metron-platform/metron-parsing/metron-parsers/src/test/java/org/apache/metron/parsers/asa/BasicAsaParserTest.java

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.metron.parsers.asa;

import org.apache.log4j.Level;
import org.apache.metron.parsers.interfaces.MessageParser;
import org.apache.metron.test.utils.UnitTestHelper;
import org.json.simple.JSONObject;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.HashMap;
import java.util.Map;

import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.junit.jupiter.api.Assertions.*;

public class BasicAsaParserTest {

    private static BasicAsaParser asaParser;
    private Map<String, Object> parserConfig;

    @BeforeEach
    public void setUp() throws Exception {
        parserConfig = new HashMap<>();
        asaParser = new BasicAsaParser();
        asaParser.configure(parserConfig);
        asaParser.init();
    }

    @Test
    public void testConfigureDefault() {
        BasicAsaParser testParser = new BasicAsaParser();
        testParser.configure(parserConfig);
        testParser.init();
        assertEquals(testParser.deviceClock.getZone(), ZoneOffset.UTC);
    }

    @Test
    public void testConfigureTimeZoneOffset() {
        parserConfig.put("deviceTimeZone", "UTC-05:00");
        BasicAsaParser testParser = new BasicAsaParser();
        testParser.configure(parserConfig);
        testParser.init();
        ZonedDateTime deviceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), testParser.deviceClock.getZone());
        ZonedDateTime referenceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), ZoneOffset.ofHours(-5));
        assertTrue(deviceTime.isEqual(referenceTime));
    }

    @Test
    public void testConfigureTimeZoneText() {
        parserConfig.put("deviceTimeZone", "America/New_York");
        BasicAsaParser testParser = new BasicAsaParser();
        testParser.configure(parserConfig);
        testParser.init();
        ZonedDateTime deviceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), testParser.deviceClock.getZone());
        ZonedDateTime referenceTime = ZonedDateTime.ofInstant(Instant.ofEpochSecond(1475323200), ZoneOffset.ofHours(-5));
        assertTrue(deviceTime.isEqual(referenceTime));
    }

    @Test
    public void testCISCOFW106023() {
        String rawMessage = "<164>Aug 05 2016 01:01:34: %ASA-4-106023: Deny tcp src Inside:10.30.9.121/54580 dst Outside:192.168.135.51/42028 by access-group \"Inside_access_in\" [0x962df600, 0x0]";
        JSONObject asaJson = asaParser.parse(rawMessage.getBytes(StandardCharsets.UTF_8)).get(0);
        assertEquals(asaJson.get("original_string"), rawMessage);
        assertEquals("10.30.9.121", asaJson.get("ip_src_addr"));
        assertEquals("192.168.135.51", asaJson.get("ip_dst_addr"));
        assertEquals(54580, asaJson.get("ip_src_port"));
        assertEquals(42028, asaJson.get("ip_dst_port"));
        assertEquals(1470358894000L, (long) asaJson.get("timestamp"));
    }

    @Test
    public void testCISCOFW106006() {
        String rawMessage = "<162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside";
        JSONObject asaJson = asaParser.parse(rawMessage.getBytes(StandardCharsets.UTF_8)).get(0);
        assertEquals(asaJson.get("original_string"), rawMessage);
        assertEquals("10.25.177.164", asaJson.get("ip_src_addr"));
        assertEquals("10.2.52.71", asaJson.get("ip_dst_addr"));
        assertEquals(63279, asaJson.get("ip_src_port"));
        assertEquals(161, asaJson.get("ip_dst_port"));
        assertEquals(1470358945000L, (long) asaJson.get("timestamp"));
    }

    @Test
    public void testShortTimestamp() {
        String rawMessage = "<174>Jan  5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name)";

        ZonedDateTime fixedInstant =
                ZonedDateTime.of(2016, 1, 6, 1, 30, 30, 0, ZoneOffset.UTC);
        Clock fixedClock = Clock.fixed(fixedInstant.toInstant(), fixedInstant.getZone());

        BasicAsaParser fixedClockParser = new BasicAsaParser();
        fixedClockParser.deviceClock = fixedClock;
        fixedClockParser.init();

        JSONObject asaJson = fixedClockParser.parse(rawMessage.getBytes(StandardCharsets.UTF_8)).get(0);
        assertEquals(asaJson.get("original_string"), rawMessage);
        assertEquals("10.22.8.110", asaJson.get("ip_src_addr"));
        assertEquals("192.111.72.8", asaJson.get("ip_dst_addr"));
        assertEquals(49886, asaJson.get("ip_src_port"));
        assertEquals(8612, asaJson.get("ip_dst_port"));
        assertEquals(1452005555000L, (long) asaJson.get("timestamp"));
    }

    @Test
    public void testNoPatternForTag() {
        String rawMessage = "<165>Aug 16 2016 04:08:36: %ASA-5-713049: Group = 172.22.136.20, IP = 172.22.136.20, Security negotiation complete for LAN-to-LAN Group (172.22.136.20)  Initiator, Inbound SPI = 0x891fb03f, Outbound SPI = 0xbe4b5d8d";
        JSONObject asaJson = asaParser.parse(rawMessage.getBytes(StandardCharsets.UTF_8)).get(0);
        assertEquals(asaJson.get("original_string"), rawMessage);
        assertEquals(1471320516000L, (long) asaJson.get("timestamp"));
    }

    @Test
    public void testInvalidIpAddr() {
        String rawMessage = "<164>Aug 05 2016 01:01:34: %ASA-4-106023: Deny tcp src Inside:10.30.9.121/54580 dst Outside:192.168.256.51/42028 by access-group \"Inside_access_in\" [0x962df600, 0x0]";
        JSONObject asaJson = asaParser.parse(rawMessage.getBytes(StandardCharsets.UTF_8)).get(0);
        assertEquals(asaJson.get("original_string"), rawMessage);
        assertEquals(1470358894000L, (long) asaJson.get("timestamp"));
        assertNull(asaJson.get("ip_dst_addr"));
    }

    @Test
    public void testIp6Addr() {
        String rawMessage = "<174>Jan 05 2016 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:2001:db8:85a3::8a2e:370:7334/49886 (10.22.8.110/49886) to inside:2001:0db8:85a3:0000:0000:8a2e:0370:7334/8612 (192.111.72.8/8612) (user.name)";
        JSONObject asaJson = asaParser.parse(rawMessage.getBytes(StandardCharsets.UTF_8)).get(0);
        assertEquals(rawMessage, asaJson.get("original_string"));
        assertEquals("2001:db8:85a3::8a2e:370:7334", asaJson.get("ip_src_addr"));
        assertEquals("2001:0db8:85a3:0000:0000:8a2e:0370:7334", asaJson.get("ip_dst_addr"));
        assertEquals(49886, asaJson.get("ip_src_port"));
        assertEquals(8612, asaJson.get("ip_dst_port"));
        assertEquals(1452005555000L, asaJson.get("timestamp"));
    }

    @Test
    public void testSyslogIpHost() {
    	String rawMessage = "<174>Jan  5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name)";
    	JSONObject asaJson = asaParser.parse(rawMessage.getBytes(StandardCharsets.UTF_8)).get(0);
        assertEquals("10.22.8.212", asaJson.get("syslog_host"));
    }

    @Test
    public void testSyslogHost() {
    	String rawMessage = "<174>Jan  5 14:52:35 hostname-2 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name)";
    	JSONObject asaJson = asaParser.parse(rawMessage.getBytes(StandardCharsets.UTF_8)).get(0);
        assertEquals("hostname-2", asaJson.get("syslog_host"));
    }

    @Test
    public void testSyslogHostAndProg() {
    	String rawMessage = "<174>Jan  5 14:52:35 hostname-2 progName-2 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name)";
    	JSONObject asaJson = asaParser.parse(rawMessage.getBytes(StandardCharsets.UTF_8)).get(0);
    	assertEquals("hostname-2", asaJson.get("syslog_host"));
    	assertEquals("progName-2", asaJson.get("syslog_prog"));
    }

    @Test
    public void testUnexpectedMessage() {
        String rawMessage = "-- MARK --";
        UnitTestHelper.setLog4jLevel(BasicAsaParser.class, Level.FATAL);
        RuntimeException e = assertThrows(RuntimeException.class,
                () -> asaParser.parse(rawMessage.getBytes(StandardCharsets.UTF_8)).get(0));
        assertTrue(e.getMessage().startsWith("[Metron] Message '-- MARK --'"));
        UnitTestHelper.setLog4jLevel(BasicAsaParser.class, Level.ERROR);
    }

    @Test
    public void getsReadCharsetFromConfig() {
      parserConfig.put(MessageParser.READ_CHARSET, StandardCharsets.UTF_16.toString());
      asaParser.configure(parserConfig);
      assertThat(asaParser.getReadCharset(), equalTo(StandardCharsets.UTF_16));
    }

    @Test
    public void getsReadCharsetFromDefault() {
      asaParser.configure(parserConfig);
      assertThat(asaParser.getReadCharset(), equalTo(StandardCharsets.UTF_8));
    }
}