From 32276aa2de4f17df4f460ee7ccd6494280468391 Mon Sep 17 00:00:00 2001
From: Thomas <1869080+ThoZed@users.noreply.github.com>
Date: Tue, 19 Jun 2018 18:26:49 +0200
Subject: [PATCH] Extractor for 1600-0065
---
 LookupTables/fireware_msg_id_lookup_table.csv | 1 +
 content_pack_input.json | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/LookupTables/fireware_msg_id_lookup_table.csv b/LookupTables/fireware_msg_id_lookup_table.csv
index d659f12..8745077 100644
--- a/LookupTables/fireware_msg_id_lookup_table.csv
+++ b/LookupTables/fireware_msg_id_lookup_table.csv
@@ -574,3 +574,4 @@
 "7001-0009","INFO","Mobile Security / Endpoint Manager","Mobile device user session recreated","User session is recreated because the mobile device IP address changed."
 "7002-0000","INFO","Mobile Security / Endpoint Manager","Mobile device Authorization Agreement sign action","The Device Authorization Agreement is either accepted or declined by a user at the specified local time."
 "1600-0065","INFO","Networking / DHCP Server","DHCP Message","DHCP related Messages generated by builtin DHCP-Server"
+"1600-0066","INFO","Networking / DHCP Server","DHCP Message","DHCP related Messages generated by builtin DHCP-Server"
diff --git a/content_pack_input.json b/content_pack_input.json
index 84609d4..ef6dd8b 100644
--- a/content_pack_input.json
+++ b/content_pack_input.json
@@ -138,7 +138,7 @@
 "converters": [],
 "condition_type": "NONE",
 "condition_value": "",
- "order": 13
+ "order": 14
 }, {
 "title": "Firewall PacketFilter INFO 3000-0148",
 "type": "GROK",
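Review bot: The new 1600-0066 row repeats the 1600-0065 row's title and description word for word, so a lookup on either id enriches the event with identical text and the two messages remain indistinguishable downstream. If the vendor catalog gives 1600-0066 its own title or description, use that text; if the two really share one description, saying so in the commit message would keep the duplication from reading as a copy-paste slip. Note also that the subject line names 1600-0065 while both files in the patch add 1600-0066.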
@@ -204,6 +204,19 @@
 "condition_type": "REGEX",
 "condition_value": "^.*msg_id=\"1600-0065\".*",
 "order": 12
+ }, {
+ "title": "Networking DHCP INFO 1600-0066",
+ "type": "GROK",
+ "cursor_strategy": "COPY",
+ "target_field": "",
+ "source_field": "message",
+ "configuration": {
+ "grok_pattern": "^.*\\) %{NOTSPACE:service}\\[%{NOTSPACE:process}\\]: msg_id=\"1600-0066\" %{DHCPMESSAGE:dhcp_message} (from|(for %{IPV4:dhcp_clientip}|for %{IPV4:dhcp_clientip} \\(%{IPV4:dhcp_serverip}\\)) from) %{MAC:dhcp_clientmac} (via|\\(%{NOTSPACE:dhcp_clientname}\\) via) vlan%{NUMBER:dhcp_clientvlan}"
+ },
+ "converters": [],
+ "condition_type": "REGEX",
+ "condition_value": "^.*msg_id=\"1600-0066\".*",
+ "order": 13
 }
 ]
 }],
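Review bot: The grok pattern for 1600-0066 looks like a verbatim copy of the 1600-0065 extractor with only the id swapped (the 1600-0065 pattern sits above the hunk, so this is inferred from its condition line and order), leaving two long patterns that will drift apart on the next fix. If the 1600-0065 pattern really is identical, one extractor with condition `^.*msg_id=\"1600-006[56]\".*` and `msg_id=\"1600-006[56]\"` in the grok covers both ids without the duplication. Separately, `\\(%{NOTSPACE:dhcp_clientname}\\)` stops at the first space, so a client hostname containing whitespace makes the whole pattern fail and the message is left entirely unextracted; `\\(%{DATA:dhcp_clientname}\\)`, bounded by the closing parenthesis, tolerates that. The hostname is supplied by the DHCP client, so any rule or dashboard keyed on dhcp_clientname should treat it as an untrusted label rather than an identity. The enclosing extractor array starts above the hunk.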