| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.metron.parsing.parsers; |
| |
| import oi.thekraken.grok.api.Grok; |
| import oi.thekraken.grok.api.Match; |
| import oi.thekraken.grok.api.exception.GrokException; |
| import org.apache.commons.io.IOUtils; |
| import org.json.simple.JSONObject; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| import java.io.File; |
| import java.io.FileOutputStream; |
| import java.io.IOException; |
| import java.io.InputStream; |
| import java.text.ParseException; |
| import java.text.SimpleDateFormat; |
| import java.util.ArrayList; |
| import java.util.Date; |
| import java.util.List; |
| import java.util.Map; |
| |
| public class BasicYafParser extends BasicParser { |
| |
| |
| /** |
| * The default field names for Snort Alerts. |
| */ |
| private String[] fieldNames = new String[] { |
| "start-time", |
| "end-time", |
| "duration", |
| "rtt", |
| "proto", |
| "sip", |
| "sp", |
| "dip", |
| "dp", |
| "iflags", |
| "uflags", |
| "riflags", |
| "ruflags", |
| "isn", |
| "risn", |
| "tag", |
| "rtag", |
| "pkt", |
| "oct", |
| "rpkt", |
| "roct", |
| "app", |
| "end-reason" |
| }; |
| |
| private String recordDelimiter = "\\|"; |
| |
| private transient Grok grok; |
| private transient InputStream pattern_url; |
| |
| public static final String PREFIX = "stream2file"; |
| public static final String SUFFIX = ".tmp"; |
| |
| public static File stream2file(InputStream in) throws IOException { |
| final File tempFile = File.createTempFile(PREFIX, SUFFIX); |
| tempFile.deleteOnExit(); |
| try (FileOutputStream out = new FileOutputStream(tempFile)) { |
| IOUtils.copy(in, out); |
| } |
| return tempFile; |
| } |
| |
| protected static final Logger _LOG = LoggerFactory |
| .getLogger(BasicBroParser.class); |
| private JSONCleaner cleaner = new JSONCleaner(); |
| |
| @Override |
| public void init() { |
| // pattern_url = Resources.getResource("patterns/asa"); |
| |
| pattern_url = getClass().getClassLoader().getResourceAsStream( |
| "patterns/yaf"); |
| |
| File file = null; |
| try { |
| file = stream2file(pattern_url); |
| } catch (IOException e) { |
| // TODO Auto-generated catch block |
| e.printStackTrace(); |
| } |
| try { |
| grok = Grok.create(file.getPath()); |
| } catch (GrokException e) { |
| // TODO Auto-generated catch block |
| e.printStackTrace(); |
| } |
| |
| try { |
| grok.compile("%{YAF_DELIMITED}"); |
| } catch (GrokException e) { |
| // TODO Auto-generated catch block |
| e.printStackTrace(); |
| } |
| } |
| |
| @SuppressWarnings("unchecked") |
| public List<JSONObject> parse(byte[] msg) { |
| //return parseManual(msg); |
| return parseWithGrok(msg); |
| } |
| |
| private List<JSONObject> parseWithGrok(byte[] msg) { |
| _LOG.trace("[Metron] Starting to parse incoming message with grok"); |
| JSONObject jsonMessage = new JSONObject(); |
| List<JSONObject> messages = new ArrayList<>(); |
| try { |
| String rawMessage = new String(msg, "UTF-8"); |
| |
| Match gm = grok.match(rawMessage); |
| gm.captures(); |
| Map grokMap = gm.toMap(); |
| jsonMessage.putAll(gm.toMap()); |
| |
| jsonMessage.put("original_string", rawMessage); |
| String startTime = (String) grokMap.get("start_time"); |
| long timestamp = 0L; |
| if (startTime != null) { |
| timestamp = toEpoch(startTime); |
| jsonMessage.put("timestamp", timestamp); |
| } else { |
| jsonMessage.put("timestamp", "0"); |
| } |
| String endTime = (String) grokMap.get("end_time"); |
| if (endTime != null) { |
| jsonMessage.put("end_time", toEpoch(endTime)); |
| } else { |
| jsonMessage.put("end_time", "0"); |
| } |
| jsonMessage.remove("YAF_DELIMITED"); |
| jsonMessage.remove("start_time"); |
| messages.add(jsonMessage); |
| } catch (Exception e) { |
| e.printStackTrace(); |
| return null; |
| } |
| return messages; |
| } |
| |
| private JSONObject parseManual(byte[] msg) { |
| _LOG.trace("[Metron] Starting to parse incoming message"); |
| |
| JSONObject jsonMessage = new JSONObject(); |
| try { |
| String rawMessage = new String(msg, "UTF-8"); |
| String[] records = rawMessage.split(recordDelimiter, -1); |
| |
| // validate the number of fields |
| if (records.length != fieldNames.length) { |
| throw new IllegalArgumentException("Unexpected number of fields, expected: " + fieldNames.length + " got: " + records.length); |
| } |
| |
| // build the json record from each field |
| for (int i=0; i<records.length; i++) { |
| |
| String field = fieldNames[i]; |
| String record = records[i].trim(); |
| |
| if("start-time".equals(field) || "end-time".equals(field)) { |
| // convert the timestamp to epoch |
| String timeFieldName = "start-time".equals(field) ? "timestamp" : field; |
| jsonMessage.put(timeFieldName, toEpoch(record)); |
| } else { |
| jsonMessage.put(field, record); |
| } |
| } |
| |
| jsonMessage.put("original_string", rawMessage); |
| |
| } catch (Exception e) { |
| |
| _LOG.error("Unable to Parse Message: " + msg); |
| e.printStackTrace(); |
| return null; |
| } |
| |
| return jsonMessage; |
| } |
| |
| private long toEpoch(String datetime) throws ParseException { |
| SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.S z"); |
| Date date = sdf.parse(datetime + " UTC"); |
| return date.getTime(); |
| } |
| } |