IPS Alert Log for ICMP
"CEF:0|HP|XXXX|1.2.1.0000|79|ICMP: Echo Reply|1|dvchost=NGFW.IPS dvc=10.0.0.101 cat=IpsAlert deviceFacility=IPS act=Permit cs2=00000002-0002-0002-0002-000000000079 cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000000079 cs3Label=Signature UUID proto=ICMP src=192.168.1.1 dst=10.0.0.201 start=Feb 25 2016 14:39:28+0000 cnt=1 deviceInboundInterface=ethernet1 deviceOutboundInterface=ethernet2 cs1=20000 cs1Label=Rule cs5=Default IPS Profile cs5Label=Inspection Profile externalId=1317822437469935396918053171245265\n"
IPS Alert Log for TCP
"CEF:0|HP|XXXX|1.2.1.0000|16538|TCP: OpenSSL ClientHello Message|1|dvchost=NGFW.IPS dvc=10.0.0.101 cat=IpsAlert deviceFacility=IPS act=Permit cs2=00000002-0002-0002-0002-000000016538 cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000016538 cs3Label=Signature UUID proto=TCP src=192.168.1.1 spt=31964 dst=10.0.0.201 dpt=50707 start=Feb 25 2016 14:37:53+0000 cnt=1 deviceInboundInterface=ethernet2 deviceOutboundInterface=ethernet1 cs1=20000 cs1Label=Rule cs5=Default IPS Profile cs5Label=Inspection Profile externalId=1317822437469935396918053037030539"
IPS Alert Log for HTTP
"CEF:0|HP|XXXX|1.2.1.0000|17084|HTTP: Compressed File Download|1|dvchost=NGFW.IPS dvc=10.0.0.101 cat=IpsAlert deviceFacility=IPS act=Permit cs2=00000002-0002-0002-0002-000000017084 cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000017084 cs3Label=Signature UUID src=192.168.1.1 spt=20480 dst=10.0.0.201 dpt=54465 start=Feb 25 2016 14:36:26+0000 cnt=1 deviceInboundInterface=ethernet2 deviceOutboundInterface=ethernet1 cs1=20000 cs1Label=Rule cs5=Default IPS Profile cs5Label=Inspection Profile externalId=1317822437469935396918053171251576"
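filter {
  # Handle only events tagged as CEF.
  # NOTE(review): the sample JSON output further down shows "type": "syslog",
  # so confirm which input/filter stage sets [type] to "CEF" before relying on
  # this condition.
  if [type] == "CEF" {
    # Keep a verbatim copy of the raw CEF line BEFORE anything splits it.
    # This must be its own mutate block: inside one mutate, add_field is applied
    # after split, so saving the copy alongside the split captured the already
    # split array (joined with commas, e.g. "CEF:0,HP,XXXX,...") rather than the
    # original pipe-delimited line. That is why the sample output below shows a
    # comma-separated "message".
    mutate {
      add_field => { "tmp_message" => "%{message}" }
    }
    # Split the CEF header on "|" and expose the seven header positions as fields.
    # Caveat: CEF escapes a literal "|" inside a header value as "\|"; this plain
    # split does not honour that escape, so such a line would shift the header
    # indices. Only indices 0-6 are read here, so extra pipes in the extension
    # (index 7 onward) do not matter.
    mutate {
      split => ["message", "|"]
      add_field => { "cef_version" => "%{message[0]}" }
      add_field => { "cef_device_vendor" => "%{message[1]}" }
      add_field => { "cef_device_product" => "%{message[2]}" }
      add_field => { "cef_device_version" => "%{message[3]}" }
      add_field => { "cef_sig_id" => "%{message[4]}" }
      add_field => { "cef_sig_name" => "%{message[5]}" }
      add_field => { "cef_sig_severity" => "%{message[6]}" }
    }
    # Parse the key=value extension.
    kv {
      # Splitting on a single space truncates values that contain spaces
      # (e.g. "cs5=Default IPS Profile" keeps only "Default"); none of those
      # keys are in the allow list below, so nothing of interest is lost.
      field_split => " "
      trimkey => "<>\[\], "
      trim => "<>\[\],"
      # Explicit allow list: only these keys become event fields, so key names
      # supplied by the device (or by whatever it logged) cannot create
      # arbitrary fields in the index.
      include_keys => ["cat","act","proto","dst","dpt","src","spt"]
    }
    mutate {
      # Rename the extracted keys to cef_traffic_* names.
      rename => [ "cat", "cef_traffic_category"]
      rename => [ "act", "cef_traffic_action"]
      rename => [ "proto", "cef_traffic_proto"]
      rename => [ "dst", "cef_traffic_dst_ip"]
      rename => [ "dpt", "cef_traffic_dst_port"]
      rename => [ "src", "cef_traffic_src_ip"]
      rename => [ "spt", "cef_traffic_src_port"]
      # Restore the untouched CEF line and drop the scratch field.
      replace => { "message" => "%{tmp_message}" }
      remove_field => [ "tmp_message" ]
    }
  }
}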
# Logstash JSON Output for ICMP Alerts
"message": "CEF:0,HP,XXXX,1.2.1.0000,79,ICMP: Echo Reply,1,dvchost=NGFW.IPS <snipped>
"@version": "1",
"@timestamp": "2016-02-25T10:40:32.103Z",
"type": "syslog",
"host": "10.0.0.101 ",
"priority": 13,
"timestamp8601": "2016-02-25T10:40:32.103+00:00",
"logsource": "NGFW",
"program": "NGFW",
"severity": 5,
"facility": 1,
"timestamp": "2016-02-25T10:40:32.103+00:00",
"facility_label": "user-level",
"severity_label": "Notice",
"index_name": "ngfw",
"cef_version": "CEF:0",
"cef_device_vendor": "HP",
"cef_device_product": "XXXX",
"cef_device_version": "1.2.1.0000",
"cef_sig_id": "79",
"cef_sig_name": "ICMP: Echo Reply",
"cef_sig_severity": "1",
"cef_traffic_category": "IpsAlert",
"cef_traffic_action": "Permit",
"cef_traffic_proto": "ICMP",
"cef_traffic_dst_ip": "10.0.0.201",
"cef_traffic_src_ip": "192.168.1.1"
# Logstash JSON Output for TCP Alerts
"message": "CEF:0,HP,XXXX,1.2.1.0000,16538,TCP: OpenSSL ClientHello Message,1,dvchost=NGFW.IPS <snipped>
"@version": "1",
"@timestamp": "2016-02-25T10:40:55.408Z",
"type": "syslog",
"host": "10.0.0.101 ",
"priority": 13,
"timestamp8601": "2016-02-25T10:40:55.408+00:00",
"logsource": "NGFW",
"program": "NGFW",
"severity": 5,
"facility": 1,
"timestamp": "2016-02-25T10:40:55.408+00:00",
"facility_label": "user-level",
"severity_label": "Notice",
"index_name": "ngfw",
"cef_version": "CEF:0",
"cef_device_vendor": "HP",
"cef_device_product": "XXXX",
"cef_device_version": "1.2.1.0000",
"cef_sig_id": "16538",
"cef_sig_name": "TCP: OpenSSL ClientHello Message",
"cef_sig_severity": "1",
"cef_traffic_category": "IpsAlert",
"cef_traffic_action": "Permit",
"cef_traffic_proto": "TCP",
"cef_traffic_dst_ip": "10.0.0.201",
"cef_traffic_dst_port": "50707",
"cef_traffic_src_ip": "192.168.1.1",
"cef_traffic_src_port": "31964"
# Logstash JSON Output for HTTP Alerts
"message": "CEF:0,HP,XXXX,1.2.1.0000,17084,HTTP: Compressed File Download,1,dvchost=NGFW.IPS dvc=10.0.0.101 <snipped>
"@version": "1",
"@timestamp": "2016-02-25T10:41:26.106Z",
"type": "syslog",
"host": "10.0.0.101 ",
"priority": 13,
"timestamp8601": "2016-02-25T10:41:26.106+00:00",
"logsource": "NGFW",
"program": "NGFW",
"severity": 5,
"facility": 1,
"timestamp": "2016-02-25T10:41:26.106+00:00",
"facility_label": "user-level",
"severity_label": "Notice",
"index_name": "ngfw",
"cef_version": "CEF:0",
"cef_device_vendor": "HP",
"cef_device_product": "XXXX",
"cef_device_version": "1.2.1.0000",
"cef_sig_id": "17084",
"cef_sig_name": "HTTP: Compressed File Download",
"cef_sig_severity": "1",
"cef_traffic_category": "IpsAlert",
"cef_traffic_action": "Permit",
"cef_traffic_dst_ip": "10.0.0.201",
"cef_traffic_dst_port": "54465",
"cef_traffic_src_ip": "192.168.1.1",
"cef_traffic_src_port": "20480"