From 44be1783d8b710f611635c371f9a131acabf0f8a Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Wed, 9 Aug 2023 09:08:36 +0000 Subject: [PATCH 1/5] doc: update Cisco Meraki source description --- docs/sources/vendor/Cisco/cisco_meraki.md | 30 +++++++++++++++++------ 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/docs/sources/vendor/Cisco/cisco_meraki.md b/docs/sources/vendor/Cisco/cisco_meraki.md index 3a37bf9701..d34ddd32c0 100644 --- a/docs/sources/vendor/Cisco/cisco_meraki.md +++ b/docs/sources/vendor/Cisco/cisco_meraki.md @@ -1,29 +1,43 @@ -## Meraki (MR, MS, MX, MV) +## Meraki (MR, MS, MX) ## Key facts +* For distinctive log messages filters are based on MSG Formats. +* Indistinctive log messages require vendor product by source configuration. + +## Distinctive log messages +See samples in the [vendor documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples). + +| Sourcetype | Distinct element | +| --------- | -------------- | +| cisco:meraki:accesspoints | `program("MR" type(string) flags(prefix)) or message("airmarshal_events")` | +| cisco:meraki:securityappliances | `program("MX" type(string) flags(prefix)) or message("Site-to-site VPN"))` | +| cisco:meraki:switches | `program("MS" type(string) flags(prefix)` | + -* MSG Format based filter (Partial) -* Requires vendor product by source configuration -* None conformant legacy BSD Format default port 514 ## Links | Ref | Link | |----------------|---------------------------------------------------------------------------------------------------------| -| Splunk Add-on | | -| Product Manual | | +| Splunk Add-on | | +| Product Manual | | ## Sourcetypes | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| -| meraki | None | +| cisco:meraki:accesspoints | MR (messages/roles: Event Log, URLs, and Flows) | +| cisco:meraki:securityappliances | MX (messages/roles: Event Log, IDS Alerts, URLs, and Flows) | +| cisco:meraki:switches | MS (messages/roles: Event Log) | ## Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| -| cisco_meraki | meraki | netfw | The current TA does not sub sourcetype or utilize source preventing segmentation into more appropriate indexes | +| cisco_meraki_accesspoints | cisco:meraki:accesspoints | netfw | Filtered on the message format | +| cisco_meraki_securityappliances | cisco:meraki:securityappliances | netfw | Filtered on the message format | +| cisco_meraki_switches | cisco:meraki:switches | netfw | Filtered on the message format | +| cisco_meraki | cisco:meraki | netfw | Filtered on vendor product by source configuration | ## Parser Configuration From 0b29f1fda4b2730c90b704cd3610db4791d44e9b Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Thu, 10 Aug 2023 11:39:45 +0000 Subject: [PATCH 2/5] feat: Add app-syslog-cisco_meraki.conf --- .../syslog/app-syslog-cisco_meraki.conf | 42 ++++++ tests/test_cisco_meraki.py | 130 +++++++++++++++++- 2 files changed, 167 insertions(+), 5 deletions(-) create mode 100644 package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf new file mode 100644 index 0000000000..c254f28196 --- /dev/null +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf @@ -0,0 +1,42 @@ +block parser app-syslog-cisco_meraki() { + channel { + + rewrite { + set("securityappliances", value(".tmp.device") condition( host('MX' type(string) flags(ignore-case,prefix)))); + set("switches", value(".tmp.device") condition( host('MS' type(string) flags(ignore-case,prefix)))); + set("accesspoints", value(".tmp.device") condition( host('MR' type(string) flags(ignore-case,prefix)))); + }; + + rewrite { + r_set_splunk_dest_default( + index('netfw') + source('cisco:meraki:${.tmp.device}') + sourcetype('cisco:meraki') + vendor("cisco") + product("meraki") + ); + }; + }; +}; + +application app-syslog-cisco_meraki[sc4s-syslog] { + filter { + ( + ( + host('MX' type(string) flags(ignore-case,prefix)) + or host('MS' type(string) flags(ignore-case,prefix)) + or host('MR' type(string) flags(ignore-case,prefix)) + ) + ) + and ( + ( + program('events' type(string)) + or program('urls' type(string)) + or program('firewall' type(string)) + or program('ids-alerts' type(string)) + or program('flows' type(string)) + ) + ) + }; + parser { app-syslog-cisco_meraki() }; +}; \ No newline at end of file diff --git a/tests/test_cisco_meraki.py b/tests/test_cisco_meraki.py index c7f73f3c1a..ce5adfb2a4 100644 --- a/tests/test_cisco_meraki.py +++ b/tests/test_cisco_meraki.py @@ -11,10 +11,133 @@ from .splunkutils import * from .timeutils import * +import pytest + env = Environment() + # Log samples from https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples +mx_test_data = [ + # MX events: vpn connectivity change + { + "template": "1380664922.583851938 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='98.68.191.209:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='false'", + "sourcetype": "cisco:meraki:securityappliances" + }, + # MX events: uplink connectivity change + { + "template": "Dec 6 08:46:12 192.168.1.1 1 1386337584.254756845 MX84 events Cellular connection down", + "sourcetype": "cisco:meraki:securityappliances" + }, + # MX events: dhcp no offers + { + "template": "Sep 11 16:12:41 192.168.10.1 1 1599865961.535491111 MX84 events dhcp no offers for mac A4:83:E7:XX:XX:XX host = 192.168.10.1", + "sourcetype": "cisco:meraki:securityappliances" + }, + # MX events: dhcp lease + { + "template": "Sep 11 16:05:15 192.168.10.1 1 1599865515.687171503 MX84 events dhcp lease of ip 192.168.10.68 from server mac E0:CB:BC:0F:XX:XX for client mac 8C:16:45:XX:XX:XX from router 192.168.10.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4", + "sourcetype": "cisco:meraki:securityappliances" + }, + # urls: HTTP GET requests + { + "template": "1374543213.342705328 MX84 urls src=192.168.1.186:63735 dst=69.58.188.40:80 mac=58:1F:AA:CE:61:F2 request: GET https://...", + "sourcetype": "cisco:meraki:securityappliances" + }, + # MX flows + { + "template": "1374543986.038687615 MX84 flows src=192.168.1.186 dst=8.8.8.8 mac=58:1F:AA:CE:61:F2 protocol=udp sport=55719 dport=53 pattern: allow all", + "sourcetype": "cisco:meraki:securityappliances" + }, + # MX firewall + { + "template": "1374543986.038687615 MX84 firewall src=192.168.1.186 dst=8.8.8.8 mac=58:1F:AA:CE:61:F2 protocol=udp sport=55719 dport=53 pattern: allow all", + "sourcetype": "cisco:meraki:securityappliances" + }, + # MX ids-alerts: ids signature matched + { + "template": "1377449842.514782056 MX84 ids-alerts signature=129:4:1 priority=3 timestamp=1377449842.512569 direction=ingress protocol=tcp/ip src=74.125.140.132:80", + "sourcetype": "cisco:meraki:securityappliances" + } +] + +ms_test_data = [ + # MS events: port status change + { + "template": "1379967288.409907239 MS220_8P events port 3 status changed from 100fdx to down", + "sourcetype": "cisco:meraki:switches" + }, + # MS events: blocked DHCP server response + { + "template": "1379988354.643337272 MS220_8P events Blocked DHCP server response from 78:FE:3D:90:7F:48 on VLAN 100", + "sourcetype": "cisco:meraki:switches" + } +] + +mr_test_data = [ + # MR events: 802.11 association + { + "template": "1380653443.857790533 MR18 events type=association radio='0' vap='1' channel='6' rssi='23' aid='1813578850'", + "sourcetype": "cisco:meraki:accesspoints" + }, + # MR events: WPA authentication + { + "template": "1380653443.857790533 MR18 events type=wpa_auth radio='0' vap='1' aid='1813578850'", + "sourcetype": "cisco:meraki:accesspoints" + }, + # MR events: splash authentication + { + "template": "1380653443.857790533 MR18 events type=splash_auth ip='10.87.195.250 [More Information] ' duration='3600' vap='2' download='5242880bps' upload='5242880bps'", + "sourcetype": "cisco:meraki:accesspoints" + }, + # MR flows: flow denied by Layer 3 firewall + { + "template": "1380653443.857790533 MR18 flows deny src=10.20.213.144 dst=192.168.111.5 mac=00:F4:B9:78:58:01 protocol=tcp sport=52421 dport=80", + "sourcetype": "cisco:meraki:accesspoints" + }, + # MR events: rogue SSID detected + { + "template": "airmarshal_events type= rogue_ssid_detected ssid='' bssid='02:18:5A:AE:56:00' src='02:18:5A:AE:56:00' dst='02:18:6A:13:09:D0' wired_mac='00:18:0A:AE:56:00' vlan_id='0' channel='157' rssi='21' fc_type='0' fc_subtype='5'", + "sourcetype": "cisco:meraki:accesspoints" + } +] + +test_data = mx_test_data + ms_test_data + mr_test_data + + +@pytest.mark.parametrize("test_case", test_data) +def test_cisco_meraki_syslog_app( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, test_case +): + host = get_host_key + + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) + + # Tune time functions + epoch_ms = epoch[:-3] + + mt = env.from_string( + "{{ mark }}1 {{ epoch }}123 {{ host }} security_event ids_alerted signature=1:28423:1 priority=1 timestamp={{ epoch }} dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection\n" + ) + message = mt.render(mark="<134>", epoch=epoch, host=host) + + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string( + 'search _time={{ epoch_ms }} index=netfw host="{{ host }}" sourcetype="meraki"' + ) + search = st.render(epoch_ms=epoch_ms, host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 + + # <134>1 1563249630.774247467 devicename security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection -def test_cisco_meraki_security_event( +def test_cisco_meraki_vps_app( record_property, setup_wordlist, setup_splunk, setup_sc4s ): host = "testcm-{}-{}".format( @@ -45,7 +168,4 @@ def test_cisco_meraki_security_event( record_property("resultCount", resultCount) record_property("message", message) - assert resultCount == 1 - - -# <134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up + assert resultCount == 1 \ No newline at end of file From b38825006bd144d1adfe45c4d7e74030800609ce Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Fri, 11 Aug 2023 09:34:12 +0000 Subject: [PATCH 3/5] feat: add unit tests for app-syslog-cisco_meraki.conf --- docs/sources/vendor/Cisco/cisco_meraki.md | 32 +++-- .../syslog/app-syslog-cisco_meraki.conf | 5 +- tests/test_cisco_meraki.py | 115 ++++++++++-------- 3 files changed, 84 insertions(+), 68 deletions(-) diff --git a/docs/sources/vendor/Cisco/cisco_meraki.md b/docs/sources/vendor/Cisco/cisco_meraki.md index d34ddd32c0..f34f843461 100644 --- a/docs/sources/vendor/Cisco/cisco_meraki.md +++ b/docs/sources/vendor/Cisco/cisco_meraki.md @@ -1,20 +1,25 @@ ## Meraki (MR, MS, MX) ## Key facts -* For distinctive log messages filters are based on MSG Formats. -* Indistinctive log messages require vendor product by source configuration. +* In most cases, Cisco Meraki logs are general and require vendor product by source configuration. +* For distinctive log messages, filters are based on the appliance name and program value. ## Distinctive log messages See samples in the [vendor documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples). +The two conjuncted conditions are required: + +1. Program: `(events|urls|firewall|cellular_firewall|vpn_firewall|ids-alerts|flows)` + +2. Appliance name: + | Sourcetype | Distinct element | | --------- | -------------- | -| cisco:meraki:accesspoints | `program("MR" type(string) flags(prefix)) or message("airmarshal_events")` | -| cisco:meraki:securityappliances | `program("MX" type(string) flags(prefix)) or message("Site-to-site VPN"))` | -| cisco:meraki:switches | `program("MS" type(string) flags(prefix)` | +| meraki:accesspoints | `host('MR' type(string) flags(ignore-case,prefix))` | +| meraki:securityappliances | `host('MX' type(string) flags(ignore-case,prefix))` | +| meraki:switches | `host('MS' type(string) flags(ignore-case,prefix))` | - ## Links | Ref | Link | @@ -26,18 +31,19 @@ See samples in the [vendor documentation](https://documentation.meraki.com/Gener | sourcetype | notes | |----------------|---------------------------------------------------------------------------------------------------------| -| cisco:meraki:accesspoints | MR (messages/roles: Event Log, URLs, and Flows) | -| cisco:meraki:securityappliances | MX (messages/roles: Event Log, IDS Alerts, URLs, and Flows) | -| cisco:meraki:switches | MS (messages/roles: Event Log) | +| meraki:accesspoints | MR | +| meraki:securityappliances | MX | +| meraki:switches | MS | +| meraki | vendor product by source configuration | ## Sourcetype and Index Configuration | key | sourcetype | index | notes | |----------------|----------------|----------------|----------------| -| cisco_meraki_accesspoints | cisco:meraki:accesspoints | netfw | Filtered on the message format | -| cisco_meraki_securityappliances | cisco:meraki:securityappliances | netfw | Filtered on the message format | -| cisco_meraki_switches | cisco:meraki:switches | netfw | Filtered on the message format | -| cisco_meraki | cisco:meraki | netfw | Filtered on vendor product by source configuration | +| cisco_meraki_accesspoints | meraki:accesspoints | netfw | Filtered on the message format | +| cisco_meraki_securityappliances | meraki:securityappliances | netfw | Filtered on the message format | +| cisco_meraki_switches | meraki:switches | netfw | Filtered on the message format | +| cisco_meraki | meraki | netfw | Filtered on vendor product by source configuration | ## Parser Configuration diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf index c254f28196..73e1d7dff6 100644 --- a/package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf +++ b/package/etc/conf.d/conflib/syslog/app-syslog-cisco_meraki.conf @@ -11,9 +11,10 @@ block parser app-syslog-cisco_meraki() { r_set_splunk_dest_default( index('netfw') source('cisco:meraki:${.tmp.device}') - sourcetype('cisco:meraki') + sourcetype('meraki:${.tmp.device}') vendor("cisco") product("meraki") + class("${.tmp.device}") ); }; }; @@ -33,6 +34,8 @@ application app-syslog-cisco_meraki[sc4s-syslog] { program('events' type(string)) or program('urls' type(string)) or program('firewall' type(string)) + or program('cellular_firewall' type(string)) + or program('vpn_firewall' type(string)) or program('ids-alerts' type(string)) or program('flows' type(string)) ) diff --git a/tests/test_cisco_meraki.py b/tests/test_cisco_meraki.py index ce5adfb2a4..63dbacecc2 100644 --- a/tests/test_cisco_meraki.py +++ b/tests/test_cisco_meraki.py @@ -15,88 +15,94 @@ env = Environment() - # Log samples from https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples +# Log samples from https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples mx_test_data = [ # MX events: vpn connectivity change { - "template": "1380664922.583851938 MX84 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='98.68.191.209:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='false'", - "sourcetype": "cisco:meraki:securityappliances" - }, - # MX events: uplink connectivity change - { - "template": "Dec 6 08:46:12 192.168.1.1 1 1386337584.254756845 MX84 events Cellular connection down", - "sourcetype": "cisco:meraki:securityappliances" - }, - # MX events: dhcp no offers - { - "template": "Sep 11 16:12:41 192.168.10.1 1 1599865961.535491111 MX84 events dhcp no offers for mac A4:83:E7:XX:XX:XX host = 192.168.10.1", - "sourcetype": "cisco:meraki:securityappliances" - }, - # MX events: dhcp lease - { - "template": "Sep 11 16:05:15 192.168.10.1 1 1599865515.687171503 MX84 events dhcp lease of ip 192.168.10.68 from server mac E0:CB:BC:0F:XX:XX for client mac 8C:16:45:XX:XX:XX from router 192.168.10.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4", - "sourcetype": "cisco:meraki:securityappliances" + "template": "{{ mark }} {{ epoch }} {{ host }} events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='1.1.1.1:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='false'", + "host_prefix": "MX", + "sourcetype": "meraki:securityappliances" }, + # # MX events: uplink connectivity change + # { + # "template": "Dec 6 08:46:12 192.168.1.1 1 1386337584.254756845 MX84 events Cellular connection down", + # "sourcetype": "meraki:securityappliances" + # }, + # # MX events: dhcp no offers + # { + # "template": "Sep 11 16:12:41 192.168.10.1 1 1599865961.535491111 MX84 events dhcp no offers for mac A4:83:E7:XX:XX:XX host = 192.168.10.1", + # "sourcetype": "meraki:securityappliances" + # }, + # # MX events: dhcp lease + # { + # "template": "Sep 11 16:05:15 192.168.10.1 1 1599865515.687171503 MX84 events dhcp lease of ip 192.168.10.68 from server mac E0:CB:BC:0F:XX:XX for client mac 8C:16:45:XX:XX:XX from router 192.168.10.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4", + # "sourcetype": "meraki:securityappliances" + # }, # urls: HTTP GET requests { - "template": "1374543213.342705328 MX84 urls src=192.168.1.186:63735 dst=69.58.188.40:80 mac=58:1F:AA:CE:61:F2 request: GET https://...", - "sourcetype": "cisco:meraki:securityappliances" + "template": "{{ mark }} {{ epoch }} {{ host }} urls src=1.1.1.1:63735 dst=1.1.1.1:80 mac=XX:XX:XX:XX:XX:XX request: GET https://...", + "host_prefix": "MX", + "sourcetype": "meraki:securityappliances" }, # MX flows { - "template": "1374543986.038687615 MX84 flows src=192.168.1.186 dst=8.8.8.8 mac=58:1F:AA:CE:61:F2 protocol=udp sport=55719 dport=53 pattern: allow all", - "sourcetype": "cisco:meraki:securityappliances" + "template": "{{ mark }} {{ epoch }} {{ host }} flows src=1.1.1.186 dst=8.8.8.8 mac=XX:XX:XX:XX:XX:XX protocol=udp sport=55719 dport=53 pattern: allow all", + "host_prefix": "MX", + "sourcetype": "meraki:securityappliances" }, # MX firewall { - "template": "1374543986.038687615 MX84 firewall src=192.168.1.186 dst=8.8.8.8 mac=58:1F:AA:CE:61:F2 protocol=udp sport=55719 dport=53 pattern: allow all", - "sourcetype": "cisco:meraki:securityappliances" + "template": "{{ mark }} {{ epoch }} {{ host }} firewall src=1.1.1.186 dst=8.8.8.8 mac=XX:XX:XX:XX:XX:XX protocol=udp sport=55719 dport=53 pattern: allow all", + "host_prefix": "MX", + "sourcetype": "meraki:securityappliances" }, # MX ids-alerts: ids signature matched { - "template": "1377449842.514782056 MX84 ids-alerts signature=129:4:1 priority=3 timestamp=1377449842.512569 direction=ingress protocol=tcp/ip src=74.125.140.132:80", - "sourcetype": "cisco:meraki:securityappliances" + "template": "{{ mark }} {{ epoch }} {{ host }} ids-alerts signature=129:4:1 priority=3 timestamp=1377449842.512569 direction=ingress protocol=tcp/ip src=1.1.1.1:80", + "host_prefix": "MX", + "sourcetype": "meraki:securityappliances" } ] ms_test_data = [ # MS events: port status change { - "template": "1379967288.409907239 MS220_8P events port 3 status changed from 100fdx to down", - "sourcetype": "cisco:meraki:switches" + "template": "{{ mark }} {{ epoch }} {{ host }} events port 3 status changed from 100fdx to down", + "host_prefix": "MS", + "sourcetype": "meraki:switches" }, # MS events: blocked DHCP server response { - "template": "1379988354.643337272 MS220_8P events Blocked DHCP server response from 78:FE:3D:90:7F:48 on VLAN 100", - "sourcetype": "cisco:meraki:switches" + "template": "{{ mark }} {{ epoch }} {{ host }} events Blocked DHCP server response from XX:XX:XX:XX:XX:XX on VLAN 100", + "host_prefix": "MS", + "sourcetype": "meraki:switches" } ] mr_test_data = [ # MR events: 802.11 association { - "template": "1380653443.857790533 MR18 events type=association radio='0' vap='1' channel='6' rssi='23' aid='1813578850'", - "sourcetype": "cisco:meraki:accesspoints" + "template": "{{ mark }} {{ epoch }} {{ host }} events type=association radio='0' vap='1' channel='6' rssi='23' aid='1813578850'", + "host_prefix": "MR", + "sourcetype": "meraki:accesspoints" }, # MR events: WPA authentication { - "template": "1380653443.857790533 MR18 events type=wpa_auth radio='0' vap='1' aid='1813578850'", - "sourcetype": "cisco:meraki:accesspoints" + "template": "{{ mark }} {{ epoch }} {{ host }} events type=wpa_auth radio='0' vap='1' aid='1813578850'", + "host_prefix": "MR", + "sourcetype": "meraki:accesspoints" }, # MR events: splash authentication { - "template": "1380653443.857790533 MR18 events type=splash_auth ip='10.87.195.250 [More Information] ' duration='3600' vap='2' download='5242880bps' upload='5242880bps'", - "sourcetype": "cisco:meraki:accesspoints" + "template": "{{ mark }} {{ epoch }} {{ host }} events type=splash_auth ip='10.87.195.250 [More Information] ' duration='3600' vap='2' download='5242880bps' upload='5242880bps'", + "host_prefix": "MR", + "sourcetype": "meraki:accesspoints" }, # MR flows: flow denied by Layer 3 firewall { - "template": "1380653443.857790533 MR18 flows deny src=10.20.213.144 dst=192.168.111.5 mac=00:F4:B9:78:58:01 protocol=tcp sport=52421 dport=80", - "sourcetype": "cisco:meraki:accesspoints" - }, - # MR events: rogue SSID detected - { - "template": "airmarshal_events type= rogue_ssid_detected ssid='' bssid='02:18:5A:AE:56:00' src='02:18:5A:AE:56:00' dst='02:18:6A:13:09:D0' wired_mac='00:18:0A:AE:56:00' vlan_id='0' channel='157' rssi='21' fc_type='0' fc_subtype='5'", - "sourcetype": "cisco:meraki:accesspoints" + "template": "{{ mark }} {{ epoch }} {{ host }} flows deny src=10.20.213.144 dst=192.168.111.5 mac=00:F4:B9:78:58:01 protocol=tcp sport=52421 dport=80", + "host_prefix": "MR", + "sourcetype": "meraki:accesspoints" } ] @@ -105,27 +111,28 @@ @pytest.mark.parametrize("test_case", test_data) def test_cisco_meraki_syslog_app( - record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, test_case + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, test_case ): - host = get_host_key + model_number = random.randint(60, 200) + model_suffix = random.choice(["", "C", "CW", "W", "-HW", "W-HW"]) + host = f'{test_case["host_prefix"]}{model_number}{model_suffix}' - dt = datetime.datetime.now() + dt = datetime.datetime.now(datetime.timezone.utc) iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) + epoch = epoch - # Tune time functions - epoch_ms = epoch[:-3] + meraki_format_epoch = epoch + "000" # "1691740392.147501" -> "1691740392.147501000" - mt = env.from_string( - "{{ mark }}1 {{ epoch }}123 {{ host }} security_event ids_alerted signature=1:28423:1 priority=1 timestamp={{ epoch }} dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection\n" - ) - message = mt.render(mark="<134>", epoch=epoch, host=host) + mt = env.from_string(test_case["template"] + "\n") + message = mt.render(mark="<134>", epoch=meraki_format_epoch, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + epoch = dt.astimezone().strftime("%s.%f")[:-3] # -> "1691740392.147501" -> "1691740392.147" st = env.from_string( - 'search _time={{ epoch_ms }} index=netfw host="{{ host }}" sourcetype="meraki"' + 'search index=netfw _time={{ epoch }} sourcetype={{ sourcetype }} host={{ host }}' ) - search = st.render(epoch_ms=epoch_ms, host=host) + search = st.render( epoch=epoch, sourcetype=test_case["sourcetype"], host=host) resultCount, eventCount = splunk_single(setup_splunk, search) From 6440ffa2fd75984c000673fc814ae423697a2e65 Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Fri, 11 Aug 2023 11:40:32 +0000 Subject: [PATCH 4/5] feat: add app-almost-syslog-cisco_meraki.conf --- .../app-almost-syslog-cisco_meraki.conf | 28 ++++++++++++++ tests/test_cisco_meraki.py | 38 +++++++++++-------- 2 files changed, 50 insertions(+), 16 deletions(-) create mode 100644 package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_meraki.conf diff --git a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_meraki.conf b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_meraki.conf new file mode 100644 index 0000000000..69ee78f9e8 --- /dev/null +++ b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_meraki.conf @@ -0,0 +1,28 @@ +rewrite set_rfc3164_cisco_meraki{ + set-tag("wireformat:rfc3164_cisco_meraki"); +}; + +block parser app-almost-syslog-cisco_meraki() { + channel { + parser { + regexp-parser( + prefix(".tmp.") + patterns('^(?\<\d+\>) ?(?[A-Z][a-z]{2} *\d{1,2} \d\d:\d\d:\d\d) (?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?\d) (?\d{10}\.\d{9}) (?.*)') + ); + date-parser( + format('%s.%f', '%s') + template("${.tmp.ts2}") + ); + syslog-parser( + flags(assume-utf8, guess-timezone) + template("${.tmp.pri} $S_ISODATE ${.tmp.message}") + ); + }; + rewrite(set_rfc); + rewrite(set_rfc3164); + rewrite(set_rfc3164_cisco_meraki); + }; +}; +application app-almost-syslog-cisco_meraki[sc4s-almost-syslog] { + parser { app-almost-syslog-cisco_meraki(); }; +}; diff --git a/tests/test_cisco_meraki.py b/tests/test_cisco_meraki.py index 63dbacecc2..b448da9ebe 100644 --- a/tests/test_cisco_meraki.py +++ b/tests/test_cisco_meraki.py @@ -23,21 +23,6 @@ "host_prefix": "MX", "sourcetype": "meraki:securityappliances" }, - # # MX events: uplink connectivity change - # { - # "template": "Dec 6 08:46:12 192.168.1.1 1 1386337584.254756845 MX84 events Cellular connection down", - # "sourcetype": "meraki:securityappliances" - # }, - # # MX events: dhcp no offers - # { - # "template": "Sep 11 16:12:41 192.168.10.1 1 1599865961.535491111 MX84 events dhcp no offers for mac A4:83:E7:XX:XX:XX host = 192.168.10.1", - # "sourcetype": "meraki:securityappliances" - # }, - # # MX events: dhcp lease - # { - # "template": "Sep 11 16:05:15 192.168.10.1 1 1599865515.687171503 MX84 events dhcp lease of ip 192.168.10.68 from server mac E0:CB:BC:0F:XX:XX for client mac 8C:16:45:XX:XX:XX from router 192.168.10.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4", - # "sourcetype": "meraki:securityappliances" - # }, # urls: HTTP GET requests { "template": "{{ mark }} {{ epoch }} {{ host }} urls src=1.1.1.1:63735 dst=1.1.1.1:80 mac=XX:XX:XX:XX:XX:XX request: GET https://...", @@ -106,7 +91,28 @@ } ] -test_data = mx_test_data + ms_test_data + mr_test_data +mx_almost_syslog_test_data = [ + # MX events: uplink connectivity change + { + "template": "{{ mark }} Dec 6 08:46:12 1.1.1.1 1 {{ epoch }} {{ host }} events Cellular connection down", + "host_prefix": "MX", + "sourcetype": "meraki:securityappliances" + }, + # MX events: dhcp no offers + { + "template": "{{ mark }} Sep 11 16:12:41 1.1.1.1 1 {{ epoch }} {{ host }} events dhcp no offers for mac A4:83:E7:XX:XX:XX host = 192.168.10.1", + "host_prefix": "MX", + "sourcetype": "meraki:securityappliances" + }, + # MX events: dhcp lease + { + "template": "{{ mark }} Sep 11 16:05:15 1.1.1.1 1 {{ epoch }} {{ host }} events dhcp lease of ip 192.168.10.68 from server mac E0:CB:BC:0F:XX:XX for client mac 8C:16:45:XX:XX:XX from router 192.168.10.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4", + "host_prefix": "MX", + "sourcetype": "meraki:securityappliances" + } +] + +test_data = mx_test_data + ms_test_data + mr_test_data + mx_almost_syslog_test_data @pytest.mark.parametrize("test_case", test_data) From e250fd960907756d82a4a8d2c35fb42873bfd0ec Mon Sep 17 00:00:00 2001 From: mstopa-splunk Date: Fri, 11 Aug 2023 11:53:43 +0000 Subject: [PATCH 5/5] Fix: update unit tests --- tests/test_cisco_meraki.py | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/tests/test_cisco_meraki.py b/tests/test_cisco_meraki.py index b448da9ebe..3481da9f5c 100644 --- a/tests/test_cisco_meraki.py +++ b/tests/test_cisco_meraki.py @@ -19,7 +19,7 @@ mx_test_data = [ # MX events: vpn connectivity change { - "template": "{{ mark }} {{ epoch }} {{ host }} events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='1.1.1.1:51856' peer_ident='2814ee002c075181bb1b7478ee073860' connectivity='false'", + "template": "{{ mark }} {{ epoch }} {{ host }} events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='1.1.1.1:51856' peer_ident='XXXXX' connectivity='false'", "host_prefix": "MX", "sourcetype": "meraki:securityappliances" }, @@ -67,25 +67,25 @@ mr_test_data = [ # MR events: 802.11 association { - "template": "{{ mark }} {{ epoch }} {{ host }} events type=association radio='0' vap='1' channel='6' rssi='23' aid='1813578850'", + "template": "{{ mark }} {{ epoch }} {{ host }} events type=association radio='0' vap='1' channel='6' rssi='23' aid='XXXXXX'", "host_prefix": "MR", "sourcetype": "meraki:accesspoints" }, # MR events: WPA authentication { - "template": "{{ mark }} {{ epoch }} {{ host }} events type=wpa_auth radio='0' vap='1' aid='1813578850'", + "template": "{{ mark }} {{ epoch }} {{ host }} events type=wpa_auth radio='0' vap='1' aid='XXXXXXX'", "host_prefix": "MR", "sourcetype": "meraki:accesspoints" }, # MR events: splash authentication { - "template": "{{ mark }} {{ epoch }} {{ host }} events type=splash_auth ip='10.87.195.250 [More Information] ' duration='3600' vap='2' download='5242880bps' upload='5242880bps'", + "template": "{{ mark }} {{ epoch }} {{ host }} events type=splash_auth ip='1.1.1.1 [More Information] ' duration='3600' vap='2' download='5242880bps' upload='5242880bps'", "host_prefix": "MR", "sourcetype": "meraki:accesspoints" }, # MR flows: flow denied by Layer 3 firewall { - "template": "{{ mark }} {{ epoch }} {{ host }} flows deny src=10.20.213.144 dst=192.168.111.5 mac=00:F4:B9:78:58:01 protocol=tcp sport=52421 dport=80", + "template": "{{ mark }} {{ epoch }} {{ host }} flows deny src=1.1.1.1 dst=1.1.1.1 mac=XX:XX:XX:XX:XX:XX protocol=tcp sport=52421 dport=80", "host_prefix": "MR", "sourcetype": "meraki:accesspoints" } @@ -100,13 +100,13 @@ }, # MX events: dhcp no offers { - "template": "{{ mark }} Sep 11 16:12:41 1.1.1.1 1 {{ epoch }} {{ host }} events dhcp no offers for mac A4:83:E7:XX:XX:XX host = 192.168.10.1", + "template": "{{ mark }} Sep 11 16:12:41 1.1.1.1 1 {{ epoch }} {{ host }} events dhcp no offers for mac XX:XX:XX:XX:XX:XX host = 1.1.1.1", "host_prefix": "MX", "sourcetype": "meraki:securityappliances" }, # MX events: dhcp lease { - "template": "{{ mark }} Sep 11 16:05:15 1.1.1.1 1 {{ epoch }} {{ host }} events dhcp lease of ip 192.168.10.68 from server mac E0:CB:BC:0F:XX:XX for client mac 8C:16:45:XX:XX:XX from router 192.168.10.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4", + "template": "{{ mark }} Sep 11 16:05:15 1.1.1.1 1 {{ epoch }} {{ host }} events dhcp lease of ip 1.1.1.1 from server mac XX:XX:XX:XX:XX:XX for client mac XX:XX:XX:XX:XX:XX from router 1.1.1.1 on subnet 255.255.255.0 with dns 8.8.8.8, 8.8.4.4", "host_prefix": "MX", "sourcetype": "meraki:securityappliances" } @@ -125,7 +125,6 @@ def test_cisco_meraki_syslog_app( dt = datetime.datetime.now(datetime.timezone.utc) iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) - epoch = epoch meraki_format_epoch = epoch + "000" # "1691740392.147501" -> "1691740392.147501000"