Palo Alto Minemeld support files
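# rsyslog pipeline for Palo Alto Networks NGFW logs:
#   TCP/13514  ->  PAN-OS header parser  ->  liblognorm field extraction
#              ->  one JSON document per record  ->  RabbitMQ fanout exchange
# consumed by MineMeld. The field names come from the companion rulebase
# /etc/rsyslog.d/palo_alto_networks.rb.
module(load="imtcp")          # plain TCP syslog listener
module(load="pmpanngfw")      # PAN-OS specific syslog header parser
module(load="mmnormalize")    # liblognorm-based field extraction into $!
module(load="omrabbitmq")     # AMQP output

# Serialize the whole normalized property tree ($!...) as a single JSON
# object per line. RainerScript form of the legacy
#   $template alljson,"%$!all-json%\n"
# so the file uses one configuration dialect throughout.
template(name="alljson" type="string" string="%$!all-json%\n")

# Header parsers are tried in list order: the PAN-OS parser first, then the
# standard RFC5424 / RFC3164 fallbacks.
ruleset(name="pan-ngfw" parser=["rsyslog.panngfw", "rsyslog.rfc5424", "rsyslog.rfc3164"]) {
    # Tokenize the record into $! fields. userawmsg="on" normalizes the
    # raw message rather than only the MSG part left after header parsing.
    action(type="mmnormalize" rulebase="/etc/rsyslog.d/palo_alto_networks.rb" userawmsg="on")

    # Forward only records the rulebase parsed completely. A record that
    # matches no rule leaves $!unparsed-data non-empty, skips this block and
    # is dropped when the ruleset ends - silently. Consider adding an action
    # (counter or file) for that case so a parsing gap, e.g. a new PAN-OS
    # column layout, becomes visible instead of losing threat telemetry.
    if strlen($!unparsed-data) == 0 then {
        # URL-filtering THREAT records carry the URL in the generic "misc"
        # column; expose it under a stable name for consumers.
        if $!log_subtype == "url" then set $!url = $!misc;

        # NOTE(review): "guest"/"guest" are the RabbitMQ default credentials
        # and the AMQP connection is unencrypted. That is tolerable only while
        # the broker listens on loopback; before exposing it use a dedicated
        # least-privilege account and keep the secret out of this file (e.g.
        # an include file with restricted permissions).
        # delivery_mode="1" is non-persistent: queued records are lost if the
        # broker restarts.
        action(type="omrabbitmq"
               host="localhost"
               virtual_host="/"
               user="guest"
               password="guest"
               exchange="mmeld-syslog"
               routing_key=""
               exchange_type="fanout"
               delivery_mode="1"
               auto_delete="off"
               body_template="alljson")
        stop
    }
}

# Plaintext TCP listener bound to the ruleset above. Anything that can reach
# this port can inject "firewall" records into the feed; restrict reachability
# to the firewall management addresses (host firewall, or imtcp's address
# binding where the installed version supports it).
input(type="imtcp" port="13514" ruleset="pan-ngfw")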
# liblognorm (v1 syntax) rulebase for Palo Alto Networks PAN-OS syslog,
# used by the mmnormalize action in the companion rsyslog configuration.
# Each rule consumes the tab-separated (\x09) body of one record and stores
# every column as a named field; the literal TRAFFIC / THREAT token in the
# fourth column selects the record type. Column layouts differ between
# PAN-OS releases, so one rule per release is kept (the _5_0 .. _8_0
# suffixes). A record presumably only matches the variant whose column
# count fits exactly; a record matching no rule is left with unparsed-data
# set, which the rsyslog side tests before forwarding.
# future_useN columns are reserved by PAN-OS and kept only so the later
# columns stay aligned.
# NOTE(review): every extracted value (src_user, misc/URL, user_agent,
# referrer, sender, subject, ...) is a string copied from traffic the
# firewall observed and is therefore attacker-influenced; downstream
# consumers must treat these fields as untrusted data.
# TRAFFIC rules
rule=TRAFFIC,TRAFFIC_FIELDS_7_0:%future_use1:char-sep:\x09%\x09%receive_time:char-sep:\x09%\x09%serial_number:char-sep:\x09%\x09TRAFFIC\x09%log_subtype:char-sep:\x09%\x09%future_use2:char-sep:\x09%\x09%generated_time:char-sep:\x09%\x09%src_ip:char-sep:\x09%\x09%dest_ip:char-sep:\x09%\x09%src_translated_ip:char-sep:\x09%\x09%dest_translated_ip:char-sep:\x09%\x09%rule:char-sep:\x09%\x09%src_user:char-sep:\x09%\x09%dest_user:char-sep:\x09%\x09%app:char-sep:\x09%\x09%virtual_system:char-sep:\x09%\x09%src_zone:char-sep:\x09%\x09%dest_zone:char-sep:\x09%\x09%src_interface:char-sep:\x09%\x09%dest_interface:char-sep:\x09%\x09%log_forwarding_profile:char-sep:\x09%\x09%future_use3:char-sep:\x09%\x09%session_id:char-sep:\x09%\x09%repeat_count:char-sep:\x09%\x09%src_port:char-sep:\x09%\x09%dest_port:char-sep:\x09%\x09%src_translated_port:char-sep:\x09%\x09%dest_translated_port:char-sep:\x09%\x09%flags:char-sep:\x09%\x09%protocol:char-sep:\x09%\x09%action:char-sep:\x09%\x09%bytes:char-sep:\x09%\x09%bytes_out:char-sep:\x09%\x09%bytes_in:char-sep:\x09%\x09%packets:char-sep:\x09%\x09%start_time:char-sep:\x09%\x09%duration:char-sep:\x09%\x09%category:char-sep:\x09%\x09%future_use4:char-sep:\x09%\x09%sequence_number:char-sep:\x09%\x09%action_flags:char-sep:\x09%\x09%src_location:char-sep:\x09%\x09%dest_location:char-sep:\x09%\x09%future_use5:char-sep:\x09%\x09%packets_out:char-sep:\x09%\x09%packets_in:char-sep:\x09%\x09%session_end_reason:char-sep:\x09%\x09%dg_hier_level_1:char-sep:\x09%\x09%dg_hier_level_2:char-sep:\x09%\x09%dg_hier_level_3:char-sep:\x09%\x09%dg_hier_level_4:char-sep:\x09%\x09%vsys_name:char-sep:\x09%\x09%device_name:char-sep:\x09%\x09%action_source:char-sep:\x09%
rule=TRAFFIC,TRAFFIC_FIELDS_6_1:%future_use1:char-sep:\x09%\x09%receive_time:char-sep:\x09%\x09%serial_number:char-sep:\x09%\x09TRAFFIC\x09%log_subtype:char-sep:\x09%\x09%future_use2:char-sep:\x09%\x09%generated_time:char-sep:\x09%\x09%src_ip:char-sep:\x09%\x09%dest_ip:char-sep:\x09%\x09%src_translated_ip:char-sep:\x09%\x09%dest_translated_ip:char-sep:\x09%\x09%rule:char-sep:\x09%\x09%src_user:char-sep:\x09%\x09%dest_user:char-sep:\x09%\x09%app:char-sep:\x09%\x09%virtual_system:char-sep:\x09%\x09%src_zone:char-sep:\x09%\x09%dest_zone:char-sep:\x09%\x09%src_interface:char-sep:\x09%\x09%dest_interface:char-sep:\x09%\x09%log_forwarding_profile:char-sep:\x09%\x09%future_use3:char-sep:\x09%\x09%session_id:char-sep:\x09%\x09%repeat_count:char-sep:\x09%\x09%src_port:char-sep:\x09%\x09%dest_port:char-sep:\x09%\x09%src_translated_port:char-sep:\x09%\x09%dest_translated_port:char-sep:\x09%\x09%flags:char-sep:\x09%\x09%protocol:char-sep:\x09%\x09%action:char-sep:\x09%\x09%bytes:char-sep:\x09%\x09%bytes_out:char-sep:\x09%\x09%bytes_in:char-sep:\x09%\x09%packets:char-sep:\x09%\x09%start_time:char-sep:\x09%\x09%duration:char-sep:\x09%\x09%category:char-sep:\x09%\x09%future_use4:char-sep:\x09%\x09%sequence_number:char-sep:\x09%\x09%action_flags:char-sep:\x09%\x09%src_location:char-sep:\x09%\x09%dest_location:char-sep:\x09%\x09%future_use5:char-sep:\x09%\x09%packets_out:char-sep:\x09%\x09%packets_in:char-sep:\x09%\x09%session_end_reason:char-sep:\x09%
rule=TRAFFIC,TRAFFIC_FIELDS_6_0:%future_use1:char-sep:\x09%\x09%receive_time:char-sep:\x09%\x09%serial_number:char-sep:\x09%\x09TRAFFIC\x09%log_subtype:char-sep:\x09%\x09%future_use2:char-sep:\x09%\x09%generated_time:char-sep:\x09%\x09%src_ip:char-sep:\x09%\x09%dest_ip:char-sep:\x09%\x09%src_translated_ip:char-sep:\x09%\x09%dest_translated_ip:char-sep:\x09%\x09%rule:char-sep:\x09%\x09%src_user:char-sep:\x09%\x09%dest_user:char-sep:\x09%\x09%app:char-sep:\x09%\x09%virtual_system:char-sep:\x09%\x09%src_zone:char-sep:\x09%\x09%dest_zone:char-sep:\x09%\x09%src_interface:char-sep:\x09%\x09%dest_interface:char-sep:\x09%\x09%log_forwarding_profile:char-sep:\x09%\x09%future_use3:char-sep:\x09%\x09%session_id:char-sep:\x09%\x09%repeat_count:char-sep:\x09%\x09%src_port:char-sep:\x09%\x09%dest_port:char-sep:\x09%\x09%src_translated_port:char-sep:\x09%\x09%dest_translated_port:char-sep:\x09%\x09%flags:char-sep:\x09%\x09%protocol:char-sep:\x09%\x09%action:char-sep:\x09%\x09%bytes:char-sep:\x09%\x09%bytes_out:char-sep:\x09%\x09%bytes_in:char-sep:\x09%\x09%packets:char-sep:\x09%\x09%start_time:char-sep:\x09%\x09%duration:char-sep:\x09%\x09%category:char-sep:\x09%\x09%future_use4:char-sep:\x09%\x09%sequence_number:char-sep:\x09%\x09%action_flags:char-sep:\x09%\x09%src_location:char-sep:\x09%\x09%dest_location:char-sep:\x09%\x09%future_use5:char-sep:\x09%\x09%packets_out:char-sep:\x09%\x09%packets_in:char-sep:\x09%
# THREAT rules
# For url-filtering records the "misc" column holds the requested URL; the
# rsyslog configuration copies it into $!url when log_subtype == "url".
rule=THREAT,THREAT_FIELDS_7_0:%future_use1:char-sep:\x09%\x09%receive_time:char-sep:\x09%\x09%serial_number:char-sep:\x09%\x09THREAT\x09%log_subtype:char-sep:\x09%\x09%future_use2:char-sep:\x09%\x09%generated_time:char-sep:\x09%\x09%src_ip:char-sep:\x09%\x09%dest_ip:char-sep:\x09%\x09%src_translated_ip:char-sep:\x09%\x09%dest_translated_ip:char-sep:\x09%\x09%rule:char-sep:\x09%\x09%src_user:char-sep:\x09%\x09%dest_user:char-sep:\x09%\x09%app:char-sep:\x09%\x09%virtual_system:char-sep:\x09%\x09%src_zone:char-sep:\x09%\x09%dest_zone:char-sep:\x09%\x09%src_interface:char-sep:\x09%\x09%dest_interface:char-sep:\x09%\x09%log_forwarding_profile:char-sep:\x09%\x09%future_use3:char-sep:\x09%\x09%session_id:char-sep:\x09%\x09%repeat_count:char-sep:\x09%\x09%src_port:char-sep:\x09%\x09%dest_port:char-sep:\x09%\x09%src_translated_port:char-sep:\x09%\x09%dest_translated_port:char-sep:\x09%\x09%flags:char-sep:\x09%\x09%protocol:char-sep:\x09%\x09%action:char-sep:\x09%\x09%misc:char-sep:\x09%\x09%threat_name:char-sep:\x09%\x09%category:char-sep:\x09%\x09%severity:char-sep:\x09%\x09%direction:char-sep:\x09%\x09%sequence_number:char-sep:\x09%\x09%action_flags:char-sep:\x09%\x09%src_location:char-sep:\x09%\x09%dest_location:char-sep:\x09%\x09%future_use4:char-sep:\x09%\x09%content_type:char-sep:\x09%\x09%pcap_id:char-sep:\x09%\x09%url_idx:char-sep:\x09%\x09%cloud_address:char-sep:\x09%\x09%future_use5:char-sep:\x09%\x09%user_agent:char-sep:\x09%\x09%filetype:char-sep:\x09%\x09%xff:char-sep:\x09%\x09%referrer:char-sep:\x09%\x09%sender:char-sep:\x09%\x09%subject:char-sep:\x09%\x09%recipient:char-sep:\x09%\x09%report_id:char-sep:\x09%\x09%dg_hier_level_1:char-sep:\x09%\x09%dg_hier_level_2:char-sep:\x09%\x09%dg_hier_level_3:char-sep:\x09%\x09%dg_hier_level_4:char-sep:\x09%\x09%vsys_name:char-sep:\x09%\x09%device_name:char-sep:\x09%\x09%file_url:char-sep:\x09%
# 8_0_unknown_N: trailing columns introduced with PAN-OS 8.0 that are not
# yet mapped to their documented names - TODO name them from the PAN-OS 8.0
# threat log field reference.
rule=THREAT,THREAT_FIELDS_8_0:%future_use1:char-sep:\x09%\x09%receive_time:char-sep:\x09%\x09%serial_number:char-sep:\x09%\x09THREAT\x09%log_subtype:char-sep:\x09%\x09%future_use2:char-sep:\x09%\x09%generated_time:char-sep:\x09%\x09%src_ip:char-sep:\x09%\x09%dest_ip:char-sep:\x09%\x09%src_translated_ip:char-sep:\x09%\x09%dest_translated_ip:char-sep:\x09%\x09%rule:char-sep:\x09%\x09%src_user:char-sep:\x09%\x09%dest_user:char-sep:\x09%\x09%app:char-sep:\x09%\x09%virtual_system:char-sep:\x09%\x09%src_zone:char-sep:\x09%\x09%dest_zone:char-sep:\x09%\x09%src_interface:char-sep:\x09%\x09%dest_interface:char-sep:\x09%\x09%log_forwarding_profile:char-sep:\x09%\x09%future_use3:char-sep:\x09%\x09%session_id:char-sep:\x09%\x09%repeat_count:char-sep:\x09%\x09%src_port:char-sep:\x09%\x09%dest_port:char-sep:\x09%\x09%src_translated_port:char-sep:\x09%\x09%dest_translated_port:char-sep:\x09%\x09%flags:char-sep:\x09%\x09%protocol:char-sep:\x09%\x09%action:char-sep:\x09%\x09%misc:char-sep:\x09%\x09%threat_name:char-sep:\x09%\x09%category:char-sep:\x09%\x09%severity:char-sep:\x09%\x09%direction:char-sep:\x09%\x09%sequence_number:char-sep:\x09%\x09%action_flags:char-sep:\x09%\x09%src_location:char-sep:\x09%\x09%dest_location:char-sep:\x09%\x09%future_use4:char-sep:\x09%\x09%content_type:char-sep:\x09%\x09%pcap_id:char-sep:\x09%\x09%url_idx:char-sep:\x09%\x09%cloud_address:char-sep:\x09%\x09%future_use5:char-sep:\x09%\x09%user_agent:char-sep:\x09%\x09%filetype:char-sep:\x09%\x09%xff:char-sep:\x09%\x09%referrer:char-sep:\x09%\x09%sender:char-sep:\x09%\x09%subject:char-sep:\x09%\x09%recipient:char-sep:\x09%\x09%report_id:char-sep:\x09%\x09%dg_hier_level_1:char-sep:\x09%\x09%dg_hier_level_2:char-sep:\x09%\x09%dg_hier_level_3:char-sep:\x09%\x09%dg_hier_level_4:char-sep:\x09%\x09%vsys_name:char-sep:\x09%\x09%device_name:char-sep:\x09%\x09%file_url:char-sep:\x09%\x09%8_0_unknown_1:char-sep:\x09%\x09%8_0_unknown_2:char-sep:\x09%\x09%8_0_unknown_3:char-sep:\x09%\x09%8_0_unknown_4:char-sep:\x09%\x09%8_0_unknown_5:char-sep:\x09%\x09%8_0_unknown_6:char-sep:\x09%\x09%8_0_unknown_7:char-sep:\x09%\x09%8_0_unknown_8:char-sep:\x09%\x09%8_0_unknown_9:char-sep:\x09%\x09%8_0_unknown_10:char-sep:\x09%\x09%8_0_unknown_11:char-sep:\x09%
rule=THREAT,THREAT_FIELDS_5_0:%future_use1:char-sep:\x09%\x09%receive_time:char-sep:\x09%\x09%serial_number:char-sep:\x09%\x09THREAT\x09%log_subtype:char-sep:\x09%\x09%future_use2:char-sep:\x09%\x09%generated_time:char-sep:\x09%\x09%src_ip:char-sep:\x09%\x09%dest_ip:char-sep:\x09%\x09%src_translated_ip:char-sep:\x09%\x09%dest_translated_ip:char-sep:\x09%\x09%rule:char-sep:\x09%\x09%src_user:char-sep:\x09%\x09%dest_user:char-sep:\x09%\x09%app:char-sep:\x09%\x09%virtual_system:char-sep:\x09%\x09%src_zone:char-sep:\x09%\x09%dest_zone:char-sep:\x09%\x09%src_interface:char-sep:\x09%\x09%dest_interface:char-sep:\x09%\x09%log_forwarding_profile:char-sep:\x09%\x09%future_use3:char-sep:\x09%\x09%session_id:char-sep:\x09%\x09%repeat_count:char-sep:\x09%\x09%src_port:char-sep:\x09%\x09%dest_port:char-sep:\x09%\x09%src_translated_port:char-sep:\x09%\x09%dest_translated_port:char-sep:\x09%\x09%flags:char-sep:\x09%\x09%protocol:char-sep:\x09%\x09%action:char-sep:\x09%\x09%misc:char-sep:\x09%\x09%threat_name:char-sep:\x09%\x09%category:char-sep:\x09%\x09%severity:char-sep:\x09%\x09%direction:char-sep:\x09%\x09%sequence_number:char-sep:\x09%\x09%action_flags:char-sep:\x09%\x09%src_location:char-sep:\x09%\x09%dest_location:char-sep:\x09%\x09%future_use4:char-sep:\x09%\x09%content_type:char-sep:\x09%
rule=THREAT,THREAT_FIELDS_6_1:%future_use1:char-sep:\x09%\x09%receive_time:char-sep:\x09%\x09%serial_number:char-sep:\x09%\x09THREAT\x09%log_subtype:char-sep:\x09%\x09%future_use2:char-sep:\x09%\x09%generated_time:char-sep:\x09%\x09%src_ip:char-sep:\x09%\x09%dest_ip:char-sep:\x09%\x09%src_translated_ip:char-sep:\x09%\x09%dest_translated_ip:char-sep:\x09%\x09%rule:char-sep:\x09%\x09%src_user:char-sep:\x09%\x09%dest_user:char-sep:\x09%\x09%app:char-sep:\x09%\x09%virtual_system:char-sep:\x09%\x09%src_zone:char-sep:\x09%\x09%dest_zone:char-sep:\x09%\x09%src_interface:char-sep:\x09%\x09%dest_interface:char-sep:\x09%\x09%log_forwarding_profile:char-sep:\x09%\x09%future_use3:char-sep:\x09%\x09%session_id:char-sep:\x09%\x09%repeat_count:char-sep:\x09%\x09%src_port:char-sep:\x09%\x09%dest_port:char-sep:\x09%\x09%src_translated_port:char-sep:\x09%\x09%dest_translated_port:char-sep:\x09%\x09%flags:char-sep:\x09%\x09%protocol:char-sep:\x09%\x09%action:char-sep:\x09%\x09%misc:char-sep:\x09%\x09%threat_name:char-sep:\x09%\x09%category:char-sep:\x09%\x09%severity:char-sep:\x09%\x09%direction:char-sep:\x09%\x09%sequence_number:char-sep:\x09%\x09%action_flags:char-sep:\x09%\x09%src_location:char-sep:\x09%\x09%dest_location:char-sep:\x09%\x09%future_use4:char-sep:\x09%\x09%content_type:char-sep:\x09%\x09%pcap_id:char-sep:\x09%\x09%url_idx:char-sep:\x09%\x09%cloud_address:char-sep:\x09%\x09%future_use5:char-sep:\x09%\x09%user_agent:char-sep:\x09%\x09%filetype:char-sep:\x09%\x09%xff:char-sep:\x09%\x09%referrer:char-sep:\x09%\x09%sender:char-sep:\x09%\x09%subject:char-sep:\x09%\x09%recipient:char-sep:\x09%\x09%report_id:char-sep:\x09%
rule=THREAT,THREAT_FIELDS_6_0:%future_use1:char-sep:\x09%\x09%receive_time:char-sep:\x09%\x09%serial_number:char-sep:\x09%\x09THREAT\x09%log_subtype:char-sep:\x09%\x09%future_use2:char-sep:\x09%\x09%generated_time:char-sep:\x09%\x09%src_ip:char-sep:\x09%\x09%dest_ip:char-sep:\x09%\x09%src_translated_ip:char-sep:\x09%\x09%dest_translated_ip:char-sep:\x09%\x09%rule:char-sep:\x09%\x09%src_user:char-sep:\x09%\x09%dest_user:char-sep:\x09%\x09%app:char-sep:\x09%\x09%virtual_system:char-sep:\x09%\x09%src_zone:char-sep:\x09%\x09%dest_zone:char-sep:\x09%\x09%src_interface:char-sep:\x09%\x09%dest_interface:char-sep:\x09%\x09%log_forwarding_profile:char-sep:\x09%\x09%future_use3:char-sep:\x09%\x09%session_id:char-sep:\x09%\x09%repeat_count:char-sep:\x09%\x09%src_port:char-sep:\x09%\x09%dest_port:char-sep:\x09%\x09%src_translated_port:char-sep:\x09%\x09%dest_translated_port:char-sep:\x09%\x09%flags:char-sep:\x09%\x09%protocol:char-sep:\x09%\x09%action:char-sep:\x09%\x09%misc:char-sep:\x09%\x09%threat_name:char-sep:\x09%\x09%category:char-sep:\x09%\x09%severity:char-sep:\x09%\x09%direction:char-sep:\x09%\x09%sequence_number:char-sep:\x09%\x09%action_flags:char-sep:\x09%\x09%src_location:char-sep:\x09%\x09%dest_location:char-sep:\x09%\x09%future_use4:char-sep:\x09%\x09%content_type:char-sep:\x09%\x09%pcap_id:char-sep:\x09%\x09%url_idx:char-sep:\x09%\x09%cloud_address:char-sep:\x09%
# Tag every normalized record with its log type so consumers can dispatch
# on $!type without re-inspecting the columns.
annotate=TRAFFIC:+type="TRAFFIC"
annotate=THREAT:+type="THREAT"