Hi,
i am Developing an app for integrating arbor pravail ddos logs. Extracted the fields and mapped to CIM. but when i am trying to access from security app dashboard, no reports are shown.
sample log
Oct 2 04:05:32 10.1.1.1 ddos pravail: Blocked Host: Blocked host 192.168.1.1 at 04:05 by TLS Attack Prevention using TCP/443 (HTTPS) destination 172.16.1.1 URL: https://internalurl
props.conf
[arbor_test]
EXTRACT-category = (?i)^(?:[^ ]* ){5}(?P[^ ]+)
EXTRACT-dest = (?i) destination (?P[^,]+)
EXTRACT-dvc = (?i)^(?:[^ ]* ){4}(?P[^ ]+)
EXTRACT-signature = (?i) by (?P\w+\s+\w+)
EXTRACT-src = (?i) host (?P[^ ]+)
EXTRACT-action = (?i) .*?: (?P\w+)(?= )
EXTRACT-dest_port = (?i) .*?/(?P\d+)(?= )
EXTRACT-url = (?i),URL: (?P.+)
EXTRACT-arbor_signature = (?i) by (?P.+?)\s+\w+\s+\d+
LOOKUP-vendor_info_for_arbor_test = arbor_test_vendor_info_lookup.csv sourcetype OUTPUT ids_type,vendor,product,severity
Eventtype
[arbor_test]
search = sourcetype=arbor_test
Tags
[eventtype=arbor_test]
attack = enabled
ids = enabled
network = enabled
communicate = enabled
Lookup
sourcetype vendor product ids_type severity
arbor_test arbor IPS network critical
Inputs are welcome.
Sididqu.T
You need a metadata
directory with a default.meta
file that has this in it:
[]
access = read : [ * ], write : [ admin ]
export = system
NETSCOUT Arbor has released an official Splunk Technical Add-On for NETSCOUT Arbor Edge Defense, also for Availability Protection System. Both of these projects were formerly known as Pravail.
NETSCOUT Arbor has released an official Splunk Technical Add-On for NETSCOUT Arbor Edge Defense, also for Availability Protection System. Both of these projects were formerly known as Pravail.
https://github.com/arbor/TA_netscout_aed
,NETSCOUT Arbor has posted an official Splunk Technical Add-On for NETSCOUT Arbor Edge Defense, also Availability Protection System, both formerly known as Pravail.
I was looking at the same today. To Ayn's point about adding in the field name, I made a few changes (in props.conf) and slightly changed another thing or two. It seems to be working well thus far.
[arbor_test]
EXTRACT-Extract src_port = (?i) source port (?P<src_port>\d+)
EXTRACT-category = (?i)^(?:[^ ]* ){5}(?P<category>[^ ]+)
EXTRACT-dest_ip = (?i) destination (?P<dest_ip>[^ ]+)
EXTRACT-signature = (?i) by (?P<signature>\w+\s+\w+)
EXTRACT-src_ip = (?i) host (?P<src_ip>[^ ]+)
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
EXTRACT-dest_port = (?i) .*?/(?P<dest_port>\d+)(?= )
EXTRACT-url = (?i),URL: (?P<url>.+)
EXTRACT-arbor_signature = (?i) by (?P<arbor_signature>.+?)\s+\w+\s+\d+
Sididqu;
Have you completed this app?
I too am looking for possible Arbor Pravail integration...
Thank you.
@masiddiqu Out of curiousity, have you made any headway with your development? Thanks!
I don't see any capture group names in your EXTRACT statements. When you extract fields using EXTRACT, you need to include what field name the matching text should be written to, like this:
EXTRACT-foo = (?<somefield>matchingtext)
The text after EXTRACT (in this case "foo") is not the field name, it's just a unique identifier for your EXTRACT statement.