Remove Tags From Bro Log Types (Recognize Security Onion http log) (#439

)

parser/parsetypes/parsetypes.go

@@ -2,6 +2,7 @@ package parsetypes
 
 import (
 	"github.com/activecm/rita/config"
+	"strings"
 )
 
 //BroData holds a line of a bro log
@@ -13,20 +14,23 @@ type BroData interface {
 //NewBroDataFactory creates a new BroData based on the string
 //which appears in that log's objType field
 func NewBroDataFactory(fileType string) func() BroData {
-	switch fileType {
-	case "conn":
+	//Note: we use HasPrefix rather than equality for the checks
+	//in order to support configurations which tag the log types.
+	//For instance, Security Onion splits the http log out by
+	//interface producing http_eth0, http_eth1, etc.
+	if strings.HasPrefix(fileType, "conn") {
 		return func() BroData {
 			return &Conn{}
 		}
-	case "dns":
+	} else if strings.HasPrefix(fileType, "dns") {
 		return func() BroData {
 			return &DNS{}
 		}
-	case "http":
+	} else if strings.HasPrefix(fileType, "http") {
 		return func() BroData {
 			return &HTTP{}
 		}
-	case "ssl":
+	} else if strings.HasPrefix(fileType, "ssl") {
 		return func() BroData {
 			return &SSL{}
 		}

parser/parsetypes/parsetypes_test.go

@@ -0,0 +1,20 @@
+package parsetypes
+
+import (
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+func TestNewBroDataFactory(t *testing.T) {
+
+	testCasesIn := []string{"conn", "http", "dns", "httpa", "http_a", "http_eth0", "httpasdf12345=-ASDF?", "ASDF"}
+	testCasesOut := []BroData{&Conn{}, &HTTP{}, &DNS{}, &HTTP{}, &HTTP{}, &HTTP{}, &HTTP{}, nil}
+	for i := range testCasesIn {
+		factory := NewBroDataFactory(testCasesIn[i])
+		if factory == nil {
+			require.Nil(t, testCasesOut[i])
+		} else {
+			require.Equal(t, testCasesOut[i], factory())
+		}
+	}
+}

pkg/useragent/mongodb_test.go

@@ -19,7 +19,7 @@ var testRepo Repository
 
 var testUserAgent = map[string]*Input{
 	"Debian APT-HTTP/1.3 (1.2.24)": &Input{
-		Ips:  []string{"1.2.3.4", "1.1.1.1"},
+		OrigIps:  []string{"1.2.3.4", "1.1.1.1"},
 		Seen: 123,
 	},
 }