@ESTRING:s1:|@@ESTRING:s0:|@@ESTRING::|@"@ESTRING:s2:"@|"@ESTRING::|@@ESTRING::|@@ESTRING:i2:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i3:|@@ESTRING:i5:|@"@ESTRING:s4:"@|@ESTRING::|@"@ESTRING:s3:"@
-
-
-
- 2012-04-06|15:57:49|10.124.19.11|-|10.0.59.189|dev.mail.example.com|GET|"https://dev.mail.example.com:443/owa/auth/preload.htm"|"/owa/auth/preload.htm"|""|HTTP/1.1|200|"In Cache, Fresh"|550|"1527"|Success|2077|916|0.000|"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; InfoPath.3)"|"ASPSESSIONIDSSDSDRTA=JPNHAEECMAIOIDMIHNPJGOKE; ASPSESSIONIDSQDSCQSA=FGPFCJECCJAGBFBHLPHPKMPD"|"https://dev.mail.example.com/exchweb/bin/auth/owalogon.asp?url=https://dev.mail.example.com/exchange&reason=0&replaceCurrent=1"|""|1|-|-|""|""|""|""|""|""
- 10.124.19.11
- 10.0.59.189
- GET
- dev.mail.example.com
- /owa/auth/preload.htm
- https://dev.mail.example.com/exchweb/bin/auth/owalogon.asp?url=https://dev.mail.example.com/exchange&reason=0&replaceCurrent=1
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; InfoPath.3)
- 200
- 916
- 0.000
-
-
-
-
-
-
- Security-Auditing
-
-
-
- @ESTRING:: @The Windows Filtering Platform has @ESTRING:: @a connection. Application Information: Process ID: @ESTRING:: @Application Name: @ESTRING:: @Network Information: Direction: @ESTRING:: @Source Address: @IPv4:i1@ Source Port: @NUMBER:i2:@ Destination Address: @IPv4:i3:@ Destination Port: @NUMBER:i4:@ Protocol: @NUMBER:i0:@ Filter Information: Filter Run-Time ID: @ESTRING:: @Layer Name: @ESTRING:: @Layer Run-Time ID: @NUMBER::@
-
-
-
- 5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1924 Application Name: \device\harddiskvolume1\users\admin\appdata\local\dude\win.exe Network Information: Direction: Outbound Source Address: 1.1.1.1 Source Port: 1234 Destination Address: 2.2.2.2 Destination Port: 4567 Protocol: 17 Filter Information: Filter Run-Time ID: 70078 Layer Name: Connect Layer Run-Time ID: 48
-
- 1.1.1.1
-
- 1234
-
- 2.2.2.2
-
- 4567
-
- 17
-
-
-
-
-
-
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:::@@ESTRING:i2:|@@ESTRING:i3::@@ESTRING:i4:|@@ESTRING:i1:|@@ESTRING:s0:|@@ESTRING:s1:|@
-
-
-
- BOB|2012-07-05|15:05:11|TCP|123.123.123.222:40521|123.123.123.111:443|123.123.111.111|Local Host|Internal|Establish|0x0|-|HTTPS|0|0|0|0|-|-|-|-|4|1874698|-|-|::|-|1048575|-
-
- TCP
-
- 123.123.111.111
-
- 40521
-
- 123.123.123.111
-
- 443
-
- Local Host
-
- Internal
-
-
-
-
-
-
-
- ISAFWSLog
-
-
-
-
- @ESTRING:i0:|@@ESTRING::|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i1:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@@ESTRING:i2:|@
- @ESTRING:i0:|@@ESTRING::|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i1:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING:s1:|@
-
-
-
- 1.1.1.1|domainname\username|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)|2012-08-27|18:59:49|MAD00GS6|2.2.2.2|2.2.2.2|80|http|GET|http://search.twitter.com/search.json?q=hp%2520dell%2520problems&since_id=240160211699122180&callback=twitter._queue_callback&result_type=mixed|200|Internet Access to Users|Req ID: 1f449904 |Internal|External|0x480|Allowed|-
- 1.1.1.1
- 2.2.2.2
- GET
- search.twitter.com
- search.json?q=hp%2520dell%2520problems&since_id=240160211699122180&callback=twitter._queue_callback&result_type=mixed
-
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
-
- 200
-
-
-
-
-
-
-
-
- %SEC-
-
-
- list @ESTRING:s2: @denied @ESTRING:i0: @@ESTRING:i1:(@@NUMBER:i2:@) -> @ESTRING:i3:(@@NUMBER:i4:@@ANYSTRING@
-
-
- list FILTER-INTERNET-IN denied tcp 1.2.3.4(53420) -> 5.6.7.8(23), 1 packet
- FILTER-INTERNET-IN
- tcp
- 1.2.3.4
- 53420
- 5.6.7.8
- 23
-
-
-
-
-
-
- list @ESTRING:s2: @permitted @ESTRING:i0: @@ESTRING:i1:(@@NUMBER:i2:@) -> @ESTRING:i3:(@@NUMBER:i4:@@ANYSTRING@
-
-
- list FILTER-INTERNET-IN permitted tcp 1.2.3.4(53420) -> 5.6.7.8(23), 1 packet
- FILTER-INTERNET-IN
- tcp
- 1.2.3.4
- 53420
- 5.6.7.8
- 23
-
-
-
-
-
-
-
-
- CEF:@NUMBER::@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@NUMBER:i0:@|@ANYSTRING:s5:@
-
-
- CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
- 10
- security
- threatmanager
- 1.0
- 100
- worm successfully stopped
- src=10.0.0.1 dst=2.1.2.2 spt=1232
-
-
-
-
-
-
- firewall
-
-
- Deny @ESTRING:s0: @@ESTRING:s1: @@NUMBER::@ @ESTRING:i0: @@NUMBER::@ @NUMBER::@ @ESTRING:i1: @@ESTRING:i3: @@ESTRING:i2: @@ESTRING:i4: @
-
-
- Deny 0-External Firebox 1340 tcp 20 56 74.125.225.143 10.0.1.1 443 3449 offset 5 A 451109382 win 257 (Unhandled External Packet-00)
- tcp
- 74.125.225.143
- 443
- 10.0.1.1
- 3449
- 0-External
- Firebox
-
-
-
-
- Allow @ESTRING:s1: @@ESTRING:s0: @@NUMBER::@ @ESTRING:i0: @@NUMBER::@ @NUMBER::@ @ESTRING:i1: @@ESTRING:i3: @@ESTRING:i2: @@ESTRING:i4: @
-
-
- Allow 1-Trusted 0-External 52 tcp 20 127 192.168.1.31 96.60.118.121 55185 8005 offset 8 S 1125590318 win 32 (ATSBDR-00)
- tcp
- 192.168.1.31
- 55185
- 96.60.118.121
- 8005
- 0-External
- 1-Trusted
-
-
-
-
-
-
- http-proxy
-
-
- Deny @ESTRING:: @@ESTRING:: @tcp @ESTRING:i0: @@ESTRING:i1: @@NUMBER::@ @NUMBER::@ msg="@ESTRING::"@ proxy_act="@ESTRING::"@ op="@ESTRING:s0:"@ dstname="@ESTRING:s1:"@ arg="@ESTRING:s2:"@ sent_bytes="@NUMBER::@" rcvd_bytes="@NUMBER:i3:@
-
-
- Deny 1-Trusted 0-External tcp 192.168.1.17 23.21.13.155 62115 80 msg="HTTP Request" proxy_act="HTTP-Client.1" op="" dstname="23.21.13.155" arg="" sent_bytes="1" rcvd_bytes="0" (HTTP-proxy-ExceptLunch-00)
- 192.168.1.17
- 23.21.13.155
- 0
-
- 23.21.13.155
-
-
-
-
-
- Allow @ESTRING:: @@ESTRING:: @tcp @ESTRING:i0: @@ESTRING:i1: @@NUMBER::@ @NUMBER::@ msg="@ESTRING::"@ proxy_act="@ESTRING::"@ op="@ESTRING:s0:"@ dstname="@ESTRING:s1:"@ arg="@ESTRING:s2:"@ sent_bytes="@NUMBER::@" rcvd_bytes="@NUMBER:i3:@
-
-
- Allow 1-Trusted 0-External tcp 192.168.1.22 74.125.142.95 2597 80 msg="HTTP Request" proxy_act="HTTP-Client.1" op="GET" dstname="ajax.googleapis.com" arg="/ajax/libs/jquery/1.5/jquery.min.js" sent_bytes="363" rcvd_bytes="30368" (HTTP-proxy-ExceptLunch-00)
- 192.168.1.22
- 74.125.142.95
- 30368
- GET
- ajax.googleapis.com
- /ajax/libs/jquery/1.5/jquery.min.js
-
-
-
-
-
-
- auditd
-
-
- date@ESTRING::event=@ACL deny@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@protocol=@NUMBER:i0:@
- date@ESTRING::event=@ACL deny@ESTRING::srcip=@@IPv4:i1:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstburb=@ESTRING:s0:,@protocol=@NUMBER:i0:@
- date@ESTRING::type=@t_attack@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@@ESTRING::protocol=@@NUMBER:i0:@@ESTRING::dstip=@@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@
- date@ESTRING::type=@t_netprobe@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,protocol=@NUMBER:i0:@,interface=@ESTRING:s0:,@
-
-
- date="Oct 1 16:24:57 2012 UTC",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=htpp,edomain=htpp,hostname=localhost,event=IP Filter session open,rule_name=myrule-out,srcip=1.1.1.1,srcport=1,srcburb=internal2,dstip=2.2.2.2,dstport=2,dstburb=external1,protocol=6,netsessid=5069c3d9000c7831
- 6
- 1.1.1.1
- 1
- 2.2.2.2
- 2
- external1
- internal2
-
-
-
-
- date@ESTRING::event=@proxy traffic end@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@protocol=@NUMBER:i0:@,dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@
- date@ESTRING::event=@proxy traffic end@ESTRING::srcip=@@IPv4:i1:@,srcburb=@ESTRING:s1:,@protocol=@NUMBER:i0:@,dstip=@IPv4:i3:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@
- date@ESTRING::event=@IP Filter session close@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@@ESTRING::protocol=@@NUMBER:i0:@
- date@ESTRING::event=@IP Filter session timeout@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@@ESTRING::protocol=@@NUMBER:i0:@
-
-
- date="Oct 1 16:24:57 2012 UTC",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=28529,ruid=0,euid=0,pgid=28529,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=localhost,event=proxy traffic end,service_name=http,netsessid=5069c3d9000ab8ce,srcip=1.1.1.1,srcport=1,srcburb=internal2,protocol=6,dstip=2.2.2.2,dstport=2,dstburb=external1,bytes_written_to_client=1297,bytes_written_to_server=421,rule_name=www.isa.webproxy,cache_hit=0,request_status=0,start_time="Mon Oct 1 11:24:57 2012"
- 6
- 1.1.1.1
- 1
- 2.2.2.2
- 2
- external1
- internal2
- 1297
-
-
-
-
-
-
-
-
-
- vendor=Websense@ESTRING::action=@@ESTRING:s5: @severity=@ESTRING::category=@@ESTRING:s3: @user=@ESTRING:s0: @src_host=@IPv4:i0:@@ESTRING::dst_host=@@ESTRING:s1: @dst_ip=@IPv4:i1:@@ESTRING::http_response=@@NUMBER:i2:@@ESTRING::http_user_agent=@@ESTRING:s4: @@ESTRING::disposition=@@ESTRING:s3: @@ESTRING:://@@ESTRING::/@@ANYSTRING:s2:@
- vendor=Websense@ESTRING::action=@@ESTRING:s5: @severity=@ESTRING::category=@@ESTRING:s3: @user=@ESTRING:s0: @src_host=@IPv4:i0:@@ESTRING::dst_host=@@ESTRING:s1: @dst_ip=@IPv4:i1:@@ESTRING::http_response=@@NUMBER:i2:@@ESTRING::http_user_agent=@@ESTRING:s4: @@ESTRING::disposition=@@ESTRING:s3: @
-
- /$s2
-
-
-
- vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type=- http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_en-US;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com/index.html
- 10.64.134.74
- 74.125.224.53
- 200
- -
- mail.google.com
- /index.html
- 1034
- Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_en-US;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23
- permitted
-
-
-
-
-
-
-
-
-
- @IPv4:i0@ - @ESTRING:s0: @@ESTRING::"@@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:"@ @NUMBER:i2:@ @ESTRING:s5: @@QSTRING:s3:"@
-
- /$s2
-
-
-
- 1.1.1.1 - username [03/Oct/2012:06:52:51 +0100] "GET http://a.nice.url/some/uri?parameters=go&in=here" 200 ALLOW "Blogs/Wiki, Entertainment"
- 1.1.1.1
- 200
- username
- a.nice.url
- /some/uri?parameters=go&in=here
- Blogs/Wiki, Entertainment
- ALLOW
-
-
-
-
-
-
- netflow_syslog
-
-
-
- @ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ANYSTRING:s5:@
- @ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@
- @ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@
-
-
-
- tcp|192.85.128.47|35843|1.1.1.1|443|30486|2173|US|Palo Alto, CA|37.376202|-122.182602|HPES - Hewlett-Packard Company
-
- tcp
- 192.85.128.47
- 35843
- 1.1.1.1
- 443
- 30486
- 2173
- US
- Palo Alto, CA
- 37.376202
- -122.182602
- HPES - Hewlett-Packard Company
-
-
-
-
-
-
-
- BIND
-
-
-
- @ESTRING::client @@ESTRING:i0:#@@NUMBER::@: query: @ESTRING:s0: @IN @ESTRING:s1: @@ESTRING:: @(@ESTRING:s2:)@
- @ESTRING::client @@ESTRING:i0:#@@NUMBER::@ (@ESTRING::)@: query: @ESTRING:s0: @IN @ESTRING:s1: @@ESTRING:: @(@ESTRING:s2:)@
-
-
-
- 02-Nov-2012 15:49:58.516 queries: info: client 198.211.94.24#55557: query: 174.2.219.178.in-addr.arpa IN PTR + (198.211.94.23)
-
- 198.211.94.24
- 174.2.219.178.in-addr.arpa
- PTR
- 198.211.94.23
-
-
-
- 02-Nov-2012 16:01:27.731 client 10.10.10.185#49999 (10.10.10.185): query: p.twitter.com IN A + (10.10.210.210)
-
- 10.10.10.185
- p.twitter.com
- A
- 10.10.210.210
-
-
-
-
-
-
-
- IISWebLog
-
- @ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@IPv4:i1:@ @ESTRING:s0: @@ESTRING:s2: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@IPv4:i0:@ @ESTRING:: @@ESTRING:s4: @@ESTRING:: @@ESTRING:s3: @@ESTRING:s1: @@NUMBER:i2:@ @NUMBER::@ @NUMBER::@ @NUMBER:i3:@ @NUMBER::@ @NUMBER:i5:@
-
-
- 2012-12-13 13:39:16 W3SVC1 MYSERVERNAME 1.1.1.1 GET / - 80 - 2.2.2.2 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.95+Safari/537.11 - - www.fqdn.of.website.from.host.header.com 301 0 0 401 408 453
-
- 2.2.2.2
- 1.1.1.1
- 301
- 401
- 453
- GET
- www.fqdn.of.website.from.host.header.com
- /
- -
- Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.95+Safari/537.11
-
-
-
-
-
-
-
- kernel-
-
-
-
- @QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
- @QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
- @QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
- @QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
-
-
-
- [100100.226323] [WEB_IN-default-R]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.105 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=16822 PROTO=TCP SPT=51425 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
- eth1
- eth0
- WEB_IN-default
- TCP
- 172.31.254.28
- 51425
- 172.31.253.105
- 23
-
-
- [382188.344294] [WEB_IN-default-D]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.109 LEN=44 TOS=0x00 PREC=0x00 TTL=45 ID=55452 PROTO=TCP SPT=51809 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
- eth1
- eth0
- WEB_IN-default
- TCP
- 172.31.254.28
- 51809
- 172.31.253.109
- 80
-
-
- [387123.927635] [WEB_IN-8-D] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.103 LEN=28 TOS=0x00 PREC=0x00 TTL=47 ID=49372 PROTO=ICMP TYPE=8 CODE=0 ID=5799 SEQ=0
- eth1
- eth0
- WEB_IN-8
- ICMP
- 172.31.254.28
-
- 172.31.253.103
-
-
-
- [466981.095849] [WEB_IN-default-D]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.106 LEN=20 TOS=0x00 PREC=0x00 TTL=44 ID=39983 PROTO=135
- eth1
- eth0
- WEB_IN-default
- 135
- 172.31.254.28
-
- 172.31.253.106
-
-
-
- [451134.428328] [WEB_IN-9-R] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.107 LEN=20 TOS=0x00 PREC=0x00 TTL=37 ID=12252 PROTO=ESP INCOMPLETE [0 bytes]
- eth1
- eth0
- WEB_IN-9
- ESP
- 172.31.254.28
-
- 172.31.253.107
-
-
-
-
-
-
-
-
- @QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@
- @QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
- @QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@
-
-
-
- [88829.069484] [WEB_IN-7-A] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.102 LEN=44 TOS=0x00 PREC=0x00 TTL=46 ID=22533 PROTO=TCP SPT=59995 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
- eth1
- eth0
- WEB_IN-7
- TCP
- 172.31.254.28
- 59995
- 172.31.253.102
- 3306
-
-
-
-
-
-
- ossec
-
-
- Alert Level: @NUMBER:i0:@; Rule: @NUMBER:i1:@ - @ESTRING:s0:;@ Location: @ESTRING:s1:-@@ESTRING::;@ user: @ESTRING:s2:;@
-
-
- Alert Level: 4; Rule: 18105 - Windows audit failure event.; Location: %SERVER.DOMAIN.LOCAL%->/var/log/ossec_in; user: %USERNAME%; Jan 12 13:51:34 %SERVER.DOMAIN.LOCAL% MSWinEventLog|1|Security|3151378|Sat Jan 12 13:51:32 2013|4776|Microsoft-Windows-Security-Auditing|%USERNAME%|N/A|Failure Audit|%SERVER.DOMAIN.LOCAL%|None||The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: %USERNAME% Source Workstation: %WORKSTATION_NAME% Error Code: 0xc0000064|3147595
- 4
- 18105
- Windows audit failure event.
- %SERVER.DOMAIN.LOCAL%
- %USERNAME%
-
-
-
-
-
-
-
-
-
- NetScreen device_id=@ESTRING:: @@ESTRING:: start_time="@@ESTRING::"@ duration=@ESTRING:: @policy_id=@ESTRING:s2: @service=@ESTRING:: @proto=@ESTRING:i0: @src zone=@ESTRING:s1: @dst zone=@ESTRING:s0: @action=Deny sent=@ESTRING:: @rcvd=@ESTRING:: @src=@ESTRING:i1: @dst=@ESTRING:i3: @src_port=@ESTRING:i2: @dst_port=@ESTRING:i4: @
-
-
-
- NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied
- 6
- IN
- 192.168.0.1
- OUT
- 51271
- 192.168.1.1
- 80
-
-
-
-
-
-
-
- NetScreen device_id=@ESTRING:: @@ESTRING:: start_time="@@ESTRING::"@ duration=@ESTRING:s2: @policy_id=@ESTRING:: @service=@ESTRING:: @proto=@ESTRING:i0: @src zone=@ESTRING:s1: @dst zone=@ESTRING:s0: @action=Permit sent=@ESTRING:: @rcvd=@ESTRING:i5: @src=@ESTRING:i1: @dst=@ESTRING:i3: @src_port=@ESTRING:i2: @dst_port=@ESTRING:i4: @
-
-
-
- NetScreen device_id=fwgate-1 [Root]system-notification-00257(traffic): start_time="2013-02-14 15:37:46" duration=2 policy_id=8 service=tcp/port:10050 proto=6 src zone=Trust dst zone=DMZ action=Permit sent=379 rcvd=377 src=192.168.1.XX dst=192.168.XXX.XXX src_port=36033 dst_port=10050 src-xlated ip=192.168.XX.XX port=36033 dst-xlated ip=192.168.XXX.XXX port=10050 session_id=253315 reason=Close - TCP FIN
- 6
- 192.168.1.XX
- 36033
- 192.168.XXX.XXX
- 10050
- 377
- DMZ
- Trust
- 2
-
-
-
-
-
-
-
-
-
- src=@ESTRING:i1: @dst=@ESTRING:i3: @ipprot=@ESTRING:i0: @sport=@ESTRING:i2: @dport=@ESTRING:i4: @
- src=@ESTRING:i1: @dst=@ESTRING:i3: @ipprot=@ESTRING:i0: @
-
-
-
- src=192.168.1.65 dst=192.168.2.8 ipprot=17 sport=7547 dport=3478 Drop traffic to 192.168.0.0/16
- 17
- 192.168.1.65
- 7547
- 192.168.2.8
- 3478
-
-
- src=192.168.2.8 dst=192.168.1.72 ipprot=17 (layer 4 info unknown) Unknown inbound session stopped
- 17
- 192.168.2.8
- 192.168.1.72
-
-
-
-
-
-
-
- url
-
-
-
- @ESTRING:: @@ESTRING:: @@NUMBER:i5:@ @IPv4:i0:@ @NUMBER:i2:@ @ESTRING:: @@NUMBER::@ @NUMBER:i3:@ @ESTRING:s0: @@ESTRING:: @@ESTRING:s1: @@ESTRING:: @@ESTRING:s2_a: @@ESTRING:s2_b: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:s4: @@ESTRING:s5: @
- 20@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:i0: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:s1: @
-
-
- $s2_a$s2_b
-
-
-
-
-
- dhcpd
-
-
-
-
- DHCPDISCOVER from @ESTRING:s0: @via @ESTRING:i0::@
- bind update on @ESTRING:i0: @from @ESTRING:s1:(@@NUMBER::@)
- Forward map from @ESTRING:s2: @to @ESTRING:i0: @
- Abandoning IP address @ESTRING:i0::@
- Reclaiming abandoned lease @IPvANY:i0:@
- client @ESTRING:i0:#@@NUMBER::@: update forwarding '@ESTRING:s1:/@
- DNS format error from @ESTRING:i1:#@@NUMBER:i2:@ resolving
- DHCPACK on @ESTRING:i0: @to @ESTRING:s0: @(@ESTRING:s2:)@
-
-
-
- DHCPDISCOVER from aa:aa:aa:aa:aa:aa via 10.1.52.31: peer holds all free leases
- aa:aa:aa:aa:aa:aa
- 10.1.52.31
-
-
- bind update on 1.1.1.1 from corp-test(1368109376) rejected: incoming update is less critical than outgoing update
- 1.1.1.1
- corp-test
-
-
- Forward map from host.test.com to 1.1.1.1 FAILED: Has an address record but no DHCID, not mine.
- 1.1.1.1
- host.test.com
-
-
- Abandoning IP address 1.1.1.1: pinged before offer
- 1.1.1.1
-
-
- Reclaiming abandoned lease 10.1.52.207.
- 10.1.52.207
-
-
- client 1.1.1.1#64919: update forwarding 'test.com/IN' denied
- 1.1.1.1
- test.com
-
-
- DHCPACK on 192.168.208.64 to aa:aa:aa:aa:aa:aa (JT-Mac) via 192.168.208.8
- 192.168.208.64
- aa:aa:aa:aa:aa:aa
- JT-Mac
-
-
-
-
-
-
- fenotify
-
-
-
- @ESTRING::cnchost=@@ESTRING:i0:,@alertType=@ESTRING:s0:,@shost=@ESTRING:s1:,@dst=@ESTRING:i1:,@@ESTRING::sname=@@ESTRING:s2:,@fileHash=@ESTRING:s3:,@@ESTRING::occurred=@@ESTRING:i2:,@@ESTRING::cncport=@@ESTRING:i3:,@src=@ESTRING:i4:,@dpt=@ESTRING:i5:,@
-
-
-
- CSV:0:FireEye:Web MPS:7.0.0.138133:IM:infection-match,osinfo=,sev=minr,malware_type=,alertid=16232,app=,spt=2791,locations=,smac=c4:7d:4f:ef:e0:03,header=,cnchost=127.0.0.1,alertType=infection-match,shost=thegibson.domain.com,dst=127.0.0.1,original_name=,application=,sid=504606,malware-note=,objurl=,mwurl=,profile=,dmac=00:0a:42:f4:94:00,product=Web MPS,sname=Local.Infection,fileHash=351f1dc4e958975661f02c86a485431e,dvchost=,occurred=2013-01-14T16:58:18Z,release=7.0.0.138133,link=,cncport=80,src=10.10.10.10,dpt=80,anomaly=,dvc=,channel=,action=notified,os=,stype=bot-command,
- infection-match
- thegibson.domain.com
- Local.Infection
- 351f1dc4e958975661f02c86a485431e
- bot-command
- 127.0.0.1
- 127.0.0.1
- 2013-01-14T16:58:18Z
- 80
- 10.10.10.10
- 80
-
-
-
-
-
-
- bro_ftp
-
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s0:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@
-
-
-
- 1360158824.989266|B6a0lYqUPm4|10.1.10.64|2504|10.2.20.40|21|redcell|hidden|RETR|ftp://10.2.20.40/./bandook.exe|-|-|-|-|-|-|-
-
- B6a0lYqUPm4
-
- 10.1.10.64
-
- 2504
-
- 10.2.20.40
-
- 21
-
- redcell
-
- hidden
-
- RETR
-
- ftp://10.2.20.40/./bandook.exe
-
-
-
-
-
-
- bro_weird
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s3:|@
-
-
-
- 1351197195.607686|mHKKLqyI4mf|192.168.1.12|137|192.168.1.13|137|DNS_label_len_gt_pkt|-|F|bro
-
- mHKKLqyI4mf
-
- 192.168.1.12
-
- 137
-
- 192.168.1.13
-
- 137
-
- DNS_label_len_gt_pkt
-
-
-
-
-
-
- bro_tunnel
-
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:@
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@
-
-
-
- 1360153388.439863|FIRbnuXCRqh|70.55.213.211|0|192.88.99.1|0|Tunnel::IP|Tunnel::DISCOVER
-
- FIRbnuXCRqh
-
- 70.55.213.211
-
- 0
-
- 192.88.99.1
-
- 0
-
- Tunnel::IP
-
- Tunnel::DISCOVER
-
-
-
-
-
-
- bro_software
-
-
-
- @ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s2:@
-
-
-
- 1360157307.572112|10.1.50.5|-|HTTP::BROWSER|MSIE|5|1|-|-|Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)
-
- 10.1.50.5
-
- -
-
- HTTP::BROWSER
-
- MSIE
-
- 5
-
- 1
-
- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)
-
-
-
-
-
-
- bro_ssh
-
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:i4:|@
-
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@
- @ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@
-
-
-
- 1360157311.364242|YDPUHZNdL05|10.2.199.248|41392|10.1.40.1|22|failure|OUTBOUND|-|SSH-2.0-Cisco-1.25|1119|-|-|-|-|-
-
- YDPUHZNdL05
-
- 10.2.199.248
-
- 41392
-
- 10.1.40.1
-
- 22
-
- failure
-
- OUTBOUND
-
- -
-
- SSH-2.0-Cisco-1.25
-
- 1119
-
-
-
-
-
-
- bro_syslog
-
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:s1:|@@ESTRING:s2:|@@ANYSTRING:s3:@
-
-
-
-
- 1375571619.507641|QMOWsHjZqde|192.168.1.1|514|192.168.1.116|514|udp|LOCAL0|INFO|Aug 3 23:13:39 pf: 00:00:00.804184 rule 36/0(match): pass in on vr0: (tos 0x0, ttl 64, id 11232, offset 0, flags [DF], proto UDP (17), length 55) 192.168.1.116.43172 > 192.168.1.1.53: 40972+ A? localhost. (27)
-
- QMOWsHjZqde
-
- 192.168.1.1
-
- 514
-
- 192.168.1.116
-
- 514
-
- udp
-
- LOCAL0
-
- INFO
-
- Aug 3 23:13:39 pf: 00:00:00.804184 rule 36/0(match): pass in on vr0: (tos 0x0, ttl 64, id 11232, offset 0, flags [DF], proto UDP (17), length 55) 192.168.1.116.43172 > 192.168.1.1.53: 40972+ A? localhost. (27)
-
-
-
-
-
-
- bro_irc
-
-
-
-
- @ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ANYSTRING:s1:@
-
-
-
-
- 1352413490.163439|FB2AqwMeEy4|192.168.1.12|1045|212.48.121.249|5050|NEW-[USA|00|P|23733]|XP-1630|JOIN|#!nn!| with channel key: 'test'|-|-|-|-
-
- FB2AqwMeEy4
-
- 192.168.1.12
-
- 1045
-
- 212.48.121.249
-
- 5050
-
- NEW-[USA|00|P|23733]|XP-1630|JOIN|#!nn!| with channel key: 'test'|-|-|-|-
-
-
-
-
-
-
- bro_known_cert
-
-
-
-
- @ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::CN=@@ESTRING:s0:,@@ESTRING::OU=@@ESTRING:s1:@@ESTRING::O=@@ESTRING:s2:,@@ESTRING::emailAddress=@@ESTRING:s3:,@
- @ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::CN=@@ESTRING:s0:,@@ESTRING::OU=@@ESTRING:s1:@@ESTRING::O=@@ESTRING:s2:,@
-
-
-
-
- 1360154644.236015|10.2.20.60|443|emailAddress=webmaster@dox.site,CN=dox.site,OU=web server,O=SuSE Linux Web Server,L=unknown,ST=unknown,C=XY|emailAddress=webmaster@dox.site,CN=dox.site,OU=CA,O=SuSE Linux Web Server,L=unknown,ST=unknown,C=XY|02
-
- 10.2.20.60
-
- 443
-
- dox.site
-
- web server
-
- SuSE Linux Web Server
-
- webmaster@dox.site
-
-
-
-
-
-
- bro_known_hosts
-
-
-
-
- @ESTRING::|@@ESTRING:i0:@
-
-
-
-
- 1360154565.568704|192.168.3.35
-
- 192.168.3.35
-
-
-
-
-
-
- bro_known_services
-
-
-
-
- @ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:s0:@
-
-
-
-
- 1360154567.821951|192.168.10.100|2869|tcp|HTTP
-
- 192.168.10.100
-
- 2869
-
- tcp
-
- HTTP
-
-
-
-
-
-
- bro_capture_loss
-
-
-
-
- @ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:s1:@
-
-
-
-
- 1377263179.538810|900.000092|so12-eth1-1|0|3991|0.000%
-
- so12-eth1-1
-
- 0
-
- 3991
-
- 0.000%
-
-
-
-
-
-
diff --git a/salt/syslog-ng/files/syslog-ng.conf b/salt/syslog-ng/files/syslog-ng.conf
deleted file mode 100644
index 7b1601f02..000000000
--- a/salt/syslog-ng/files/syslog-ng.conf
+++ /dev/null
@@ -1,243 +0,0 @@
-@version: 3.5
-source s_syslog { unix-dgram("/dev/log"); };
-
-source s_network {
- tcp();
- udp();
-};
-
-parser p_db {
- db-parser(file("/opt/so/conf/syslog-ng/patterndb.xml"));
-};
-
-filter f_rewrite_cisco_program { match('^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_rewrite_cisco_program_2 { match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
-filter f_snort { match('snort:' value("MSGHDR")); };
-filter f_bro_headers { message("^#") };
-
-rewrite r_cisco_program {
- set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
- set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
-};
-
-rewrite r_snare { subst("MSWinEventLog.+(Security|Application|System).+", "$1", value("PROGRAM") flags(global)); };
-rewrite r_from_pipes { subst('\|', "%7C", value("MESSAGE") flags(global) condition(program("bro_*" type(glob)))); };
-rewrite r_pipes { subst("\t", "|", value("MESSAGE") flags(global)); };
-rewrite r_host { set("$SOURCEIP", value("HOST")); };
-rewrite r_extracted_host { set("$pdb_extracted_sourceip", value("HOST") condition("$pdb_extracted_sourceip" != "")); };
-
-template t_db_parsed { template("$R_UNIXTIME\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n"); };
-
-source s_bro_conn { file("/nsm/bro/logs/current/conn.log" flags(no-parse) program_override("bro_conn")); };
-source s_bro_http {
- file("/nsm/bro/logs/current/http_eth1.log" flags(no-parse) program_override("bro_http"));
-
-};
-source s_bro_dns { file("/nsm/bro/logs/current/dns.log" flags(no-parse) program_override("bro_dns")); };
-source s_bro_files { file("/nsm/bro/logs/current/files.log" flags(no-parse) program_override("bro_files")); };
-source s_bro_dhcp { file("/nsm/bro/logs/current/dhcp.log" flags(no-parse) program_override("bro_dhcp")); };
-source s_bro_weird { file("/nsm/bro/logs/current/weird.log" flags(no-parse) program_override("bro_weird")); };
-source s_bro_tunnels { file("/nsm/bro/logs/current/tunnel.log" flags(no-parse) program_override("bro_tunnels")); };
-source s_bro_syslog { file("/nsm/bro/logs/current/syslog.log" flags(no-parse) program_override("bro_syslog")); };
-source s_bro_ftp { file("/nsm/bro/logs/current/ftp.log" flags(no-parse) program_override("bro_ftp")); };
-source s_bro_notice { file("/nsm/bro/logs/current/notice.log" flags(no-parse) program_override("bro_notice")); };
-source s_bro_smtp { file("/nsm/bro/logs/current/smtp.log" flags(no-parse) program_override("bro_smtp")); };
-source s_bro_smtp_entities { file("/nsm/bro/logs/current/smtp_entities.log" flags(no-parse) program_override("bro_smtp_entities")); };
-source s_bro_ssl { file("/nsm/bro/logs/current/ssl.log" flags(no-parse) program_override("bro_ssl")); };
-source s_ossec { file("/var/ossec/logs/archives/archives.log" program_override('ossec_archive') follow_freq(1) flags(no-parse)); };
-source s_bro_software { file("/nsm/bro/logs/current/software.log" flags(no-parse) program_override("bro_software")); };
-source s_bro_irc { file("/nsm/bro/logs/current/irc.log" flags(no-parse) program_override("bro_irc")); };
-source s_bro_ssh { file("/nsm/bro/logs/current/ssh.log" flags(no-parse) program_override("bro_ssh")); };
-source s_bro_intel { file("/nsm/bro/logs/current/intel.log" flags(no-parse) program_override("bro_intel")); };
-source s_bro_x509 { file("/nsm/bro/logs/current/x509.log" flags(no-parse) program_override("bro_x509")); };
-source s_bro_snmp { file("/nsm/bro/logs/current/snmp.log" flags(no-parse) program_override("bro_snmp")); };
-source s_bro_radius { file("/nsm/bro/logs/current/radius.log" flags(no-parse) program_override("bro_radius")); };
-source s_bro_mysql { file("/nsm/bro/logs/current/mysql.log" flags(no-parse) program_override("bro_mysql")); };
-source s_bro_kerberos { file("/nsm/bro/logs/current/kerberos.log" flags(no-parse) program_override("bro_kerberos")); };
-source s_bro_rdp { file("/nsm/bro/logs/current/rdp.log" flags(no-parse) program_override("bro_rdp")); };
-source s_bro_pe { file("/nsm/bro/logs/current/pe.log" flags(no-parse) program_override("bro_pe")); };
-source s_bro_sip { file("/nsm/bro/logs/current/sip.log" flags(no-parse) program_override("bro_sip")); };
-source s_bro_smb_mapping { file("/nsm/bro/logs/current/smb_mapping.log" flags(no-parse) program_override("bro_smb_mapping")); };
-source s_bro_smb_files { file("/nsm/bro/logs/current/smb_files.log" flags(no-parse) program_override("bro_smb_files")); };
-source s_bro_ntlm { file("/nsm/bro/logs/current/ntlm.log" flags(no-parse) program_override("bro_ntlm")); };
-source s_bro_dce_rpc { file("/nsm/bro/logs/current/dce_rpc.log" flags(no-parse) program_override("bro_dce_rpc")); };
-source s_bro_modbus { file("/nsm/bro/logs/current/modbus.log" flags(no-parse) program_override("bro_modbus")); };
-source s_bro_dnp3 { file("/nsm/bro/logs/current/dnp3.log" flags(no-parse) program_override("bro_dnp3")); };
-source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };
-
-destination d_elsa { program("sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh" template(t_db_parsed)); };
-destination d_logstash { tcp("logstash" port(6050) template("$(format-json --scope selected_macros --scope nv_pairs --exclude DATE --key ISODATE)\n")); };
-
-log {
- source(s_bro_conn);
- source(s_bro_http);
- source(s_bro_dns);
- source(s_bro_weird);
- source(s_bro_tunnels);
- source(s_bro_syslog);
- source(s_bro_ftp);
- source(s_bro_files);
- source(s_bro_dhcp);
- source(s_bro_notice);
- source(s_bro_smtp);
- source(s_bro_smtp_entities);
- source(s_bro_ssl);
- source(s_bro_irc);
- source(s_bro_software);
- source(s_bro_ssh);
- source(s_bro_smb_mapping);
- source(s_bro_smb_files);
- source(s_bro_ntlm);
- source(s_bro_dce_rpc);
- source(s_bro_intel);
- source(s_bro_x509);
- source(s_bro_snmp);
- source(s_bro_radius);
- source(s_bro_mysql);
- source(s_bro_kerberos);
- source(s_bro_rdp);
- source(s_bro_pe);
- source(s_bro_sip);
- source(s_bro_modbus);
- source(s_bro_dnp3);
- source(s_bro_rfb);
- source(s_ossec);
- source(s_network);
- source(s_syslog);
- log { filter(f_bro_headers); flags(final); };
- log { destination(d_logstash); };
-};
-# Bring it all back
-#source s_src {
-# system();
-# internal();
-#};
-########################
-# Destinations
-########################
-# First some standard logfile
-#
-destination d_auth { file("/var/log/auth.log"); };
-destination d_cron { file("/var/log/cron.log"); };
-destination d_daemon { file("/var/log/daemon.log"); };
-destination d_kern { file("/var/log/kern.log"); };
-destination d_lpr { file("/var/log/lpr.log"); };
-destination d_mail { file("/var/log/mail.log"); };
-destination d_syslog { file("/var/log/syslog"); };
-destination d_user { file("/var/log/user.log"); };
-destination d_uucp { file("/var/log/uucp.log"); };
-
-# This files are the log come from the mail subsystem.
-#
-destination d_mailinfo { file("/var/log/mail/mail.info"); };
-destination d_mailwarn { file("/var/log/mail/mail.warn"); };
-destination d_mailerr { file("/var/log/mail/mail.err"); };
-
-# Logging for INN news system
-#
-destination d_newscrit { file("/var/log/news/news.crit"); };
-destination d_newserr { file("/var/log/news/news.err"); };
-destination d_newsnotice { file("/var/log/news/news.notice"); };
-
-# Some `catch-all' logfiles.
-#
-destination d_debug { file("/var/log/debug"); };
-destination d_error { file("/var/log/error"); };
-destination d_messages { file("/var/log/messages"); };
-
-# The root's console.
-#
-destination d_console { usertty("root"); };
-
-# Virtual console.
-#
-destination d_console_all { file("/dev/tty10"); };
-
-# The named pipe /dev/xconsole is for the nsole' utility. To use it,
-# you must invoke nsole' with the -file' option:
-#
-# $ xconsole -file /dev/xconsole [...]
-#
-destination d_xconsole { pipe("/dev/xconsole"); };
-
-# Send the messages to an other host
-#
-#destination d_net { tcp("127.0.0.1" port(1000) authentication(on) encrypt(on) log_fifo_size(1000)); };
-
-# Debian only
-destination d_ppp { file("/var/log/ppp.log"); };
-
-########################
-# Filters
-########################
-# Here's come the filter options. With this rules, we can set which
-# message go where.
-
-filter f_dbg { level(debug); };
-filter f_info { level(info); };
-filter f_notice { level(notice); };
-filter f_warn { level(warn); };
-filter f_err { level(err); };
-filter f_crit { level(crit .. emerg); };
-
-filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
-filter f_error { level(err .. emerg) and not filter(f_snort); };
-filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };
-filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
-filter f_cron { facility(cron) and not filter(f_debug); };
-filter f_daemon { facility(daemon) and not filter(f_debug); };
-filter f_kern { facility(kern) and not filter(f_debug); };
-filter f_lpr { facility(lpr) and not filter(f_debug); };
-filter f_local { facility(local0, local1, local3, local4, local5, local6, local7) and not filter(f_debug); };
-filter f_mail { facility(mail) and not filter(f_debug); };
-filter f_news { facility(news) and not filter(f_debug); };
-filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug) and not filter(f_snort); };
-filter f_user { facility(user) and not filter(f_debug); };
-filter f_uucp { facility(uucp) and not filter(f_debug); };
-
-filter f_cnews { level(notice, err, crit) and facility(news); };
-filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
-
-filter f_ppp { facility(local2) and not filter(f_debug); };
-filter f_console { level(warn .. emerg); };
-
-########################
-# Log paths
-########################
-log { source(s_syslog); filter(f_auth); destination(d_auth); };
-log { source(s_syslog); filter(f_cron); destination(d_cron); };
-log { source(s_syslog); filter(f_daemon); destination(d_daemon); };
-log { source(s_syslog); filter(f_kern); destination(d_kern); };
-log { source(s_syslog); filter(f_lpr); destination(d_lpr); };
-log { source(s_syslog); filter(f_syslog3); destination(d_syslog); };
-log { source(s_syslog); filter(f_user); destination(d_user); };
-log { source(s_syslog); filter(f_uucp); destination(d_uucp); };
-
-log { source(s_syslog); filter(f_mail); destination(d_mail); };
-#log { source(s_syslog); filter(f_mail); filter(f_info); destination(d_mailinfo); };
-#log { source(s_syslog); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
-#log { source(s_syslog); filter(f_mail); filter(f_err); destination(d_mailerr); };
-
-log { source(s_syslog); filter(f_news); filter(f_crit); destination(d_newscrit); };
-log { source(s_syslog); filter(f_news); filter(f_err); destination(d_newserr); };
-log { source(s_syslog); filter(f_news); filter(f_notice); destination(d_newsnotice); };
-#log { source(s_syslog); filter(f_cnews); destination(d_console_all); };
-#log { source(s_syslog); filter(f_cother); destination(d_console_all); };
-
-#log { source(s_syslog); filter(f_ppp); destination(d_ppp); };
-
-log { source(s_syslog); filter(f_debug); destination(d_debug); };
-log { source(s_syslog); filter(f_error); destination(d_error); };
-log { source(s_syslog); filter(f_messages); destination(d_messages); };
-
-log { source(s_syslog); filter(f_console); destination(d_console_all); destination(d_xconsole); };
-log { source(s_syslog); filter(f_crit); destination(d_console); };
-
-# All messages send to a remote site
-#
-#log { source(s_syslog); destination(d_net); };
-
-###
-# Include all config files in /etc/syslog-ng/conf.d/
-###
diff --git a/salt/syslog-ng/init.sls b/salt/syslog-ng/init.sls
deleted file mode 100644
index bcc86d238..000000000
--- a/salt/syslog-ng/init.sls
+++ /dev/null
@@ -1,18 +0,0 @@
-# Sync the Files
-file.directory:
- - name: /opt/so/conf/syslog-ng
- - user: 939
- - group: 939
-
-# Syslog-ng Docker
-
-so-syslog-ng:
- dockerng.running:
- - image: pillaritem/so-logstash
- - hostname: syslog-ng
- - priviledged: true
- - ports:
- - 514/tcp
- - 514/udp
- - 601
- - network_mode: so-elastic-net
diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls
index a6cc62c32..fa320836e 100644
--- a/salt/tcpreplay/init.sls
+++ b/salt/tcpreplay/init.sls
@@ -1,18 +1,14 @@
{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %}
-
-so-tcpreplayimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-tcpreplay:HH1.1.4
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
so-tcpreplay:
docker_container.running:
- - require:
- - so-tcpreplay
- network_mode: "host"
- - image: docker.io/soshybridhunter/so-tcpreplay:HH1.1.4
+ - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:HH{{ VERSION }}
- name: so-tcpreplay
- user: root
- interactive: True
- tty: True
-
+
{% endif %}
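Review bot: The new `- image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:HH{{ VERSION }}` line drops the only integrity check this state had: the removed `docker pull --disable-content-trust=false` enforced Docker Content Trust on the pull, whereas `docker_container.running` now pulls from the master's port-5000 registry with no signature or digest verification, and the container still runs with `user: root` and `network_mode: "host"`. Whether that registry is TLS-protected or configured as an insecure registry is not visible here; if it is plain HTTP, anyone able to reach or spoof `{{ MASTER }}:5000` can substitute the image that runs as root on the host network. Consider pinning by digest once the registry is seeded, e.g. `- image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay@{{ DIGEST }}`, or at minimum state the trust assumption above the line: `# Pulled unsigned from the master's local registry; integrity depends on the seeding step and on transport security to the master.` Separately, `salt['grains.get']('master')` has no default, so a missing grain renders the image as `:5000/soshybridhunter/...` and only fails later inside docker; a guard such as `{% if not MASTER %}{{ raise('master grain is unset; cannot resolve image registry') }}{% endif %}` (Salt's Jinja exposes `raise`, verify on the target version) fails faster and with a clearer message.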
diff --git a/salt/top.sls b/salt/top.sls
index a632104e7..411679fcd 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -17,7 +17,7 @@ base:
- idstools
- pcap
- suricata
- - bro
+ - zeek
- redis
- logstash
- filebeat
@@ -31,7 +31,7 @@ base:
- pcap
- suricata
{%- if BROVER != 'SURICATA' %}
- - bro
+ - zeek
{%- endif %}
- wazuh
- filebeat
@@ -57,7 +57,7 @@ base:
- kibana
- pcap
- suricata
- - bro
+ - zeek
- curator
- cyberchef
- elastalert
diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index a59a1d215..cb1f79b56 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -1,5 +1,6 @@
{%- set HOSTNAME = salt['grains.get']('host', '') %}
-
+{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set MASTER = salt['grains.get']('master') %}
# Add ossec group
ossecgroup:
group.present:
@@ -62,15 +63,9 @@ wazuhagentregister:
- mode: 755
- template: jinja
-so-wazuhimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-wazuh:HH1.1.3
-
so-wazuh:
docker_container.running:
- - require:
- - so-wazuhimage
- - image: docker.io/soshybridhunter/so-wazuh:HH1.1.3
+ - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:HH{{ VERSION }}
- hostname: {{HOSTNAME}}-wazuh-manager
- name: so-wazuh
- detach: True
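Review bot: The new image reference replaces the old pinned `HH1.1.3` tag with `HH{{ VERSION }}`, where `VERSION` falls back to a hard-coded `'1.1.4'` if the `static:soversion` pillar key is absent; the same literal default is repeated in the tcpreplay state, so a missing pillar value silently deploys whatever version each file happens to name rather than surfacing a configuration error. Since a version tag is mutable, re-applying this state will also not notice if the image behind `HH1.1.4` in the `{{ MASTER }}:5000` registry changes, which matters for a manager that receives agent data from every node. Consider dropping the per-file default so the pillar is authoritative, `{% set VERSION = salt['pillar.get']('static:soversion') %}` with `{% if not VERSION %}{{ raise('static:soversion pillar is not set') }}{% endif %}`, or at least add a comment above the `so-wazuh` state: `# Image version comes from the static:soversion pillar; the inline default must match the version seeded into the registry.` The removed `require` also means nothing in this state orders the container after the registry seeding step, so on a fresh node the pull can race the seed; if the seeding is done by another state, a `require` on it would restore that ordering.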
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 6eb6df55a..53e5ad0bd 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -366,7 +366,7 @@ if (whiptail_you_sure) ; then
salt-call state.apply ssl >> $SETUPLOG 2>&1
salt-call state.apply firewall >> $SETUPLOG 2>&1
salt-call state.apply registry >> $SETUPLOG 2>&1
- echo "Seeding Repo"
+ echo -e "XXX\n42\nDownloading Containers from the Internet... \nXXX"
docker_seed_registry >> $SETUPLOG 2>&1
echo -e "XXX\n43\nInstalling Common Components... \nXXX"
salt-call state.apply common >> $SETUPLOG 2>&1
@@ -609,7 +609,7 @@ if (whiptail_you_sure) ; then
salt-call state.apply ssl >> $SETUPLOG 2>&1
salt-call state.apply firewall >> $SETUPLOG 2>&1
salt-call state.apply registry >> $SETUPLOG 2>&1
- echo "Seeding Repo"
+ echo -e "XXX\n14\nDownloading Containers from the Internet... \nXXX"
docker_seed_registry >> $SETUPLOG 2>&1
salt-call state.apply master >> $SETUPLOG 2>&1
echo -e "XXX\n15\nInstalling core components... \nXXX"