Greetings, I am trying to write a regex but am not successful as of yet. I am trying to match the:
Bot: Mariposa Command and Control
Suspicious user-agent strings
Kelihos.Gen Command And Control Traffic
from these logs:
Dec 12 15:08:55 ngf01.ourdomain.com 1,2013/12/12 15:08:55,0009C101128,THREAT,spyware,1,2013/12/12 15:08:49,192.155.89.148,10.17.41.22,0.0.0.0,0.0.0.0,Enterprise-URL-Filter,,,unknown-udp,vsys1,untrust,trust,ethernet1/2,ethernet1/1,Panorama-Log-Forwarding,2013/12/12 15:08:55,1821341,1,7006,2059,0,0,0x80004000,udp,alert,"",Bot: Mariposa Command and Control(12652),any,critical,server-to-client,14479581293,0x0,United States,10.0.0.0-10.255.255.255,0,
Dec 12 14:42:37 ngf01.ourdomain.com 1,2013/12/12 14:42:37,0009C101128,THREAT,spyware,1,2013/12/12 14:42:31,82.80.204.14,10.33.112.112,0.0.0.0,0.0.0.0,Enterprise-URL-Filter,,,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,Panorama-Log-Forwarding,2013/12/12 14:42:36,2034205,1,80,52924,0,0,0x80004000,tcp,alert,"ceb.aspx",Suspicious user-agent strings(10004),any,medium,server-to-client,14477791661,0x0,Israel,10.0.0.0-10.255.255.255,0,
Dec 12 15:05:59 ngf01.ourdomain.com 1,2013/12/12 15:05:59,0009C101128,THREAT,spyware,1,2013/12/12 15:05:54,211.120.150.217,10.17.31.175,0.0.0.0,0.0.0.0,Enterprise-URL-Filter,,,unknown-tcp,vsys1,untrust,trust,ethernet1/2,ethernet1/1,Panorama-Log-Forwarding,2013/12/12 15:05:59,1312191,1,80,2091,0,0,0x80004000,tcp,alert,"",Kelihos.Gen Command And Control Traffic(13390),any,critical,server-to-client,14479382956,0x0,Japan,10.0.0.0-10.255.255.255,0,
Any help would be greatly appreciated!
Dave
Ugh, I think I can pull this out now. So PAN looks to the 5 digit code after the threat: 12652, 10004, 13390 (from above) and then looks up that code in a lookup to come up with the name of the threat.
I think I can take it from here. Thanks alacercogitatus for pointing me in the right direction.
Ugh, I think I can pull this out now. So PAN looks to the 5 digit code after the threat: 12652, 10004, 13390 (from above) and then looks up that code in a lookup to come up with the name of the threat.
I think I can take it from here. Thanks alacercogitatus for pointing me in the right direction.
OK, so the PAN app has it, how do I find the regex or how it defines the "threat_id" field from the app?
It is coming from a Palo Alto 5050. I am now looking through the PAN app. Thanks.
Where are the logs coming from? There might be an exisiting TA to handle extractions.