Updates to use _desc fields
ctx-ioannist committed Sep 23, 2022
1 parent 91f452c commit a3df190
Showing 5 changed files with 40 additions and 29 deletions.
2 changes: 1 addition & 1 deletion citrix_cim_normalizer/default/app.conf
Expand Up @@ -7,7 +7,7 @@ is_configured = 0
author = Citrix ADM Service Team
description = An application to make ADM Service data CIM Compatible.\
The data can be displayed properly by Applications consuming CIM Compatible data.
version = 1.2.0
version = 1.5.0

[ui]
is_visible = 0
59 changes: 35 additions & 24 deletions citrix_cim_normalizer/default/props.conf
Expand Up @@ -2,11 +2,12 @@
category = Custom BOT
description = Source Type for BOT Events
pulldown_type = 1
FIELDALIAS-src_dummy = ip_address as src
EVAL-client_ip = floor(source_ip_address/16777216).".".(floor(source_ip_address/65536)-256*floor(source_ip_address/16777216)).".".(floor(source_ip_address/256)-256*floor(source_ip_address/65536)).".".(floor(source_ip_address)-256*(floor(source_ip_address/256)))
EVAL-src = floor(source_ip_address/16777216).".".(floor(source_ip_address/65536)-256*floor(source_ip_address/16777216)).".".(floor(source_ip_address/256)-256*floor(source_ip_address/65536)).".".(floor(source_ip_address)-256*(floor(source_ip_address/256)))
EVAL-user = floor(source_ip_address/16777216).".".(floor(source_ip_address/65536)-256*floor(source_ip_address/16777216)).".".(floor(source_ip_address/256)-256*floor(source_ip_address/65536)).".".(floor(source_ip_address)-256*(floor(source_ip_address/256)))
FIELDALIAS-dest_dummy = domain_name as dest
FIELDALIAS-user_dummy = ip_address as user
FIELDALIAS-ids_type_dummy = bot_detection_mechanism_desc as ids_type
FIELDALIAS-signature_dummy = bot_category_desc as signature
FIELDALIAS-signature_dummy = bot_signature_category as signature
FIELDALIAS-severity_id_dummy = bot_severity_desc as severity_id
EVAL-category = "Bot attack"
EVAL-dvc = "ADC" . "-" . vserver_name . "-" . profile_name
Expand All @@ -17,7 +18,7 @@ LOOKUP-action_type_dummy = action_type action_type_desc OUTPUTNEW action
# Additional field normalizations for the Alert CIM Mapping
FIELDALIAS-app_dummy = bot_detection_mechanism_desc as app
EVAL-type = "BOT Attack"
FIELDALIAS-signature_id_dummy = bot_category_desc as signature_id
FIELDALIAS-signature_id_dummy = bot_signature_category as signature_id
# Non existing intrusion detection fields
EVAL-file_name = "Not available"
EVAL-file_path = "Not available"
Expand All @@ -33,38 +34,46 @@ EVAL-id = "Not applicable"
EVAL-vendor_account = "Not available"
EVAL-vendor_region = "Not available"
EVAL-mitre_technique_id = "T1583.005"
FIELDALIAS-src_type_dummy = violation_category as src_type
FIELDALIAS-dest_type_dummy = violation_category as dest_type
FIELDALIAS-user_name_dummy = ip_address as user_name
FIELDALIAS-src_type_dummy = bot_detection_mechanism_desc as src_type
FIELDALIAS-dest_type = "BOT Security Endpoint"
FIELDALIAS-user_name_dummy = client_ip as user_name
# To support searches for Dashboard panels
LOOKUP-bot_severity_custom = bot_severity_custom bot_severity_desc OUTPUT severity_level
FIELDALIAS-ip_address_dummy = ip_address as ip_address
FIELDALIAS-application_name_dummy = vserver_name as application_name
FIELDALIAS-application_name_dummy = appname as application_name
EVAL-event_category = "Bot"
FIELDALIAS-violation_detection_mechanism_dummy = bot_detection_mechanism_desc as violation_detection_mechanism
FIELDALIAS-attack_category_indicator_dummy = bot_category_desc as attack_category_indicator
EVAL-attack_category_indicator = bot_detection_mechanism_desc . "-" . bot_signature_category
EVAL-client_ip_address = floor(source_ip_address/16777216).".".(floor(source_ip_address/65536)-256*floor(source_ip_address/16777216)).".".(floor(source_ip_address/256)-256*floor(source_ip_address/65536)).".".(floor(source_ip_address)-256*(floor(source_ip_address/256)))
EVAL-ip_address = floor(source_ip_address/16777216).".".(floor(source_ip_address/65536)-256*floor(source_ip_address/16777216)).".".(floor(source_ip_address/256)-256*floor(source_ip_address/65536)).".".(floor(source_ip_address)-256*(floor(source_ip_address/256)))

[waf]
KV_MODE=json
category = Custom WAF
description = Source Type for WAF Events
pulldown_type = 1
FIELDALIAS-src_dummy = ip_address as src
FIELDALIAS-user_dummy = ip_address as user
FIELDALIAS-ids_type_dummy = violation_type as ids_type
FIELDALIAS-signature_dummy = violation_category as signature
# ip_address does not exist / source_ip_address exists which is the integer value of the IP
EVAL-client_ip = floor(source_ip_address/16777216).".".(floor(source_ip_address/65536)-256*floor(source_ip_address/16777216)).".".(floor(source_ip_address/256)-256*floor(source_ip_address/65536)).".".(floor(source_ip_address)-256*(floor(source_ip_address/256)))
EVAL-src = floor(source_ip_address/16777216).".".(floor(source_ip_address/65536)-256*floor(source_ip_address/16777216)).".".(floor(source_ip_address/256)-256*floor(source_ip_address/65536)).".".(floor(source_ip_address)-256*(floor(source_ip_address/256)))
EVAL-user = floor(source_ip_address/16777216).".".(floor(source_ip_address/65536)-256*floor(source_ip_address/16777216)).".".(floor(source_ip_address/256)-256*floor(source_ip_address/65536)).".".(floor(source_ip_address)-256*(floor(source_ip_address/256)))
# violation_type -> violation_type_desc
FIELDALIAS-ids_type_dummy = violation_type_desc as ids_type
# violation_category -> violation_category_desc
FIELDALIAS-signature_dummy = violation_category_desc as signature
# severity_type or severity hold the numeric value
FIELDALIAS-severity_id_dummy = severity_type as severity_id
EVAL-category = "WAF attack"
EVAL-dvc = "ADC" . "-" . vserver_name . "-" . profile_name
EVAL-vendor_product = "Citrix"
# We delete severity field which exists as a json field in the original message since CIM message has the same name
EVAL-severity = null
EXTRACT-dest = ^(?<dummy1>https?:\/\/)?(?<dummy2>[^@\/\n]+@)?(?<dummy3>www\.)?(?<dest>[^:\/\n]+) in http_req_url
LOOKUP-severity_dummy = waf_severity severity_type OUTPUTNEW severity
LOOKUP-action_dummy = violation_action_type violation_action OUTPUTNEW action
# severity_type -> severity_type_desc
LOOKUP-severity_dummy = waf_severity severity_type_desc OUTPUTNEW severity
# violation_action -> violation_action_desc
LOOKUP-action_dummy = violation_action_type violation_action_desc OUTPUTNEW action
# Additional field normalizations for the Alert CIM Mapping
FIELDALIAS-app_dummy = violation_type as app
# violation_type -> violation_type_desc
FIELDALIAS-app_dummy = violation_type_desc as app
EVAL-type = "WAF Attack"
FIELDALIAS-signature_id_dummy = violation_category as signature_id
# Non existing intrusion detection fields
Expand All @@ -79,19 +88,21 @@ EVAL-body = "Deprecated"
EVAL-subject = "Deprecated"
EVAL-description = "BOT Alert"
EVAL-id = "Not applicable"
FIELDALIAS-src_type_dummy = violation_category as src_type
FIELDALIAS-dest_type_dummy = violation_category as dest_type
FIELDALIAS-user_name_dummy = ip_address as user_name
# violation_category
FIELDALIAS-src_type_dummy = violation_category_desc as src_type
FIELDALIAS-dest_type_dummy = violation_category_desc as dest_type
FIELDALIAS-user_name_dummy = client_ip as user_name
EVAL-vendor_account = "Not available"
EVAL-vendor_region = "Not available"
EVAL-mitre_technique_id = "T1071"
# To support searches for Dashboard panels
LOOKUP-severity_waf = waf_severity_custom severity_type OUTPUT severity_level
FIELDALIAS-adc_ip_address_dummy = ip_address as adc_ip_address
LOOKUP-severity_waf = waf_severity_custom severity_type_desc OUTPUT severity_level
# FIELDALIAS-adc_ip_address_dummy = client_ip as adc_ip_address
FIELDALIAS-application_name_dummy = appname as application_name
EVAL-event_category = "WAF"
FIELDALIAS-violation_detection_mechanism_dummy = violation_category as violation_detection_mechanism
FIELDALIAS-attack_category_indicator_dummy = violation_category as attack_category_indicator
FIELDALIAS-violation_detection_mechanism_dummy = violation_category_desc as violation_detection_mechanism
FIELDALIAS-attack_category_indicator_dummy = violation_category_desc as attack_category_indicator
EVAL-ip_address = floor(source_ip_address/16777216).".".(floor(source_ip_address/65536)-256*floor(source_ip_address/16777216)).".".(floor(source_ip_address/256)-256*floor(source_ip_address/65536)).".".(floor(source_ip_address)-256*(floor(source_ip_address/256)))
EVAL-client_ip_address = floor(source_ip_address/16777216).".".(floor(source_ip_address/65536)-256*floor(source_ip_address/16777216)).".".(floor(source_ip_address/256)-256*floor(source_ip_address/65536)).".".(floor(source_ip_address)-256*(floor(source_ip_address/256)))

[account_takeover]
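Review bot: `FIELDALIAS-dest_type = "BOT Security Endpoint"` in the third props.conf hunk ([bot] stanza) assigns a string literal through a field alias, but FIELDALIAS takes `<field> as <alias>`, so this line will not populate dest_type; the constant belongs in `EVAL-dest_type = "BOT Security Endpoint"`, matching the other fixed values in the stanza. The new user_name aliases in both the [bot] and [waf] hunks (`FIELDALIAS-user_name_dummy = client_ip as user_name`) read client_ip, which is itself produced by `EVAL-client_ip`; Splunk applies field aliases before calculated fields, so user_name will come out empty, and the stanza's own pattern for src and user (an EVAL repeating the source_ip_address expression) is the working alternative. `LOOKUP-severity_dummy` now keys waf_severity.csv on severity_type_desc, and the rows of that lookup shown in this commit have no High entry while waf_severity_custom.csv does, so High events would get no severity unless such a row exists beyond what is visible. The commented-out `# FIELDALIAS-adc_ip_address_dummy = client_ip as adc_ip_address` should either be dropped or carry a comment explaining why it is retained.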
2 changes: 1 addition & 1 deletion citrix_cim_normalizer/lookups/violation_action_type.csv
@@ -1,4 +1,4 @@
violation_action,action
violation_action_desc,action
Not Blocked,allowed
Transformed,allowed
Unknown,allowed
4 changes: 2 additions & 2 deletions citrix_cim_normalizer/lookups/waf_severity.csv
@@ -1,5 +1,5 @@
severity_type,severity
severity_type_desc,severity
Critical,critical
Medium,medium
Low,low
None,informational
None,informational
2 changes: 1 addition & 1 deletion citrix_cim_normalizer/lookups/waf_severity_custom.csv
@@ -1,4 +1,4 @@
severity_type,severity_level
severity_type_desc,severity_level
Critical,CRITICAL
High,HIGH
Medium,MEDIUM
