Unifi s01 parser

Hi all,

still doing an attempt at writing a s01 Unifi parser... I have gotten it working a fair bit, however I have now added a 2nd line (which follows the same structure and should work afaik) but it doesn't...

Parser:

pattern_syntax:
  ACTION: '(A|D|R)'
  ZONE: '(LAN|WAN|LOCAL|VPN|DMZ)'
nodes:
  - grok:
      pattern: '^\[%{ZONE:src_zone}_%{ZONE:dst_zone}-%{ACTION:action}-%{INT:rule_id}\] DESCR="%{DATA:fw_descr}" IN=%{DATA:skip1} SRC=%{IP:source_ip} DST=%{IP:dst_ip} LEN=%{DATA:skip2} PROTO=%{WORD:proto} SPT=%{INT:src_port} DPT=%{INT:dst_port} %{GREEDYDATA:unparsed_remainder}'
      apply_on: message

pattern_syntax:
  ACTION: '(A|D|R)'
  ZONE: '(LAN|WAN|LOCAL|VPN|DMZ)'
nodes:
  - grok:
      pattern: '^\[%{ZONE:src_zone}_%{ZONE:dst_zone}-%{ACTION:action}-%{INT:rule_id}\] DESCR="%{DATA:fw_descr}" IN=%{DATA:skip1} SRC=%{IP:source_ip} DST=%{IP:dst_ip} LEN=%{DATA:skip2} PROTO=%{WORD:proto} SPT=%{INT:src_port} DPT=%{INT:dst_port} %{GREEDYDATA:unparsed_remainder}'
      apply_on: message

log lines:

Jun 13 23:29:15 UDMP-DTC [WAN_LOCAL-D-2147483647] DESCR="[WAN_LOCAL]Block All Traffic" IN=eth8 OUT= MAC=74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00 SRC=119.93.140.247 DST=1.1.1.1 LEN=122 TOS=00 PREC=0x00 TTL=49 ID=45366 DF PROTO=UDP SPT=38451 DPT=54329 LEN=102 MARK=1a0000
Jun 14 00:07:58 UDMP-DTC [LAN_WAN-R-10001] DESCR="block-test" IN=br202 OUT=eth8 MAC=74:ac:b9:1c:62:e6:bc:24:11:e9:c6:69:08:00 SRC=192.168.202.12 DST=1.1.1.1 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=62762 DF PROTO=ICMP TYPE=8 CODE=0 ID=5541 SEQ=18 MARK=1a0000

Jun 13 23:29:15 UDMP-DTC [WAN_LOCAL-D-2147483647] DESCR="[WAN_LOCAL]Block All Traffic" IN=eth8 OUT= MAC=74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00 SRC=119.93.140.247 DST=1.1.1.1 LEN=122 TOS=00 PREC=0x00 TTL=49 ID=45366 DF PROTO=UDP SPT=38451 DPT=54329 LEN=102 MARK=1a0000
Jun 14 00:07:58 UDMP-DTC [LAN_WAN-R-10001] DESCR="block-test" IN=br202 OUT=eth8 MAC=74:ac:b9:1c:62:e6:bc:24:11:e9:c6:69:08:00 SRC=192.168.202.12 DST=1.1.1.1 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=62762 DF PROTO=ICMP TYPE=8 CODE=0 ID=5541 SEQ=18 MARK=1a0000

CrowdSec•9mo ago•

3 replies

PintjesBier

Unifi s01 parser

pattern_syntax:
  ACTION: '(A|D|R)'
  ZONE: '(LAN|WAN|LOCAL|VPN|DMZ)'
nodes:
  - grok:
      pattern: '^\[%{ZONE:src_zone}_%{ZONE:dst_zone}-%{ACTION:action}-%{INT:rule_id}\] DESCR="%{DATA:fw_descr}" IN=%{DATA:skip1} SRC=%{IP:source_ip} DST=%{IP:dst_ip} LEN=%{DATA:skip2} PROTO=%{WORD:proto} SPT=%{INT:src_port} DPT=%{INT:dst_port} %{GREEDYDATA:unparsed_remainder}'
      apply_on: message

pattern_syntax:
  ACTION: '(A|D|R)'
  ZONE: '(LAN|WAN|LOCAL|VPN|DMZ)'
nodes:
  - grok:
      pattern: '^\[%{ZONE:src_zone}_%{ZONE:dst_zone}-%{ACTION:action}-%{INT:rule_id}\] DESCR="%{DATA:fw_descr}" IN=%{DATA:skip1} SRC=%{IP:source_ip} DST=%{IP:dst_ip} LEN=%{DATA:skip2} PROTO=%{WORD:proto} SPT=%{INT:src_port} DPT=%{INT:dst_port} %{GREEDYDATA:unparsed_remainder}'
      apply_on: message

log lines:

Jun 13 23:29:15 UDMP-DTC [WAN_LOCAL-D-2147483647] DESCR="[WAN_LOCAL]Block All Traffic" IN=eth8 OUT= MAC=74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00 SRC=119.93.140.247 DST=1.1.1.1 LEN=122 TOS=00 PREC=0x00 TTL=49 ID=45366 DF PROTO=UDP SPT=38451 DPT=54329 LEN=102 MARK=1a0000
Jun 14 00:07:58 UDMP-DTC [LAN_WAN-R-10001] DESCR="block-test" IN=br202 OUT=eth8 MAC=74:ac:b9:1c:62:e6:bc:24:11:e9:c6:69:08:00 SRC=192.168.202.12 DST=1.1.1.1 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=62762 DF PROTO=ICMP TYPE=8 CODE=0 ID=5541 SEQ=18 MARK=1a0000

Jun 13 23:29:15 UDMP-DTC [WAN_LOCAL-D-2147483647] DESCR="[WAN_LOCAL]Block All Traffic" IN=eth8 OUT= MAC=74:ac:b9:1c:62:e5:00:17:10:2b:31:a9:08:00 SRC=119.93.140.247 DST=1.1.1.1 LEN=122 TOS=00 PREC=0x00 TTL=49 ID=45366 DF PROTO=UDP SPT=38451 DPT=54329 LEN=102 MARK=1a0000
Jun 14 00:07:58 UDMP-DTC [LAN_WAN-R-10001] DESCR="block-test" IN=br202 OUT=eth8 MAC=74:ac:b9:1c:62:e6:bc:24:11:e9:c6:69:08:00 SRC=192.168.202.12 DST=1.1.1.1 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=62762 DF PROTO=ICMP TYPE=8 CODE=0 ID=5541 SEQ=18 MARK=1a0000

Unifi s01 parser

Similar Threads

Unifi s01 parser

Similar Threads

Similar Threads

Similar Threads