#!/usr/bin/env python
########################################################################
# RSA2ELK, by Vincent Maury
# Converts Netwitness log parser configuration to Logstash configuration
# see https://github.com/blookot/rsa2elk
########################################################################
import config
import re
# line separator for the logstash conf: a bare \n (LF, as on linux) despite the CR name
CR = chr(10)  # newline used between generated logstash conf lines; LF only, no carriage return
# insert n times a tab
def t(n):
    """Return ``n`` tab characters.

    ``n`` of zero or less yields the empty string.
    """
    return "\t" * n
# remove dots in field names
def removeDots(s):
    """Rewrite a dotted field name as a bracketed path.

    ``"a.b.c"`` becomes ``"[a][b][c]"`` (the ``[a][b]`` form Logstash uses for
    nested fields); a name without any dot is returned unchanged. Empty
    components are kept, so ``"a..b"`` gives ``"[a][][b]"``.
    """
    if "." not in s:
        return s
    return "".join("[" + part + "]" for part in s.split("."))
# extract date fields from functions string, example is @event_time:*EVNTTIME($MSG,'%B %F %N:%U:%O %W',datetime)
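def extractDateFields(s):
    """Return the target-field argument(s) of the ``EVNTTIME(...)`` call in ``s``.

    ``s`` is a Netwitness functions string such as
    ``@event_time:*EVNTTIME($MSG,'%B %F %N:%U:%O %W',datetime)``. The result is
    the raw text between the second top-level comma and the closing parenthesis
    (``datetime`` here), so several comma-separated fields come back as one
    string, exactly as written (no whitespace stripping).

    Commas inside the single-quoted format argument are not counted, so a
    format such as ``'%B %F, %W'`` does not shift the field boundary. Returns
    ``""`` when there is no ``EVNTTIME`` call, fewer than three arguments, or no
    closing parenthesis (previously a missing ``)`` silently returned the tail
    of ``s`` minus its last character).
    """
    start = s.find("EVNTTIME")
    if start == -1:
        return ""
    in_quote = False
    commas = 0
    field_start = -1
    for i in range(start, len(s)):
        ch = s[i]
        if ch == "'":
            # toggle so commas inside the quoted date format do not count
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch == ",":
            commas += 1
            if commas == 2:
                field_start = i + 1
        elif ch == ")":
            # first unquoted ")" ends the call; nothing usable before the 3rd argument
            return s[field_start:i] if field_start != -1 else ""
    # no closing parenthesis after the field argument
    return ""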
# extract date parsing format from functions string and convert to logstash format
# change date, ref is https://community.rsa.com/docs/DOC-85016 pages 37-38 vs https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html#plugins-filters-date-match
# for example "10/Oct/2000:13:55:36 -0700" is parsed in RSA with "%D/%B/%W:%N:%U:%O" and "dd/MMM/yyyy:HH:mm:ss" in logstash
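# RSA EVNTTIME directive -> Logstash date-filter pattern letters.
# Order does not matter: no replacement text contains a "%", so one
# substitution can never create another directive.
_RSA_DATE_DIRECTIVES = {
    "%C": "M/d/yy H:m:s",
    "%R": "MMMM",
    "%B": "MMM",
    "%M": "MM",
    "%G": "M",
    "%D": "dd",
    "%F": "d",
    "%H": "HH",
    "%I": "HH",
    "%N": "H",
    "%T": "mm",
    "%U": "m",
    "%J": "D",
    "%P": "a",
    "%S": "ss",
    "%O": "s",
    "%Y": "yy",
    "%W": "yyyy",
    "%Z": "H:m:s",
    "%A": "D",
    "%X": "UNIX",
}

# One token of an RSA date format: a "%" directive, or a run of plain ASCII
# letters that is literal text and must be single-quoted for the date parser.
_RSA_DATE_TOKEN = re.compile(r"%[A-Za-z]|[A-Za-z]+")


def convertDate(s):
    """Convert the format of an ``EVNTTIME(...)`` call to a Logstash date-filter pattern.

    ``s`` is a Netwitness functions string such as
    ``@event_time:*EVNTTIME($MSG,'%D/%B/%W:%N:%U:%O',datetime)``. The
    single-quoted format is translated directive by directive (see
    ``_RSA_DATE_DIRECTIVES``; RSA reference: https://community.rsa.com/docs/DOC-85016
    pages 37-38, Logstash reference: the ``match`` option of the date filter),
    giving ``dd/MMM/yyyy:H:m:s`` here. Non-letter characters are copied through.

    Letters that are not part of a ``%`` directive are literal text and are
    wrapped in single quotes. A run of adjacent letters (``GMT``) is quoted as
    one literal, ``'GMT'``: in the Joda-style patterns the date filter uses,
    ``''`` inside quoted text denotes a single quote, so the per-letter form
    ``'G''M''T'`` would be read as the literal ``G'M'T`` instead.

    Returns ``""`` when there is no ``EVNTTIME`` call or no quoted format. An
    unknown directive is left untouched (and reported when ``config.DEBUG`` is
    set), so a ``%`` in the result means the table needs a new entry.
    """
    start = s.find("EVNTTIME")
    if start == -1:
        return ""
    a = s.find("'", start)
    if a == -1:
        return ""
    b = s.find("'", a + 1)
    if b <= a:
        return ""
    sub = s[a + 1:b]

    def _translate(m):
        token = m.group(0)
        if token.startswith("%"):
            return _RSA_DATE_DIRECTIVES.get(token, token)
        return "'" + token + "'"

    c = _RSA_DATE_TOKEN.sub(_translate, sub)
    if "%" in c and config.DEBUG:
        print("Missing a condition in date conversion")
    return c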
# converting STRCAT
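# a STRCAT argument that starts with a letter is a field reference, not a literal
_STRCAT_FIELD = re.compile("^[a-zA-Z]+.*")


def _splitStrcatArgs(s):
    """Return the argument list of the first ``(...)`` in ``s``, or ``None``.

    Splits on commas that are outside single/double quotes and stops at the
    first closing parenthesis outside quotes, so literals such as ``', '`` or
    ``')'`` survive intact. Each argument is returned verbatim (quotes and
    surrounding whitespace included). ``None`` means there was no opening
    parenthesis or no closing one.
    """
    iFirstPar = s.find("(")
    if iFirstPar == -1:
        return None
    args = []
    current = []
    quote = None
    for ch in s[iFirstPar + 1:]:
        if quote is not None:
            current.append(ch)
            if ch == quote:
                quote = None
        elif ch == "'" or ch == '"':
            quote = ch
            current.append(ch)
        elif ch == ",":
            args.append("".join(current))
            current = []
        elif ch == ")":
            args.append("".join(current))
            return args
        else:
            current.append(ch)
    return None


def convertStrcat(s):
    """Convert a Netwitness ``STRCAT(...)`` expression into a Logstash ``%{field}`` string.

    Each argument is either a quoted literal (single or double quotes), which is
    emitted as its content, or a bare name starting with a letter, which becomes
    a ``%{name}`` field reference; anything else is appended as-is after
    stripping surrounding whitespace. ``STRCAT(fld1,'-',fld2)`` gives
    ``%{fld1}-%{fld2}``.

    Whitespace *inside* a quoted literal is content and is preserved, so the
    common separator ``' '`` yields a space rather than nothing; commas inside
    quotes do not split the argument. Returns ``""`` (and reports when
    ``config.DEBUG`` is set) if the parentheses cannot be located.

    The result is not escaped for embedding in a Logstash config string; the
    caller is responsible for quoting it.
    """
    args = _splitStrcatArgs(s)
    if args is None:
        if config.DEBUG: print("Couldn't parse STRCAT string")
        return ""
    pieces = []
    for arg in args:
        stripped = arg.strip()
        if "'" in arg:
            # single-quoted literal: strip around the quotes, keep what is inside them
            pieces.append(stripped.replace("'", ""))
        elif '"' in arg:
            # double-quoted literal, handled the same way
            pieces.append(stripped.replace('"', ""))
        elif _STRCAT_FIELD.match(stripped):
            # first character is a letter, i.e. a field name
            pieces.append("%{" + stripped + "}")
        elif arg == "\t":
            # a bare tab argument
            pieces.append("\\t")
        else:
            pieces.append(stripped)
    return "".join(pieces)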
# escaping " in grok content and wrapping it in double quotes; ^ and $ anchors are added unless config.NO_GROK_ANCHORS is set
def escapeGrok(s):
    """Wrap ``s`` as a double-quoted string usable as a grok match in a Logstash config.

    Every double quote in ``s`` is prefixed with a backslash and surrounding
    whitespace is stripped. Unless ``config.NO_GROK_ANCHORS`` is set, ``^`` and
    ``$`` are added inside the quotes so the pattern must match the whole line.

    Only ``"`` is escaped: backslashes in ``s`` pass through unchanged, so the
    input is expected to be already written the way the config file needs it
    (e.g. the output of ``escapeRegex``). NOTE(review): a raw, unescaped
    trailing backslash in ``s`` would likely escape the closing quote and break
    the generated config - confirm callers never pass one.
    """
    body = s.replace('"', '\\"').strip()
    if config.NO_GROK_ANCHORS:
        return '"' + body + '"'
    return '"^' + body + '$"'
# escape regex metacharacters for grok (\ . ^ $ * + - ? ( ) [ ] { } |) and rewrite tab/LF/CR as \t \n \r and space as \s
# single-character escapes applied in one pass; the backslash entry is safe
# alongside the others because translate() does not re-scan replacement text
_GROK_ESCAPES = str.maketrans({
    "\\": "\\\\", ".": "\\.", "^": "\\^", "$": "\\$",
    "*": "\\*", "+": "\\+", "-": "\\-", "?": "\\?",
    "(": "\\(", ")": "\\)", "[": "\\[", "]": "\\]",
    "{": "\\{", "}": "\\}", "|": "\\|",
    chr(9): "\\t", chr(10): "\\n", chr(13): "\\r", " ": "\\s",
})


def escapeRegex(s):
    """Escape ``s`` so it matches literally inside a grok pattern.

    Regex metacharacters (``\\ . ^ $ * + - ? ( ) [ ] { } |``) get a leading
    backslash; a tab, line feed and carriage return become the two-character
    sequences ``\\t``, ``\\n`` and ``\\r``; a space becomes ``\\s``. Everything
    else is copied unchanged, so an empty string stays empty.

    The doubled backslash and ``\\t``-style sequences are written for the
    config file as text. NOTE(review): this appears to assume Logstash's
    default ``config.support_escapes: false``; with escape processing enabled
    the ``\\\\`` produced for a literal backslash would be collapsed again
    before the regex sees it - confirm against the target Logstash setup.
    """
    return s.translate(_GROK_ESCAPES)