2017-12-27 11:28 AM
Hello
I need to parse a firewall log but every time I parse it, NW doesn't give me any useful results.
This is the parser:
device="SFW" date=2017-01-01 time=13:36:34 timezone="WET" device_name="things" device_id=AA203100004445 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=300 fw_rule_id=02 policy_type=1 user_name="anonimo@sapo.pt" user_gp="utilizadores" iap=66 ips_policy_id=7 appfilter_policy_id=8 application="Secure Socket Layer Protocol" application_risk=10 application_technology="Network Protocol" application_category="Infrastructure" in_interface="" out_interface="WAN" src_mac=00: 0:00: 0:00: 0 src_ip=10.000.000.00 src_country_code=A1 dst_ip=200.00.000.111 dst_country_code=USA protocol="TCP" src_port=12345 dst_port=123 sent_pkts=66 recv_pkts=66 sent_bytes=6666 recv_bytes=6666 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="2183694848" vconnid="" hb_health="No Heartbeat"
I'm using NW LPT 1.0.
2018-01-04 03:07 PM
2018-01-04 05:09 PM
Renato, I've created a parser for the Firewall events you pasted using SFW as the header ID - this should get you most of the way towards your goal and help as a base to create message IDs for additional events, such as the "Content Filtering" log.
You can also modify the fields I chose for the Firewall event to be more applicable to your environment.
2018-01-05 11:19 AM
Hello Joshua,
Many thanks for that. It was a bit different from the one I built... let's hope that this time we can achieve success.
I already created one for the Content Filtering Log, based on the one you sent me.
Once again,
Thanks
2018-01-18 03:51 AM
Can anyone tell me how many messages I can create in the parser?
I made 5 or 6 and one of the messages doesn't get parsed in NW.
2018-01-18 06:51 AM
Renato
I am looking at the logs you show vs the ones that are in the UI. When you exported the logs, did you do it as 'text'?
That is the only way that works with the LPT.
As far as how many messages you can define? It's basically unlimited.
Dave
2018-01-18 07:15 AM
Hello Dave,
Yes, I exported as text. And to be honest, the ones that I shared are working after the help of Joshua.
But in the log of that firewall there are some that aren't, like this one:
device="SFW" date=2018-01-17 time=16:35:57 timezone="WET" device_name="CR200iNG" device_id=C203143log_id=0309062 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=10 user_name="anything@something.com" iap=18 av_policy_name="" virus="Sandstorm" url="http://apps.abc/anything/alerts.zip" domainname="apps" src_ip=192.000.000.000 src_country_code=R1 dst_ip=192.000.000.001 dst_country_code=R1 protocol="TCP" src_port=51111 dst_port=0080 sent_bytes=0 recv_bytes=333
and as you can see in the picture it has been parsed.
Thanks in advance for the help.
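Both events pasted in this thread share one key=value layout. As an added example (not the LPT, and not Joshua's parser), here is a small Python tokeniser for that layout that copes with quoted values containing spaces and with empty values such as tran_src_ip=, plus a hypothetical selector that matches the header on device="SFW" and keys the message on log_type/log_component/log_subtype; the message keying is an assumption about how you might split messages, not an LPT rule, and the sample lines are constructed, shortened copies of the two events above.

```python
import re
from typing import Dict, Optional

# Tokeniser for the key=value lines in this thread: a value is either
# double-quoted (may contain spaces, e.g. "Firewall Rule") or bare
# (no spaces, possibly empty, e.g. tran_src_ip=).
_KV = re.compile(r'(?P<key>\w+)=(?P<val>"(?:[^"\\]|\\.)*"|[^\s"]*)')

def parse_kv(line: str) -> Dict[str, str]:
    """Split one log line into a {field: value} dict; quotes are stripped."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        val = m.group("val")
        if val.startswith('"'):
            val = val[1:-1]  # drop the surrounding quotes, keep inner spaces
        fields[m.group("key")] = val
    return fields

def message_id(fields: Dict[str, str]) -> Optional[str]:
    """Hypothetical selector: header on device="SFW", message keyed on
    log_type/log_component/log_subtype (an assumption, not LPT's rule)."""
    if fields.get("device") != "SFW":
        return None  # header does not match, so no message is selected
    return "SFW:" + "/".join(
        fields.get(k, "") for k in ("log_type", "log_component", "log_subtype"))

# Constructed samples, shortened from the two events pasted in the thread.
FIREWALL_LINE = (
    'device="SFW" date=2017-01-01 time=13:36:34 timezone="WET" '
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
    'status="Allow" priority=Information fw_rule_id=02 user_name="anonimo@sapo.pt" '
    'application="Secure Socket Layer Protocol" in_interface="" out_interface="WAN" '
    'src_ip=10.000.000.00 dst_ip=200.00.000.111 protocol="TCP" src_port=12345 '
    'dst_port=123 tran_src_ip= tran_src_port=0 connevent="Stop"'
)
ANTIVIRUS_LINE = (
    'device="SFW" date=2018-01-17 time=16:35:57 log_type="Anti-Virus" '
    'log_component="HTTP" log_subtype="Virus" status="" priority=Critical '
    'fw_rule_id=10 virus="Sandstorm" url="http://apps.abc/anything/alerts.zip" '
    'src_ip=192.000.000.000 dst_ip=192.000.000.001 protocol="TCP" '
    'src_port=51111 dst_port=0080 sent_bytes=0 recv_bytes=333'
)

if __name__ == "__main__":
    for line in (FIREWALL_LINE, ANTIVIRUS_LINE):
        f = parse_kv(line)
        print(message_id(f), "->", f["src_ip"], f["dst_ip"], f.get("virus", ""))
```

A line whose device value is anything other than SFW yields no message id, which is the same symptom as a header mismatch in the tool.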
2018-01-18 08:48 AM
Do you mean the red dots? If so then that is ok, it's just the way some things are written.
The red indicates no header nor message, as I would expect with an empty line
2018-01-18 08:56 AM
I mean the green ones.
The log I copied above the picture is one of those two with green dots.
2018-01-18 09:01 AM
Do you mind if we take this over email so I can get a bit more info?
dave dot glover at rsa dot com
2018-01-18 09:09 AM
Don't mind at all...
Already sent the email