From cdf457fbc59ea3d52ed315fbadd252d9c80fb334 Mon Sep 17 00:00:00 2001 
From: "Zane C. Bowers-Hadley" Date: Mon, 25 Apr 2022 20:30:49 -0500 Subject: [PATCH] add Suricata monitoring (#13942) * add poller * add a generic alert graph * add support for .total * add the initial work on the suricata app page * add applayer flow sources * more rrd work and add more fields * add a missing graph to the suricata page * add suricata to the apps page * all working now for suricata * add some suricata alert examples * all done with the php * update the application docs for Suricata * add another note about Suricata stats in the docs * add the test file * add the test JSON * remove a unneeded newline from the appication docs * correct the type uptime type * packets graph should by packets/sec * minor formatting cleanup * one more minor formatting cleanup * shot in the dark to see if something fixes the angry linter * fix snmpsim file * add metrics * add values to the metrics * add a missing comma to the json * add a missing line to snmprec and cleanup json a bit * a few more minor changes to see if this makes it happy... regened via scripts/json-app-tool.php * see if this will make it happy * add suricata to app discovery and hope that fixes it... 
take a shot in the dark as to why the linter errors strangely on two of the files * fix json * add a missing ] to the json * rename two graphs so it does not trigger one alert and add a missing metric * whoops, *_alertString is not a metric --- doc/Extensions/Applications.md | 31 + includes/discovery/applications.inc.php | 1 + includes/html/functions.inc.php | 27 + .../graphs/application/suricata_alert.inc.php | 29 + .../application/suricata_app_flows.inc.php | 154 ++ .../application/suricata_app_tx.inc.php | 144 ++ .../graphs/application/suricata_bytes.inc.php | 29 + .../application/suricata_dec_proto.inc.php | 114 ++ .../application/suricata_flow_proto.inc.php | 44 + .../application/suricata_mem_use.inc.php | 49 + .../application/suricata_nasty_delta.inc.php | 49 + .../suricata_nasty_percent.inc.php | 39 + .../application/suricata_packets.inc.php | 44 + .../application/suricata_uptime.inc.php | 29 + includes/html/pages/apps.inc.php | 12 + .../html/pages/device/apps/suricata.inc.php | 73 + .../polling/applications/suricata.inc.php | 219 +++ misc/alert_rules.json | 45 + tests/data/linux_suricata-v1.json | 1260 +++++++++++++++++ tests/snmpsim/linux_suricata-v1.snmprec | 10 + 20 files changed, 2402 insertions(+) create mode 100644 includes/html/graphs/application/suricata_alert.inc.php create mode 100644 includes/html/graphs/application/suricata_app_flows.inc.php create mode 100644 includes/html/graphs/application/suricata_app_tx.inc.php create mode 100644 includes/html/graphs/application/suricata_bytes.inc.php create mode 100644 includes/html/graphs/application/suricata_dec_proto.inc.php create mode 100644 includes/html/graphs/application/suricata_flow_proto.inc.php create mode 100644 includes/html/graphs/application/suricata_mem_use.inc.php create mode 100644 includes/html/graphs/application/suricata_nasty_delta.inc.php create mode 100644 includes/html/graphs/application/suricata_nasty_percent.inc.php create mode 100644 
includes/html/graphs/application/suricata_packets.inc.php create mode 100644 includes/html/graphs/application/suricata_uptime.inc.php create mode 100644 includes/html/pages/device/apps/suricata.inc.php create mode 100644 includes/polling/applications/suricata.inc.php create mode 100644 tests/data/linux_suricata-v1.json create mode 100644 tests/snmpsim/linux_suricata-v1.snmprec diff --git a/doc/Extensions/Applications.md b/doc/Extensions/Applications.md index a22f0d05546c..96cb8f4ddf0e 100644 --- a/doc/Extensions/Applications.md +++ b/doc/Extensions/Applications.md @@ -2152,6 +2152,37 @@ extend supervisord /etc/snmp/supervisord.py systemctl restart snmpd ``` +## Suricata + +### SNMP Extend + +1. Install the extend. +``` +cpanm Suricata::Monitoring +``` + +2. Setup cron. Below is a example. +``` +*/5 * * * * /usr/local/bin/suricata_stat_check > /dev/null +``` + +3. Configure snmpd.conf +``` +extend suricata-stats /usr/bin/env PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin suricata_stat_check -c +``` + +4. Restart snmpd on your system. + +You will want to make sure Suricata is set to output the stats +to the eve file once a minute. This will help make sure that +it won't be to far back in the file and will make sure it is +recent when the cronjob runs. + +Any configuration of suricata_stat_check should be done in the cron +setup. If the default does not work, check the docs for it at +[MetaCPAN for +suricata_stat_check](https://metacpan.org/dist/Suricata-Monitoring/view/bin/suricata_stat_check) + ## TinyDNS aka djbdns ### Agent diff --git a/includes/discovery/applications.inc.php b/includes/discovery/applications.inc.php index b0c5a863a224..e2e4942c5ba7 100644 --- a/includes/discovery/applications.inc.php +++ b/includes/discovery/applications.inc.php 
@@ -46,6 +46,7 @@ $applications['osupdate'] = 'os-updates'; $applications['phpfpmsp'] = 'php-fpm'; $applications['postfixdetailed'] = 'postfix'; + $applications['suricata-stats'] = 'suricata'; } d_echo(PHP_EOL . 'Available: ' . implode(', ', array_keys($applications)) . PHP_EOL); diff --git a/includes/html/functions.inc.php b/includes/html/functions.inc.php index 0f736a5b4731..24d619503de5 100644 --- a/includes/html/functions.inc.php +++ b/includes/html/functions.inc.php @@ -1324,6 +1324,33 @@ function get_sensor_label_color($sensor, $type = 'sensors') return "" . trim(Number::formatSi($sensor['sensor_current'], 2, 3, $unit)) . ''; } +/** + * Returns a list of the various suricata instances for + * the specified device id. + * + * @param $device_id + * @return array + */ +function get_suricata_instances($device_id) +{ + $options = [ + 'filter' => [ + 'type' => ['=', 'suricata'], + ], + ]; + + $component = new LibreNMS\Component(); + $ourc = $component->getComponents($device_id, $options); + + if (isset($ourc[$device_id])) { + $id = $component->getFirstComponentID($ourc, $device_id); + + return json_decode($ourc[$device_id][$id]['instances']); + } + + return []; +} + /** * @params int unix time * @params int seconds diff --git a/includes/html/graphs/application/suricata_alert.inc.php b/includes/html/graphs/application/suricata_alert.inc.php new file mode 100644 index 000000000000..31b9ba13c353 --- /dev/null +++ b/includes/html/graphs/application/suricata_alert.inc.php @@ -0,0 +1,29 @@ + $rrd_filename, + 'descr' => 'Alert Status', + 'ds' => 'alert', + ]; +} else { + d_echo('RRD "' . $rrd_filename . '" not found'); +} + +require 'includes/html/graphs/generic_multi_line.inc.php'; diff --git a/includes/html/graphs/application/suricata_app_flows.inc.php b/includes/html/graphs/application/suricata_app_flows.inc.php new file mode 100644 index 000000000000..a392d8a1a794 --- /dev/null +++ b/includes/html/graphs/application/suricata_app_flows.inc.php 
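Review bot: `get_suricata_instances()` is documented as returning an array, but `json_decode($ourc[$device_id][$id]['instances'])` yields null when the stored value is missing or is not valid JSON, and the docblock gives `$device_id` no type. The stored list is written by the poller from instance names reported by the monitored host, so it is worth decoding defensively: `$instances = json_decode($ourc[$device_id][$id]['instances'] ?? '[]', true);` followed by `return is_array($instances) ? $instances : [];`. The docblock line would then read `@param int $device_id`.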
@@ -0,0 +1,154 @@
+ $rrd_filename,
+ 'descr' => 'DCERPC TCP',
+ 'ds' => 'af_dcerpc_tcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'DCERPC UDP',
+ 'ds' => 'af_dcerpc_udp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'DHCP',
+ 'ds' => 'af_dhcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'DNS TCP',
+ 'ds' => 'af_dns_tcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'DNS UDP',
+ 'ds' => 'af_dns_udp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'Failed TCP',
+ 'ds' => 'af_failed_tcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'Failed UDP',
+ 'ds' => 'af_failed_udp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'FTP',
+ 'ds' => 'af_ftp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'FTP-DATA',
+ 'ds' => 'af_ftp_data',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'HTTP',
+ 'ds' => 'af_http',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'IKEv2',
+ 'ds' => 'af_ikev2',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'IMAP',
+ 'ds' => 'af_imap',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'Krb5 TCP',
+ 'ds' => 'af_krb5_tcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'Krb5 UDP',
+ 'ds' => 'af_krb5_udp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'MQTT',
+ 'ds' => 'af_mqtt',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'NFS TCP',
+ 'ds' => 'af_nfs_tcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'NFS UDP',
+ 'ds' => 'af_nfs_udp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'RDP',
+ 'ds' => 'af_rdp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'RFB',
+ 'ds' => 'af_rfb',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'SIP',
+ 'ds' => 'af_sip',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'SMB',
+ 'ds' => 'af_smb',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'SMTP',
+ 'ds' => 'af_smtp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'SNMP',
+ 'ds' => 'af_snmp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'ssh',
+ 'ds' => 'af_ssh',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'TFTP',
+ 'ds' => 'af_tftp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'TLS',
+ 'ds' => 'af_tls',
+ ];
+} else {
+ d_echo('RRD "' . $rrd_filename . '" not found');
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';
diff --git a/includes/html/graphs/application/suricata_app_tx.inc.php b/includes/html/graphs/application/suricata_app_tx.inc.php
new file mode 100644
index 000000000000..4550e45591c5
--- /dev/null
+++ b/includes/html/graphs/application/suricata_app_tx.inc.php
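Review bot: The flow list in `suricata_app_flows.inc.php` has no entry for `af_ntp`, although the poller in this commit defines that dataset alongside the others; `suricata_app_tx.inc.php` likewise omits `at_ntp`, and `suricata_dec_proto.inc.php` leaves out `dec_ethernet` and `dec_raw`. If the omission is not deliberate, add `$rrd_list[] = ['filename' => $rrd_filename, 'descr' => 'NTP', 'ds' => 'af_ntp'];` (and the `at_ntp` equivalent) so the graphs cover everything that is collected. The `'ssh'` label is also the only lower-case description in the list. The top of each file, where `$rrd_filename` is built, is not visible on this page.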
@@ -0,0 +1,144 @@
+ $rrd_filename,
+ 'descr' => 'DCERPC TCP',
+ 'ds' => 'at_dcerpc_tcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'DCERPC UDP',
+ 'ds' => 'at_dcerpc_udp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'DHCP',
+ 'ds' => 'at_dhcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'DNS TCP',
+ 'ds' => 'at_dns_tcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'DNS UDP',
+ 'ds' => 'at_dns_udp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'FTP',
+ 'ds' => 'at_ftp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'FTP-DATA',
+ 'ds' => 'at_ftp_data',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'HTTP',
+ 'ds' => 'at_http',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'IKEv2',
+ 'ds' => 'at_ikev2',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'IMAP',
+ 'ds' => 'at_imap',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'Krb5 TCP',
+ 'ds' => 'at_krb5_tcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'Krb5 UDP',
+ 'ds' => 'at_krb5_udp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'MQTT',
+ 'ds' => 'at_mqtt',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'NFS TCP',
+ 'ds' => 'at_nfs_tcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'NFS UDP',
+ 'ds' => 'at_nfs_udp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'RDP',
+ 'ds' => 'at_rdp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'RFB',
+ 'ds' => 'at_rfb',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'SIP',
+ 'ds' => 'at_sip',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'SMB',
+ 'ds' => 'at_smb',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'SMTP',
+ 'ds' => 'at_smtp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'SNMP',
+ 'ds' => 'at_snmp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'ssh',
+ 'ds' => 'at_ssh',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'TFTP',
+ 'ds' => 'at_tftp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'TLS',
+ 'ds' => 'at_tls',
+ ];
+} else {
+ d_echo('RRD "' . $rrd_filename . '" not found');
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';
diff --git a/includes/html/graphs/application/suricata_bytes.inc.php b/includes/html/graphs/application/suricata_bytes.inc.php
new file mode 100644
index 000000000000..27dc675f68c5
--- /dev/null
+++ b/includes/html/graphs/application/suricata_bytes.inc.php
@@ -0,0 +1,29 @@
+ $rrd_filename,
+ 'descr' => 'Bytes',
+ 'ds' => 'bytes',
+ ];
+} else {
+ d_echo('RRD "' . $rrd_filename . '" not found');
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';
diff --git a/includes/html/graphs/application/suricata_dec_proto.inc.php b/includes/html/graphs/application/suricata_dec_proto.inc.php
new file mode 100644
index 000000000000..927912cf219c
--- /dev/null
+++ b/includes/html/graphs/application/suricata_dec_proto.inc.php
@@ -0,0 +1,114 @@
+ $rrd_filename,
+ 'descr' => 'IPv4',
+ 'ds' => 'dec_ipv4',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'IPv6',
+ 'ds' => 'dec_ipv6',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'TCP',
+ 'ds' => 'dec_tcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'UDP',
+ 'ds' => 'dec_udp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'SCTP',
+ 'ds' => 'dec_sctp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'CHDLC',
+ 'ds' => 'dec_chdlc',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'GENEVE',
+ 'ds' => 'dec_geneve',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'IEEE 802.1ah',
+ 'ds' => 'dec_ieee8021ah',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'IPv4 in IPv6',
+ 'ds' => 'dec_ipv4_in_ipv6',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'MPLS',
+ 'ds' => 'dec_mpls',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'PPP',
+ 'ds' => 'dec_ppp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'PPPoE',
+ 'ds' => 'dec_pppoe',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'SLL',
+ 'ds' => 'dec_sll',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'Teredo',
+ 'ds' => 'dec_teredo',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'VLAN',
+ 'ds' => 'dec_vlan',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'VLAN Q-in-Q',
+ 'ds' => 'dec_vlan_qinq',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'VNTAG',
+ 'ds' => 'dec_vntag',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'VXLAN',
+ 'ds' => 'dec_vxlan',
+ ];
+} else {
+ d_echo('RRD "' . $rrd_filename . '" not found');
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';
diff --git a/includes/html/graphs/application/suricata_flow_proto.inc.php b/includes/html/graphs/application/suricata_flow_proto.inc.php
new file mode 100644
index 000000000000..80acfe3678f6
--- /dev/null
+++ b/includes/html/graphs/application/suricata_flow_proto.inc.php
@@ -0,0 +1,44 @@
+ $rrd_filename,
+ 'descr' => 'ICMPv4',
+ 'ds' => 'f_icmpv4',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'ICMPv6',
+ 'ds' => 'f_icmpv6',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'TCP',
+ 'ds' => 'f_tcp',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'UDP',
+ 'ds' => 'f_udp',
+ ];
+} else {
+ d_echo('RRD "' . $rrd_filename . '" not found');
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';
diff --git a/includes/html/graphs/application/suricata_mem_use.inc.php b/includes/html/graphs/application/suricata_mem_use.inc.php
new file mode 100644
index 000000000000..2446c517574d
--- /dev/null
+++ b/includes/html/graphs/application/suricata_mem_use.inc.php
@@ -0,0 +1,49 @@
+ $rrd_filename,
+ 'descr' => 'Flow',
+ 'ds' => 'f_memuse',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'FTP',
+ 'ds' => 'ftp_memuse',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'HTTP',
+ 'ds' => 'http_memuse',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'TCP',
+ 'ds' => 'tcp_memuse',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'TCP Reass',
+ 'ds' => 'tcp_reass_memuse',
+ ];
+} else {
+ d_echo('RRD "' . $rrd_filename . '" not found');
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';
diff --git a/includes/html/graphs/application/suricata_nasty_delta.inc.php b/includes/html/graphs/application/suricata_nasty_delta.inc.php
new file mode 100644
index 000000000000..8bb86c328f83
--- /dev/null
+++ b/includes/html/graphs/application/suricata_nasty_delta.inc.php
@@ -0,0 +1,49 @@
+ $rrd_filename,
+ 'descr' => 'Dropped',
+ 'ds' => 'dropped',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'IfDropped',
+ 'ds' => 'ifdropped',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'Errors',
+ 'ds' => 'errors',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'Dec_Invalid',
+ 'ds' => 'dec_invalid',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'Too_Many_Layers',
+ 'ds' => 'dec_too_many_layer',
+ ];
+} else {
+ d_echo('RRD "' . $rrd_filename . '" not found');
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';
diff --git a/includes/html/graphs/application/suricata_nasty_percent.inc.php b/includes/html/graphs/application/suricata_nasty_percent.inc.php
new file mode 100644
index 000000000000..3acc65f533da
--- /dev/null
+++ b/includes/html/graphs/application/suricata_nasty_percent.inc.php
@@ -0,0 +1,39 @@
+ $rrd_filename,
+ 'descr' => 'Dropped',
+ 'ds' => 'drop_percent',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'If_Dropped',
+ 'ds' => 'ifdrop_percent',
+ ];
+ $rrd_list[] = [
+ 'filename' => $rrd_filename,
+ 'descr' => 'Error',
+ 'ds' => 'error_percent',
+ ];
+} else {
+ d_echo('RRD "' . $rrd_filename . '" not found');
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';
diff --git a/includes/html/graphs/application/suricata_packets.inc.php b/includes/html/graphs/application/suricata_packets.inc.php
new file mode 100644
index 000000000000..ad07fd7ef2be
--- /dev/null
+++ b/includes/html/graphs/application/suricata_packets.inc.php
@@ -0,0 +1,44 @@ + $rrd_filename, + 'descr' => 'Packets', + 'ds' => 'packets', + ]; + $rrd_list[] = [ + 'filename' => $rrd_filename, + 'descr' => 'Dec. Packets', + 'ds' => 'dec_packets', + ]; + $rrd_list[] = [ + 'filename' => $rrd_filename, + 'descr' => 'Dropped', + 'ds' => 'dropped', + ]; + $rrd_list[] = [ + 'filename' => $rrd_filename, + 'descr' => 'If Dropped', + 'ds' => 'ifdropped', + ]; +} else { + d_echo('RRD "' . $rrd_filename . '" not found'); +} + +require 'includes/html/graphs/generic_multi_line.inc.php'; diff --git a/includes/html/graphs/application/suricata_uptime.inc.php b/includes/html/graphs/application/suricata_uptime.inc.php new file mode 100644 index 000000000000..35cdf573c5be --- /dev/null +++ b/includes/html/graphs/application/suricata_uptime.inc.php @@ -0,0 +1,29 @@ + $rrd_filename, + 'descr' => 'Uptime', + 'ds' => 'uptime', + ]; +} else { + d_echo('RRD "' . $rrd_filename . '" not found'); +} + +require 'includes/html/graphs/generic_multi_line.inc.php'; diff --git a/includes/html/pages/apps.inc.php b/includes/html/pages/apps.inc.php index 66362b6344db..961e67564044 100644 --- a/includes/html/pages/apps.inc.php +++ b/includes/html/pages/apps.inc.php @@ -309,6 +309,18 @@ 'proxy_acct', 'queue', ]; +$graphs['suricata'] = [ + 'alert', + 'packets', + 'nasty_delta', + 'nasty_percent', + 'dec_proto', + 'flow_proto', + 'app_flows', + 'app_tx', + 'bytes', + 'mem_use', +]; $graphs['zfs'] = [ 'arc_misc', 'arc_size', diff --git a/includes/html/pages/device/apps/suricata.inc.php b/includes/html/pages/device/apps/suricata.inc.php new file mode 100644 index 000000000000..5f121d0f6c17 --- /dev/null +++ b/includes/html/pages/device/apps/suricata.inc.php 
@@ -0,0 +1,73 @@ + 'device', + 'device' => $device['device_id'], + 'tab' => 'apps', + 'app' => 'suricata', +]; + +print_optionbar_start(); + +echo generate_link('Totals', $link_array); +echo '| Instances:'; +$int_int = 0; +while (isset($suricata_instances[$int_int])) { + $instance = $suricata_instances[$int_int]; + $label = $instance; + + if ($vars['instance'] == $instance) { + $label = '' . $instance . ''; + } + + $int_int++; + + $append = ''; + if (isset($pools[$int_int])) { + $append = ', '; + } + + echo generate_link($label, $link_array, ['pool'=>$pool]) . $append; +} + +print_optionbar_end(); + +$graphs = [ + 'suricata_packets'=>'Packets', + 'suricata_bytes'=>'Bytes', + 'suricata_nasty_delta'=>'Drops or Errors Delta', + 'suricata_nasty_percent'=>'Drops or Errors Percent', + 'suricata_dec_proto'=>'Decoder Protocols', + 'suricata_flow_proto'=>'Flow Protocols', + 'suricata_app_flows'=>'App Layer Flows', + 'suricata_app_tx'=>'App Layer TX', + 'suricata_mem_use'=>'Memory Usage', + 'suricata_uptime'=>'Uptime', + 'suricata_alert'=>'Alert Status', +]; + +foreach ($graphs as $key => $text) { + $graph_type = $key; + $graph_array['height'] = '100'; + $graph_array['width'] = '215'; + $graph_array['to'] = \LibreNMS\Config::get('time.now'); + $graph_array['id'] = $app['app_id']; + $graph_array['type'] = 'application_' . $key; + + if (isset($vars['instance'])) { + $graph_array['instance'] = $vars['instance']; + } + + echo '
+
+

' . $text . '

+
+
+
'; + include 'includes/html/print-graphrow.inc.php'; + echo '
'; + echo '
'; + echo '
'; +} diff --git a/includes/polling/applications/suricata.inc.php b/includes/polling/applications/suricata.inc.php new file mode 100644 index 000000000000..6ddc27d3dd91 --- /dev/null +++ b/includes/polling/applications/suricata.inc.php 
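Review bot: The instance links are built with leftovers from another app page: `isset($pools[$int_int])` and `['pool'=>$pool]` use variables that nothing visible in this file defines, so the separator is never appended and the link does not carry the instance. They presumably should be `isset($suricata_instances[$int_int])` and `echo generate_link($label, $link_array, ['instance' => $instance]) . $append;`. Instance names originate from JSON returned by the monitored host, and `$label` is concatenated into markup here, so it should go through `htmlspecialchars()` first unless `generate_link()` (not shown) already escapes its text. The beginning of the file is not visible on this page.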
@@ -0,0 +1,219 @@
+getCode() . ':' . $e->getMessage() . PHP_EOL;
+ update_application($app, $e->getCode() . ':' . $e->getMessage(), []); // Set empty metrics and error message
+
+ return;
+}
+
+// grab the alert here as it is the global one
+$metrics = ['alert'=>$suricata['alert']];
+
+$rrd_def = RrdDefinition::make()
+ ->addDataset('af_dcerpc_tcp', 'DERIVE', 0)
+ ->addDataset('af_dcerpc_udp', 'DERIVE', 0)
+ ->addDataset('af_dhcp', 'DERIVE', 0)
+ ->addDataset('af_dns_tcp', 'DERIVE', 0)
+ ->addDataset('af_dns_udp', 'DERIVE', 0)
+ ->addDataset('af_failed_tcp', 'DERIVE', 0)
+ ->addDataset('af_failed_udp', 'DERIVE', 0)
+ ->addDataset('af_ftp', 'DERIVE', 0)
+ ->addDataset('af_ftp_data', 'DERIVE', 0)
+ ->addDataset('af_http', 'DERIVE', 0)
+ ->addDataset('af_ikev2', 'DERIVE', 0)
+ ->addDataset('af_imap', 'DERIVE', 0)
+ ->addDataset('af_krb5_tcp', 'DERIVE', 0)
+ ->addDataset('af_krb5_udp', 'DERIVE', 0)
+ ->addDataset('af_mqtt', 'DERIVE', 0)
+ ->addDataset('af_nfs_tcp', 'DERIVE', 0)
+ ->addDataset('af_nfs_udp', 'DERIVE', 0)
+ ->addDataset('af_ntp', 'DERIVE', 0)
+ ->addDataset('af_rdp', 'DERIVE', 0)
+ ->addDataset('af_rfb', 'DERIVE', 0)
+ ->addDataset('af_sip', 'DERIVE', 0)
+ ->addDataset('af_smb', 'DERIVE', 0)
+ ->addDataset('af_smtp', 'DERIVE', 0)
+ ->addDataset('af_snmp', 'DERIVE', 0)
+ ->addDataset('af_ssh', 'DERIVE', 0)
+ ->addDataset('af_tftp', 'DERIVE', 0)
+ ->addDataset('af_tls', 'DERIVE', 0)
+ ->addDataset('alert', 'GAUGE', 0)
+ ->addDataset('at_dcerpc_tcp', 'DERIVE', 0)
+ ->addDataset('at_dcerpc_udp', 'DERIVE', 0)
+ ->addDataset('at_dhcp', 'DERIVE', 0)
+ ->addDataset('at_dns_tcp', 'DERIVE', 0)
+ ->addDataset('at_dns_udp', 'DERIVE', 0)
+ ->addDataset('at_ftp', 'DERIVE', 0)
+ ->addDataset('at_ftp_data', 'DERIVE', 0)
+ ->addDataset('at_http', 'DERIVE', 0)
+ ->addDataset('at_ikev2', 'DERIVE', 0)
+ ->addDataset('at_imap', 'DERIVE', 0)
+ ->addDataset('at_krb5_tcp', 'DERIVE', 0)
+ ->addDataset('at_krb5_udp', 'DERIVE', 0)
+ ->addDataset('at_mqtt', 'DERIVE', 0)
+ ->addDataset('at_nfs_tcp', 'DERIVE', 0)
+ ->addDataset('at_nfs_udp', 'DERIVE', 0)
+ ->addDataset('at_ntp', 'DERIVE', 0)
+ ->addDataset('at_rdp', 'DERIVE', 0)
+ ->addDataset('at_rfb', 'DERIVE', 0)
+ ->addDataset('at_sip', 'DERIVE', 0)
+ ->addDataset('at_smb', 'DERIVE', 0)
+ ->addDataset('at_smtp', 'DERIVE', 0)
+ ->addDataset('at_snmp', 'DERIVE', 0)
+ ->addDataset('at_ssh', 'DERIVE', 0)
+ ->addDataset('at_tftp', 'DERIVE', 0)
+ ->addDataset('at_tls', 'DERIVE', 0)
+ ->addDataset('bytes', 'DERIVE', 0)
+ ->addDataset('dec_avg_pkt_size', 'DERIVE', 0)
+ ->addDataset('dec_chdlc', 'DERIVE', 0)
+ ->addDataset('dec_ethernet', 'DERIVE', 0)
+ ->addDataset('dec_geneve', 'DERIVE', 0)
+ ->addDataset('dec_ieee8021ah', 'DERIVE', 0)
+ ->addDataset('dec_invalid', 'DERIVE', 0)
+ ->addDataset('dec_ipv4', 'DERIVE', 0)
+ ->addDataset('dec_ipv4_in_ipv6', 'DERIVE', 0)
+ ->addDataset('dec_ipv6', 'DERIVE', 0)
+ ->addDataset('dec_max_pkt_size', 'DERIVE', 0)
+ ->addDataset('dec_mpls', 'DERIVE', 0)
+ ->addDataset('dec_mx_mac_addrs_d', 'DERIVE', 0)
+ ->addDataset('dec_mx_mac_addrs_s', 'DERIVE', 0)
+ ->addDataset('dec_packets', 'DERIVE', 0)
+ ->addDataset('dec_ppp', 'DERIVE', 0)
+ ->addDataset('dec_pppoe', 'DERIVE', 0)
+ ->addDataset('dec_raw', 'DERIVE', 0)
+ ->addDataset('dec_sctp', 'DERIVE', 0)
+ ->addDataset('dec_sll', 'DERIVE', 0)
+ ->addDataset('dec_tcp', 'DERIVE', 0)
+ ->addDataset('dec_teredo', 'DERIVE', 0)
+ ->addDataset('dec_too_many_layer', 'DERIVE', 0)
+ ->addDataset('dec_udp', 'DERIVE', 0)
+ ->addDataset('dec_vlan', 'DERIVE', 0)
+ ->addDataset('dec_vlan_qinq', 'DERIVE', 0)
+ ->addDataset('dec_vntag', 'DERIVE', 0)
+ ->addDataset('dec_vxlan', 'DERIVE', 0)
+ ->addDataset('drop_percent', 'GAUGE', 0)
+ ->addDataset('dropped', 'DERIVE', 0)
+ ->addDataset('error_percent', 'GAUGE', 0)
+ ->addDataset('errors', 'DERIVE', 0)
+ ->addDataset('f_icmpv4', 'DERIVE', 0)
+ ->addDataset('f_icmpv6', 'DERIVE', 0)
+ ->addDataset('f_memuse', 'GAUGE', 0)
+ ->addDataset('f_tcp', 'DERIVE', 0)
+ ->addDataset('f_udp', 'DERIVE', 0)
+ ->addDataset('ftp_memuse', 'GAUGE', 0)
+ ->addDataset('http_memuse', 'GAUGE', 0)
+ ->addDataset('ifdrop_percent', 'GAUGE', 0)
+ ->addDataset('ifdropped', 'DERIVE', 0)
+ ->addDataset('packets', 'DERIVE', 0)
+ ->addDataset('tcp_memuse', 'GAUGE', 0)
+ ->addDataset('tcp_reass_memuse', 'GAUGE', 0)
+ ->addDataset('uptime', 'GAUGE', 0);
+
+// keys that need to by migrated from the instance to the
+$instance_keys = [
+ 'af_dcerpc_tcp', 'af_dcerpc_udp', 'af_dhcp', 'af_dns_tcp', 'af_dns_udp', 'af_failed_tcp', 'af_failed_udp', 'af_ftp',
+ 'af_ftp_data', 'af_http', 'af_ikev2', 'af_imap', 'af_krb5_tcp', 'af_krb5_udp', 'af_mqtt', 'af_nfs_tcp', 'af_nfs_udp',
+ 'af_ntp', 'af_rdp', 'af_rfb', 'af_sip', 'af_smb', 'af_smtp', 'af_snmp', 'af_ssh', 'af_tftp', 'af_tls', 'alert',
+ 'at_dcerpc_tcp', 'at_dcerpc_udp', 'at_dhcp', 'at_dns_tcp', 'at_dns_udp', 'at_ftp', 'at_ftp_data', 'at_http', 'at_ikev2',
+ 'at_imap', 'at_krb5_tcp', 'at_krb5_udp', 'at_mqtt', 'at_nfs_tcp', 'at_nfs_udp', 'at_ntp', 'at_rdp', 'at_rfb', 'at_sip',
+ 'at_smb', 'at_smtp', 'at_snmp', 'at_ssh', 'at_tftp', 'at_tls', 'bytes', 'dec_avg_pkt_size', 'dec_chdlc', 'dec_ethernet',
+ 'dec_geneve', 'dec_ieee8021ah', 'dec_invalid', 'dec_ipv4', 'dec_ipv4_in_ipv6', 'dec_ipv6', 'dec_max_pkt_size', 'dec_mpls',
+ 'dec_mx_mac_addrs_d', 'dec_mx_mac_addrs_s', 'dec_packets', 'dec_ppp', 'dec_pppoe', 'dec_raw', 'dec_sctp', 'dec_sll',
+ 'dec_tcp', 'dec_teredo', 'dec_too_many_layer', 'dec_udp', 'dec_vlan', 'dec_vlan_qinq', 'dec_vntag', 'dec_vxlan',
+ 'drop_delta', 'drop_percent', 'dropped', 'error_delta', 'error_percent', 'errors', 'f_icmpv4', 'f_icmpv6', 'f_memuse',
+ 'f_tcp', 'f_udp', 'ftp_memuse', 'http_memuse', 'ifdrop_delta', 'ifdrop_percent', 'ifdropped', 'packet_delta', 'packets',
+ 'tcp_memuse', 'tcp_reass_memuse', 'uptime',
+];
+
+// keys to add to the RRD field
+$field_keys = [
+ 'af_dcerpc_tcp', 'af_dcerpc_udp', 'af_dhcp', 'af_dns_tcp', 'af_dns_udp', 'af_failed_tcp', 'af_failed_udp', 'af_ftp',
+ 'af_ftp_data', 'af_http', 'af_ikev2', 'af_imap', 'af_krb5_tcp', 'af_krb5_udp', 'af_mqtt', 'af_nfs_tcp', 'af_nfs_udp',
+ 'af_ntp', 'af_rdp', 'af_rfb', 'af_sip', 'af_smb', 'af_smtp', 'af_snmp', 'af_ssh', 'af_tftp', 'af_tls', 'alert',
+ 'at_dcerpc_tcp', 'at_dcerpc_udp', 'at_dhcp', 'at_dns_tcp', 'at_dns_udp', 'at_ftp', 'at_ftp_data', 'at_http', 'at_ikev2',
+ 'at_imap', 'at_krb5_tcp', 'at_krb5_udp', 'at_mqtt', 'at_nfs_tcp', 'at_nfs_udp', 'at_ntp', 'at_rdp', 'at_rfb', 'at_sip',
+ 'at_smb', 'at_smtp', 'at_snmp', 'at_ssh', 'at_tftp', 'at_tls', 'bytes', 'dec_avg_pkt_size', 'dec_chdlc', 'dec_ethernet',
+ 'dec_geneve', 'dec_ieee8021ah', 'dec_invalid', 'dec_ipv4', 'dec_ipv4_in_ipv6', 'dec_ipv6', 'dec_max_pkt_size', 'dec_mpls',
+ 'dec_mx_mac_addrs_d', 'dec_mx_mac_addrs_s', 'dec_packets', 'dec_ppp', 'dec_pppoe', 'dec_raw', 'dec_sctp', 'dec_sll',
+ 'dec_tcp', 'dec_teredo', 'dec_too_many_layer', 'dec_udp', 'dec_vlan', 'dec_vlan_qinq', 'dec_vntag', 'dec_vxlan',
+ 'drop_percent', 'dropped', 'error_percent', 'errors', 'f_icmpv4', 'f_icmpv6', 'f_memuse',
+ 'f_tcp', 'f_udp', 'ftp_memuse', 'http_memuse', 'ifdrop_percent', 'ifdropped', 'packets',
+ 'tcp_memuse', 'tcp_reass_memuse', 'uptime',
+];
+
+// process each instance
+$instance_list = [];
+foreach ($suricata['data'] as $instance => $stats) {
+ if ($instance == '.total') {
+ $rrd_name = ['app', $name, $app_id];
+ } else {
+ $rrd_name = ['app', $name, $app_id, $instance];
+ $instance_list[] = $instance;
+ }
+
+ foreach ($instance_keys as $metric_key) {
+ $metrics[$instance . '_' . $metric_key] = $stats[$metric_key];
+ }
+
+ $fields = [];
+ foreach ($field_keys as $field_key) {
+ $fields[$field_key] = $stats[$field_key];
+ }
+
+ $tags = ['name' => $name, 'app_id' => $app_id, 'rrd_def' => $rrd_def, 'rrd_name' => $rrd_name];
+ data_update($device, 'app', $tags, $fields);
+}
+
+//
+// component processing for ZFS
+//
+$device_id = $device['device_id'];
+$options = [
+ 'filter' => [
+ 'device_id' => ['=', $device_id],
+ 'type' => ['=', 'suricata'],
+ ],
+];
+
+$component = new LibreNMS\Component();
+$components = $component->getComponents($device_id, $options);
+
+// if no instances, delete the components
+if (empty($instance_list)) {
+ if (isset($components[$device_id])) {
+ foreach ($components[$device_id] as $component_id => $_unused) {
+ $component->deleteComponent($component_id);
+ }
+ }
+} else {
+ if (isset($components[$device_id])) {
+ $ourc = $components[$device_id];
+ } else {
+ $ourc = $component->createComponent($device_id, 'suricata');
+ }
+
+ // Make sure we don't readd it, just in a different order.
+ sort($instance_list);
+
+ $id = $component->getFirstComponentID($ourc);
+ $ourc[$id]['label'] = 'Suricata';
+ $ourc[$id]['instances'] = json_encode($instance_list);
+ $ourc[$id]['alert'] = $suricata['alert'];
+ $ourc[$id]['alertString'] = $suricata['alertString'];
+
+ $component->setComponentPrefs($device_id, $ourc);
+}
+
+//
+// all done so update the app metrics
+//
+update_application($app, 'OK', $metrics);
diff --git a/misc/alert_rules.json b/misc/alert_rules.json
index 6d6931771214..e0c19dc35b7e 100644
--- a/misc/alert_rules.json
+++ b/misc/alert_rules.json
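Review bot: Inside the `foreach ($suricata['data'] as $instance => $stats)` loop, `$instance` comes straight from the JSON returned by the polled host and is used unchecked in `$rrd_name`, as a metric-name prefix, and in the component's `instances` list. Whether the RRD layer sanitises name parts is not visible here, so I would reject unexpected names at the top of the loop, e.g. `if (! preg_match('/^[A-Za-z0-9._-]+$/', (string) $instance)) { continue; }`. `$stats[$metric_key]` and `$stats[$field_key]` are also read without checking that the key exists; `$stats[$metric_key] ?? null` avoids notices when an older extend omits a counter. The comment `component processing for ZFS` should say Suricata, and the comment above `$instance_keys` is cut off mid-sentence.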
@@ -482,5 +482,50 @@ { "builder": {"condition":"AND","rules":[{"id":"ports.ifSpeed","field":"ports.ifSpeed","type":"string","input":"text","operator":"greater","value":"0"},{"id":"ports.ifSpeed","field":"ports.ifSpeed","type":"string","input":"text","operator":"less","value":"`ports.ifSpeed_prev`"},{"id":"eventlog.message","field":"eventlog.message","type":"string","input":"text","operator":"begins_with","value":"ifSpeed:"},{"id":"eventlog.datetime","field":"eventlog.datetime","type":"datetime","input":"text","operator":"greater_or_equal","value":"`macros.past_10m`"},{"id":"ports.port_id","field":"ports.port_id","type":"string","input":"text","operator":"equal","value":"`eventlog.reference`"},{"id":"ports.ifOperStatus","field":"ports.ifOperStatus","type":"string","input":"text","operator":"equal","value":"up"},{"id":"ports.disabled","field":"ports.disabled","type":"string","input":"text","operator":"equal","value":"0"}],"valid":true}, "name": "Port Speed Degraded" + }, + { + "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \"alert\" && application_metrics.value = \"1\"", + "name": "Suricata has a WARNING alert", + "severity": "warning" + }, + { + "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \"alert\" && application_metrics.value = \"2\"", + "name": "Suricata has a CRITICAL alert", + "severity": "critical" + }, + { + "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \"alert\" && application_metrics.value = \"3\"", + "name": "Suricata has a UNKNOWN alert", + "severity": "critical" + }, + { + "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_drop_percent\" && application_metrics.value >= \"1\"", + "name": "Suricata Packet Drop > 1%", + "severity": "warning" + }, + { + "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_drop_percent\" && application_metrics.value >= \"2\"", + "name": "Suricata Packet Drop > 
2%", + "severity": "critical" + }, + { + "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_ifdrop_percent\" && application_metrics.value >= \"1\"", + "name": "Suricata Packet If Drop > 1%", + "severity": "warning" + }, + { + "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_ifdrop_percent\" && application_metrics.value >= \"2\"", + "name": "Suricata Packet If Drop > 2%", + "severity": "critical" + }, + { + "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_error_delta\" && application_metrics.value >= \"1\"", + "name": "Suricata Packet Error >= 1%", + "severity": "warning" + }, + { + "rule": "applications.app_type = \"suricata\" && application_metrics.metric = \".total_error_delta\" && application_metrics.value >= \"2\"", + "name": "Suricata Packet Error >= 2%", + "severity": "critical" } ] diff --git a/tests/data/linux_suricata-v1.json b/tests/data/linux_suricata-v1.json new file mode 100644 index 000000000000..4571e0fa00ec --- /dev/null +++ b/tests/data/linux_suricata-v1.json 
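Review bot: The last two rules in this hunk, "Suricata Packet Error >= 1%" and ">= 2%", are named as percentage thresholds but match `application_metrics.metric = \".total_error_delta\"`. The fixture added in this commit lists `.total_error_percent` as a separate metric, so the delta is presumably a change in the error counter between polls, and a single errored packet would then raise the warning. If a percentage is intended, both rules should match `application_metrics.metric = \".total_error_percent\"`; if the delta is intended, the names should drop the `%`. The drop and ifdrop rules are named `> 1%` and `> 2%` while their expressions use `>=`. Each warning rule also still matches once its critical rule does, so both alerts fire for the same condition unless the warning rule gets an upper bound.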
@@ -0,0 +1,1260 @@ +{ + "applications": { + "discovery": { + "applications": [ + { + "app_type": "suricata", + "app_state": "UNKNOWN", + "discovered": 1, + "app_state_prev": null, + "app_status": "", + "app_instance": "" + } + ] + }, + "poller": { + "applications": [ + { + "app_type": "suricata", + "app_state": "OK", + "discovered": 1, + "app_state_prev": "UNKNOWN", + "app_status": "", + "app_instance": "" + } + ], + "application_metrics": [ + { + "metric": ".total_af_dcerpc_tcp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_dcerpc_udp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_dhcp", + "value": 52, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_dns_tcp", + "value": 1901, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_dns_udp", + "value": 556315, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_failed_tcp", + "value": 4260, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_failed_udp", + "value": 8121, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_ftp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_ftp_data", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_http", + "value": 30855, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_ikev2", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_imap", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_krb5_tcp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_krb5_udp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_mqtt", + "value": 0, + "value_prev": null, + "app_type": 
"suricata" + }, + { + "metric": ".total_af_nfs_tcp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_nfs_udp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_ntp", + "value": 1682, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_rdp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_rfb", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_sip", + "value": 1, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_smb", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_smtp", + "value": 1408, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_snmp", + "value": 14203, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_ssh", + "value": 37, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_tftp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_af_tls", + "value": 126907, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_alert", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_dcerpc_tcp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_dcerpc_udp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_dhcp", + "value": 2571, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_dns_tcp", + "value": 3806, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_dns_udp", + "value": 1207694, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_ftp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_ftp_data", + 
"value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_http", + "value": 31784, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_ikev2", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_imap", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_krb5_tcp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_krb5_udp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_mqtt", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_nfs_tcp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_nfs_udp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_ntp", + "value": 2409, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_rdp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_rfb", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_sip", + "value": 4137, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_smb", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_smtp", + "value": 2108, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_snmp", + "value": 433976, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_ssh", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_tftp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_at_tls", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_bytes", + "value": 7587094274, + "value_prev": null, + "app_type": "suricata" + }, + 
{ + "metric": ".total_dec_avg_pkt_size", + "value": 513, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_chdlc", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_ethernet", + "value": 14772989, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_geneve", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_ieee8021ah", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_invalid", + "value": 4, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_ipv4", + "value": 14616928, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_ipv4_in_ipv6", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_ipv6", + "value": 428, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_max_pkt_size", + "value": 1514, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_mpls", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_mx_mac_addrs_d", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_mx_mac_addrs_s", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_packets", + "value": 14772989, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_ppp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_pppoe", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_raw", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_sctp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_sll", + "value": 0, + "value_prev": null, + "app_type": 
"suricata" + }, + { + "metric": ".total_dec_tcp", + "value": 9921619, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_teredo", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_too_many_layer", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_udp", + "value": 4120492, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_vlan", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_vlan_qinq", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_vntag", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dec_vxlan", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_drop_delta", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_drop_percent", + "value": "0.00000", + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_dropped", + "value": 12750, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_error_delta", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_error_percent", + "value": "0.00000", + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_errors", + "value": 1, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_f_icmpv4", + "value": 3667, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_f_icmpv6", + "value": 371, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_f_memuse", + "value": 8567872, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_f_tcp", + "value": 287482, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_f_udp", + "value": 580374, + "value_prev": null, + "app_type": 
"suricata" + }, + { + "metric": ".total_ftp_memuse", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_http_memuse", + "value": 155770, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_ifdrop_delta", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_ifdrop_percent", + "value": "0.00000", + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_ifdropped", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_packet_delta", + "value": 55223, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_packets", + "value": 14785697, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_tcp_memuse", + "value": 2425072, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_tcp_reass_memuse", + "value": 16676636, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": ".total_uptime", + "value": 104890, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "alert", + "value": 0.0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_dcerpc_tcp", + "value": 0.0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_dcerpc_udp", + "value": 0.0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_dhcp", + "value": 52.0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_dns_tcp", + "value": 1901.0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_dns_udp", + "value": 556315.0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_failed_tcp", + "value": 4260, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_failed_udp", + "value": 8121, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_ftp", + "value": 0, + "value_prev": null, + 
"app_type": "suricata" + }, + { + "metric": "ids_af_ftp_data", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_http", + "value": 30855, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_ikev2", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_imap", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_krb5_tcp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_krb5_udp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_mqtt", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_nfs_tcp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_nfs_udp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_ntp", + "value": 1682, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_rdp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_rfb", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_sip", + "value": 1, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_smb", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_smtp", + "value": 1408, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_snmp", + "value": 14203, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_ssh", + "value": 37, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_tftp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_af_tls", + "value": 126907, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_alert", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + 
{ + "metric": "ids_at_dcerpc_tcp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_dcerpc_udp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_dhcp", + "value": 2571, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_dns_tcp", + "value": 3806, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_dns_udp", + "value": 1207694, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_ftp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_ftp_data", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_http", + "value": 31784, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_ikev2", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_imap", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_krb5_tcp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_krb5_udp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_mqtt", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_nfs_tcp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_nfs_udp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_ntp", + "value": 2409, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_rdp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_rfb", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_sip", + "value": 4137, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_smb", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + 
"metric": "ids_at_smtp", + "value": 2108, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_snmp", + "value": 433976, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_ssh", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_tftp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_at_tls", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_bytes", + "value": 7587094274, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_avg_pkt_size", + "value": 513, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_chdlc", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_ethernet", + "value": 14772989, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_geneve", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_ieee8021ah", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_invalid", + "value": 4, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_ipv4", + "value": 14616928, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_ipv4_in_ipv6", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_ipv6", + "value": 428, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_max_pkt_size", + "value": 1514, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_mpls", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_mx_mac_addrs_d", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_mx_mac_addrs_s", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_packets", + "value": 14772989, 
+ "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_ppp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_pppoe", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_raw", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_sctp", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_sll", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_tcp", + "value": 9921619, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_teredo", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_too_many_layer", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_udp", + "value": 4120492, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_vlan", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_vlan_qinq", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_vntag", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dec_vxlan", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_drop_delta", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_drop_percent", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_dropped", + "value": 12750, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_error_delta", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_error_percent", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_errors", + "value": 1, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_f_icmpv4", + "value": 
3667, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_f_icmpv6", + "value": 371, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_f_memuse", + "value": 8567872, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_f_tcp", + "value": 287482, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_f_udp", + "value": 580374, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_ftp_memuse", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_http_memuse", + "value": 155770, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_ifdrop_delta", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_ifdrop_percent", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_ifdropped", + "value": 0, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_packet_delta", + "value": 55223, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_packets", + "value": 14785697, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_tcp_memuse", + "value": 2425072, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_tcp_reass_memuse", + "value": 16676636, + "value_prev": null, + "app_type": "suricata" + }, + { + "metric": "ids_uptime", + "value": 104890, + "value_prev": null, + "app_type": "suricata" + } + ] + } + } +} diff --git a/tests/snmpsim/linux_suricata-v1.snmprec b/tests/snmpsim/linux_suricata-v1.snmprec new file mode 100644 index 000000000000..8f90fc0c4320 --- /dev/null +++ b/tests/snmpsim/linux_suricata-v1.snmprec 
@@ -0,0 +1,10 @@ +1.3.6.1.2.1.1.1.0|4|Linux server 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 +1.3.6.1.2.1.1.2.0|6|1.3.6.1.4.1.8072.3.2.10 +1.3.6.1.2.1.1.3.0|67|77550514 +1.3.6.1.2.1.1.4.0|4| +1.3.6.1.2.1.1.5.0|4| +1.3.6.1.2.1.1.6.0|4| +1.3.6.1.2.1.25.1.1.0|67|77552962 +1.3.6.1.4.1.8072.1.3.2.2.1.21.6.100.105.115.116.114.111|2|1 +1.3.6.1.4.1.8072.1.3.2.2.1.21.14.115.117.114.105.99.97.116.97.45.115.116.97.116.115|2|1 +1.3.6.1.4.1.8072.1.3.2.3.1.2.14.115.117.114.105.99.97.116.97.45.115.116.97.116.115|4x|7b22616c657274537472696e67223a22222c226572726f72223a2230222c2264617461223a7b22696473223a7b226465635f736c6c223a302c2261745f746c73223a302c2261745f736d62223a302c226465635f6d61785f706b745f73697a65223a313531342c226465635f6368646c63223a302c2264726f70706564223a31323735302c226465635f74657265646f223a302c22616c657274223a302c227463705f6d656d757365223a323432353037322c2261745f736e6d70223a3433333937362c22696664726f705f64656c7461223a302c2261745f646e735f756470223a313230373639342c227061636b657473223a31343738353639372c2261745f696b657632223a302c2261665f736970223a312c2261745f6b7262355f756470223a302c226674705f6d656d757365223a302c2261745f667470223a302c2261745f6463657270635f756470223a302c226465635f76786c616e223a302c2261665f6b7262355f746370223a302c22665f6d656d757365223a383536373837322c2261665f6e66735f746370223a302c226465635f696e76616c6964223a342c2261745f6674705f64617461223a302c2261665f726662223a302c226465635f69656565383032316168223a302c2261665f696d6170223a302c226465635f7061636b657473223a31343737323938392c2261745f6e66735f756470223a302c2261665f6e7470223a313638322c22696664726f705f70657263656e74223a302c2261745f68747470223a33313738342c2261745f74667470223a302c2261745f6463657270635f746370223a302c226465635f69707634223a31343631363932382c2261665f737368223a33372c22616c657274537472696e67223a22222c22665f69636d707636223a3337312c2261745f6d717474223a302c22696664726f70706564223a302c2261745f736d7470223a323130382c22665f756470223a3538303337342c226572726f7273223a312c2261665f64686370223a3
5322c226279746573223a373538373039343237342c2261665f726470223a302c226465635f6d785f6d61635f61646472735f73223a302c226465635f746f6f5f6d616e795f6c61796572223a302c2261665f646e735f746370223a313930312c2264726f705f70657263656e74223a302c2261745f6e66735f746370223a302c227463705f72656173735f6d656d757365223a31363637363633362c22665f69636d707634223a333636372c226465635f6d706c73223a302c226465635f69707636223a3432382c2261665f667470223a302c226572726f725f64656c7461223a302c2261665f6b7262355f756470223a302c2261745f736970223a343133372c2261745f6b7262355f746370223a302c22687474705f6d656d757365223a3135353737302c2264726f705f64656c7461223a302c2261665f6463657270635f756470223a302c226465635f756470223a343132303439322c226465635f697076345f696e5f69707636223a302c2261665f736e6d70223a31343230332c2261665f6661696c65645f756470223a383132312c2261665f696b657632223a302c2261665f646e735f756470223a3535363331352c226465635f6d785f6d61635f61646472735f64223a302c2261665f736d62223a302c226465635f766c616e5f71696e71223a302c226465635f6176675f706b745f73697a65223a3531332c2261665f746c73223a3132363930372c226465635f67656e657665223a302c226465635f707070223a302c226465635f726177223a302c226465635f746370223a393932313631392c2261665f736d7470223a313430382c22757074696d65223a3130343839302c2261745f646e735f746370223a333830362c2261745f726470223a302c2261745f64686370223a323537312c2261745f737368223a302c2261665f74667470223a302c2261665f6463657270635f746370223a302c227061636b65745f64656c7461223a35353232332c2261665f6d717474223a302c226465635f766c616e223a302c2261665f6e66735f756470223a302c22665f746370223a3238373438322c226465635f7070706f65223a302c2261665f68747470223a33303835352c2261745f6e7470223a323430392c2261665f6661696c65645f746370223a343236302c226465635f73637470223a302c226572726f725f70657263656e74223a302c2261745f696d6170223a302c2261665f6674705f64617461223a302c2261745f726662223a302c226465635f65746865726e6574223a31343737323938392c226465635f766e746167223a307d2c222e746f74616c223a7b227463705f72656173735f6d656d757365223a31363637363633362c2261745f6e66735f7463702
23a302c2264726f705f70657263656e74223a22302e3030303030222c226465635f6d706c73223a302c22665f69636d707634223a333636372c226465635f69707636223a3432382c2261665f667470223a302c2261745f736970223a343133372c2261665f6b7262355f756470223a302c226572726f725f64656c7461223a302c22687474705f6d656d757365223a3135353737302c2264726f705f64656c7461223a302c2261745f6b7262355f746370223a302c226465635f697076345f696e5f69707636223a302c226465635f756470223a343132303439322c2261665f6463657270635f756470223a302c2261665f736e6d70223a31343230332c2261665f6661696c65645f756470223a383132312c2261665f646e735f756470223a3535363331352c2261665f696b657632223a302c226465635f766c616e5f71696e71223a302c2261665f736d62223a302c226465635f6d785f6d61635f61646472735f64223a302c226465635f6176675f706b745f73697a65223a3531332c2261665f746c73223a3132363930372c226465635f707070223a302c226465635f67656e657665223a302c226465635f726177223a302c226465635f746370223a393932313631392c22757074696d65223a3130343839302c2261665f736d7470223a313430382c2261745f726470223a302c2261745f646e735f746370223a333830362c2261745f64686370223a323537312c2261745f737368223a302c227061636b65745f64656c7461223a35353232332c2261665f6463657270635f746370223a302c2261665f74667470223a302c2261665f6d717474223a302c226465635f766c616e223a302c226465635f7070706f65223a302c22665f746370223a3238373438322c2261665f6e66735f756470223a302c2261745f6e7470223a323430392c2261665f68747470223a33303835352c226572726f725f70657263656e74223a22302e3030303030222c226465635f73637470223a302c2261665f6661696c65645f746370223a343236302c2261745f696d6170223a302c226465635f65746865726e6574223a31343737323938392c2261745f726662223a302c2261665f6674705f64617461223a302c226465635f766e746167223a302c2261745f746c73223a302c226465635f736c6c223a302c226465635f6368646c63223a302c226465635f6d61785f706b745f73697a65223a313531342c2261745f736d62223a302c2264726f70706564223a31323735302c22616c657274223a302c226465635f74657265646f223a302c227463705f6d656d757365223a323432353037322c22696664726f705f64656c7461223a302c2261745f736e6d70223a3433333937362c22617
45f696b657632223a302c227061636b657473223a31343738353639372c2261745f646e735f756470223a313230373639342c2261745f6b7262355f756470223a302c2261665f736970223a312c2261745f667470223a302c226674705f6d656d757365223a302c2261745f6463657270635f756470223a302c226465635f76786c616e223a302c2261665f6b7262355f746370223a302c22665f6d656d757365223a383536373837322c2261665f6e66735f746370223a302c226465635f696e76616c6964223a342c226465635f69656565383032316168223a302c2261665f726662223a302c2261745f6674705f64617461223a302c2261665f696d6170223a302c226465635f7061636b657473223a31343737323938392c2261745f6e66735f756470223a302c22696664726f705f70657263656e74223a22302e3030303030222c2261745f68747470223a33313738342c2261665f6e7470223a313638322c226465635f69707634223a31343631363932382c2261745f6463657270635f746370223a302c2261745f74667470223a302c2261665f737368223a33372c22665f69636d707636223a3337312c2261745f6d717474223a302c22696664726f70706564223a302c2261745f736d7470223a323130382c226572726f7273223a312c22665f756470223a3538303337342c2261665f64686370223a35322c2261665f646e735f746370223a313930312c226465635f746f6f5f6d616e795f6c61796572223a302c226465635f6d785f6d61635f61646472735f73223a302c2261665f726470223a302c226279746573223a373538373039343237347d7d2c2276657273696f6e223a312c226572726f72537472696e67223a22222c22616c657274223a307d0a