From 2add7cbe4331a19514a04d715762992093a7a5ef Mon Sep 17 00:00:00 2001 
From: StefanSa Date: Fri, 17 Jul 2020 12:42:13 +0200 Subject: [PATCH 01/14] junipersrx-module initial release --- filebeat/docs/fields.asciidoc | 1201 ++++++++++ filebeat/docs/modules/junipersrx.asciidoc | 141 ++ filebeat/docs/modules_list.asciidoc | 2 + filebeat/filebeat.reference.yml | 15 + filebeat/include/list.go | 1 + filebeat/module/junipersrx/_meta/config.yml | 13 + .../module/junipersrx/_meta/docs.asciidoc | 128 ++ filebeat/module/junipersrx/_meta/fields.yml | 9 + filebeat/module/junipersrx/fields.go | 36 + .../junipersrx/firewall/_meta/fields.yml | 597 +++++ .../junipersrx/firewall/config/firewall.yml | 31 + .../module/junipersrx/firewall/ingest/atp.yml | 349 +++ .../junipersrx/firewall/ingest/flow.yml | 380 ++++ .../module/junipersrx/firewall/ingest/idp.yml | 287 +++ .../module/junipersrx/firewall/ingest/ids.yml | 363 +++ .../junipersrx/firewall/ingest/pipeline.yml | 226 ++ .../junipersrx/firewall/ingest/secintel.yml | 349 +++ .../module/junipersrx/firewall/ingest/utm.yml | 388 ++++ .../module/junipersrx/firewall/manifest.yml | 26 + .../module/junipersrx/firewall/test/atp.log | 4 + .../firewall/test/atp.log-expected.json | 208 ++ .../module/junipersrx/firewall/test/flow.log | 25 + .../firewall/test/flow.log-expected.json | 1956 +++++++++++++++++ .../module/junipersrx/firewall/test/idp.log | 7 + .../firewall/test/idp.log-expected.json | 487 ++++ .../module/junipersrx/firewall/test/ids.log | 12 + .../firewall/test/ids.log-expected.json | 627 ++++++ .../junipersrx/firewall/test/secintel.log | 2 + .../firewall/test/secintel.log-expected.json | 125 ++ .../module/junipersrx/firewall/test/utm.log | 12 + .../firewall/test/utm.log-expected.json | 609 +++++ filebeat/module/junipersrx/module.yml | 1 + filebeat/modules.d/junipersrx.yml.disabled | 16 + x-pack/filebeat/filebeat.reference.yml | 15 + 34 files changed, 8648 insertions(+) create mode 100644 filebeat/docs/modules/junipersrx.asciidoc create mode 100644 filebeat/module/junipersrx/_meta/config.yml create mode 
100644 filebeat/module/junipersrx/_meta/docs.asciidoc create mode 100644 filebeat/module/junipersrx/_meta/fields.yml create mode 100644 filebeat/module/junipersrx/fields.go create mode 100644 filebeat/module/junipersrx/firewall/_meta/fields.yml create mode 100644 filebeat/module/junipersrx/firewall/config/firewall.yml create mode 100644 filebeat/module/junipersrx/firewall/ingest/atp.yml create mode 100644 filebeat/module/junipersrx/firewall/ingest/flow.yml create mode 100644 filebeat/module/junipersrx/firewall/ingest/idp.yml create mode 100644 filebeat/module/junipersrx/firewall/ingest/ids.yml create mode 100644 filebeat/module/junipersrx/firewall/ingest/pipeline.yml create mode 100644 filebeat/module/junipersrx/firewall/ingest/secintel.yml create mode 100644 filebeat/module/junipersrx/firewall/ingest/utm.yml create mode 100644 filebeat/module/junipersrx/firewall/manifest.yml create mode 100644 filebeat/module/junipersrx/firewall/test/atp.log create mode 100644 filebeat/module/junipersrx/firewall/test/atp.log-expected.json create mode 100644 filebeat/module/junipersrx/firewall/test/flow.log create mode 100644 filebeat/module/junipersrx/firewall/test/flow.log-expected.json create mode 100644 filebeat/module/junipersrx/firewall/test/idp.log create mode 100644 filebeat/module/junipersrx/firewall/test/idp.log-expected.json create mode 100644 filebeat/module/junipersrx/firewall/test/ids.log create mode 100644 filebeat/module/junipersrx/firewall/test/ids.log-expected.json create mode 100644 filebeat/module/junipersrx/firewall/test/secintel.log create mode 100644 filebeat/module/junipersrx/firewall/test/secintel.log-expected.json create mode 100644 filebeat/module/junipersrx/firewall/test/utm.log create mode 100644 filebeat/module/junipersrx/firewall/test/utm.log-expected.json create mode 100644 filebeat/module/junipersrx/module.yml create mode 100644 filebeat/modules.d/junipersrx.yml.disabled 
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b66c11633671..d8a9851ffeae 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -49,6 +49,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> 
@@ -88076,6 +88077,1206 @@ type: keyword -- This key captures values or decorators used within a registry entry +type: keyword + +-- + +[[exported-fields-junipersrx]] +== junipersrx fields + +junipersrx Module + + + +[float] +=== junipersrx + + + + +[float] +=== firewall + +Module for parsing junipersrx syslog. + + + +*`junipersrx.firewall.reason`*:: ++ +-- +reason + + +type: keyword + +-- + +*`junipersrx.firewall.source-address`*:: ++ +-- +source address + + +type: ip + +-- + +*`junipersrx.firewall.source-port`*:: ++ +-- +source port + + +type: integer + +-- + +*`junipersrx.firewall.destination-address`*:: ++ +-- +destination address + + +type: ip + +-- + +*`junipersrx.firewall.destination-port`*:: ++ +-- +destination port + + +type: integer + +-- + +*`junipersrx.firewall.connection-tag`*:: ++ +-- +connection tag + + +type: keyword + +-- + +*`junipersrx.firewall.service-name`*:: ++ +-- +service name + + +type: keyword + +-- + +*`junipersrx.firewall.nat-source-address`*:: ++ +-- +nat source address + + +type: ip + +-- + +*`junipersrx.firewall.nat-source-port`*:: ++ +-- +nat source port + + +type: integer + +-- + +*`junipersrx.firewall.nat-destination-address`*:: ++ +-- +nat destination address + + +type: ip + +-- + +*`junipersrx.firewall.nat-destination-port`*:: ++ +-- +nat destination port + + +type: integer + +-- + +*`junipersrx.firewall.nat-connection-tag`*:: ++ +-- +nat connection tag + + +type: keyword + +-- + +*`junipersrx.firewall.src-nat-rule-type`*:: ++ +-- +src nat rule type + + +type: keyword + +-- + +*`junipersrx.firewall.src-nat-rule-name`*:: ++ +-- +src nat rule name + + +type: keyword + +-- + +*`junipersrx.firewall.dst-nat-rule-type`*:: ++ +-- +dst nat rule type + + +type: keyword + +-- + +*`junipersrx.firewall.dst-nat-rule-name`*:: ++ +-- +dst nat rule name + + +type: keyword + +-- + +*`junipersrx.firewall.protocol-id`*:: ++ +-- +protocol id + + +type: keyword + +-- + +*`junipersrx.firewall.policy-name`*:: ++ +-- +policy name + + +type: keyword + 
+-- + +*`junipersrx.firewall.source-zone-name`*:: ++ +-- +source zone name + + +type: keyword + +-- + +*`junipersrx.firewall.source-zone`*:: ++ +-- +source zone + + +type: keyword + +-- + +*`junipersrx.firewall.destination-zone-name`*:: ++ +-- +destination zone name + + +type: keyword + +-- + +*`junipersrx.firewall.destination-zone`*:: ++ +-- +destination zone + + +type: keyword + +-- + +*`junipersrx.firewall.session-id-32`*:: ++ +-- +session id 32 + + +type: keyword + +-- + +*`junipersrx.firewall.session-id`*:: ++ +-- +session id + + +type: keyword + +-- + +*`junipersrx.firewall.packets-from-client`*:: ++ +-- +packets from client + + +type: integer + +-- + +*`junipersrx.firewall.outbound-packets`*:: ++ +-- +packets from client + + +type: integer + +-- + +*`junipersrx.firewall.bytes-from-client`*:: ++ +-- +bytes from client + + +type: integer + +-- + +*`junipersrx.firewall.outbound-bytes`*:: ++ +-- +bytes from client + + +type: integer + +-- + +*`junipersrx.firewall.packets-from-server`*:: ++ +-- +packets from server + + +type: integer + +-- + +*`junipersrx.firewall.inbound-packets`*:: ++ +-- +packets from server + + +type: integer + +-- + +*`junipersrx.firewall.bytes-from-server`*:: ++ +-- +bytes from server + + +type: integer + +-- + +*`junipersrx.firewall.inbound-bytes`*:: ++ +-- +bytes from server + + +type: integer + +-- + +*`junipersrx.firewall.elapsed-time`*:: ++ +-- +elapsed time + + +type: date + +-- + +*`junipersrx.firewall.application`*:: ++ +-- +application + + +type: keyword + +-- + +*`junipersrx.firewall.nested-application`*:: ++ +-- +nested application + + +type: keyword + +-- + +*`junipersrx.firewall.username`*:: ++ +-- +username + + +type: keyword + +-- + +*`junipersrx.firewall.roles`*:: ++ +-- +roles + + +type: keyword + +-- + +*`junipersrx.firewall.packet-incoming-interface`*:: ++ +-- +packet incoming interface + + +type: keyword + +-- + +*`junipersrx.firewall.encrypted`*:: ++ +-- +encrypted + + +type: keyword + +-- + 
+*`junipersrx.firewall.application-category`*:: ++ +-- +application category + + +type: keyword + +-- + +*`junipersrx.firewall.application-sub-category`*:: ++ +-- +application sub category + + +type: keyword + +-- + +*`junipersrx.firewall.application-risk`*:: ++ +-- +application risk + + +type: integer + +-- + +*`junipersrx.firewall.urlcategory-risk`*:: ++ +-- +urlcategory risk + + +type: integer + +-- + +*`junipersrx.firewall.application-characteristics`*:: ++ +-- +application characteristics + + +type: keyword + +-- + +*`junipersrx.firewall.secure-web-proxy-session-type`*:: ++ +-- +secure web proxy session type + + +type: keyword + +-- + +*`junipersrx.firewall.peer-session-id`*:: ++ +-- +peer session id + + +type: keyword + +-- + +*`junipersrx.firewall.peer-source-address`*:: ++ +-- +peer source address + + +type: ip + +-- + +*`junipersrx.firewall.peer-source-port`*:: ++ +-- +peer source port + + +type: integer + +-- + +*`junipersrx.firewall.peer-destination-address`*:: ++ +-- +peer destination address + + +type: ip + +-- + +*`junipersrx.firewall.peer-destination-port`*:: ++ +-- +peer destination port + + +type: integer + +-- + +*`junipersrx.firewall.hostname`*:: ++ +-- +hostname + + +type: keyword + +-- + +*`junipersrx.firewall.src-vrf-grp`*:: ++ +-- +src-vrf-grp + + +type: keyword + +-- + +*`junipersrx.firewall.dst-vrf-grp`*:: ++ +-- +dst-vrf-grp + + +type: keyword + +-- + +*`junipersrx.firewall.icmp-type`*:: ++ +-- +icmp type + + +type: integer + +-- + +*`junipersrx.firewall.process`*:: ++ +-- +process that generated the message + + +type: keyword + +-- + +*`junipersrx.firewall.apbr-rule-type`*:: ++ +-- +apbr rule type + + +type: keyword + +-- + +*`junipersrx.firewall.dscp-value`*:: ++ +-- +apbr rule type + + +type: integer + +-- + +*`junipersrx.firewall.logical-system-name`*:: ++ +-- +logical system name + + +type: keyword + +-- + +*`junipersrx.firewall.destination-interface-name`*:: ++ +-- +destination interface name + + +type: keyword + +-- + 
+*`junipersrx.firewall.profile-name`*:: ++ +-- +profile name + + +type: keyword + +-- + +*`junipersrx.firewall.routing-instance`*:: ++ +-- +routing instance + + +type: keyword + +-- + +*`junipersrx.firewall.rule-name`*:: ++ +-- +rule name + + +type: keyword + +-- + +*`junipersrx.firewall.uplink-tx-bytes`*:: ++ +-- +uplink tx bytes + + +type: integer + +-- + +*`junipersrx.firewall.uplink-rx-bytes`*:: ++ +-- +uplink rx bytes + + +type: integer + +-- + +*`junipersrx.firewall.obj`*:: ++ +-- +url path + + +type: keyword + +-- + +*`junipersrx.firewall.url`*:: ++ +-- +url domain + + +type: keyword + +-- + +*`junipersrx.firewall.profile`*:: ++ +-- +filter profile + + +type: keyword + +-- + +*`junipersrx.firewall.category`*:: ++ +-- +filter category + + +type: keyword + +-- + +*`junipersrx.firewall.filename`*:: ++ +-- +filename + + +type: keyword + +-- + +*`junipersrx.firewall.temporary-filename`*:: ++ +-- +temporary-filename + + +type: keyword + +-- + +*`junipersrx.firewall.name`*:: ++ +-- +name + + +type: keyword + +-- + +*`junipersrx.firewall.error-message`*:: ++ +-- +error-message + + +type: keyword + +-- + +*`junipersrx.firewall.error-code`*:: ++ +-- +error-code + + +type: keyword + +-- + +*`junipersrx.firewall.action`*:: ++ +-- +action + + +type: keyword + +-- + +*`junipersrx.firewall.protocol`*:: ++ +-- +protocol + + +type: keyword + +-- + +*`junipersrx.firewall.protocol-name`*:: ++ +-- +protocol name + + +type: keyword + +-- + +*`junipersrx.firewall.type`*:: ++ +-- +type + + +type: keyword + +-- + +*`junipersrx.firewall.repeat-count`*:: ++ +-- +repeat count + + +type: integer + +-- + +*`junipersrx.firewall.alert`*:: ++ +-- +repeat alert + + +type: keyword + +-- + +*`junipersrx.firewall.message-type`*:: ++ +-- +message type + + +type: keyword + +-- + +*`junipersrx.firewall.threat-severity`*:: ++ +-- +threat severity + + +type: keyword + +-- + +*`junipersrx.firewall.application-name`*:: ++ +-- +application name + + +type: keyword + +-- + 
+*`junipersrx.firewall.attack-name`*:: ++ +-- +attack name + + +type: keyword + +-- + +*`junipersrx.firewall.index`*:: ++ +-- +index + + +type: keyword + +-- + +*`junipersrx.firewall.message`*:: ++ +-- +mesagge + + +type: keyword + +-- + +*`junipersrx.firewall.epoch-time`*:: ++ +-- +epoch time + + +type: date + +-- + +*`junipersrx.firewall.packet-log-id`*:: ++ +-- +packet log id + + +type: integer + +-- + +*`junipersrx.firewall.export-id`*:: ++ +-- +packet log id + + +type: integer + +-- + +*`junipersrx.firewall.ddos-application-name`*:: ++ +-- +ddos application name + + +type: keyword + +-- + +*`junipersrx.firewall.connection-hit-rate`*:: ++ +-- +connection hit rate + + +type: integer + +-- + +*`junipersrx.firewall.time-scope`*:: ++ +-- +time scope + + +type: keyword + +-- + +*`junipersrx.firewall.context-hit-rate`*:: ++ +-- +context hit rate + + +type: integer + +-- + +*`junipersrx.firewall.context-value-hit-rate`*:: ++ +-- +context value hit rate + + +type: integer + +-- + +*`junipersrx.firewall.time-count`*:: ++ +-- +time count + + +type: integer + +-- + +*`junipersrx.firewall.time-period`*:: ++ +-- +time period + + +type: integer + +-- + +*`junipersrx.firewall.context-value`*:: ++ +-- +context value + + +type: keyword + +-- + +*`junipersrx.firewall.context-name`*:: ++ +-- +context name + + +type: keyword + +-- + +*`junipersrx.firewall.ruleebase-name`*:: ++ +-- +ruleebase name + + +type: keyword + +-- + +*`junipersrx.firewall.interface-name`*:: ++ +-- +interface name + + +type: keyword + +-- + +*`junipersrx.firewall.verdict-source`*:: ++ +-- +verdict source + + +type: keyword + +-- + +*`junipersrx.firewall.verdict-number`*:: ++ +-- +verdict number + + +type: integer + +-- + +*`junipersrx.firewall.http-host`*:: ++ +-- +http host + + +type: keyword + +-- + +*`junipersrx.firewall.file-category`*:: ++ +-- +file category + + +type: keyword + +-- + +*`junipersrx.firewall.sample-sha256`*:: ++ +-- +sample sha256 + + +type: keyword + +-- + 
+*`junipersrx.firewall.malware-info`*:: ++ +-- +malware info + + +type: keyword + +-- + +*`junipersrx.firewall.client-ip`*:: ++ +-- +client ip + + +type: ip + +-- + +*`junipersrx.firewall.tenant-id`*:: ++ +-- +tenant id + + +type: keyword + +-- + +*`junipersrx.firewall.timestamp`*:: ++ +-- +timestamp + + +type: date + +-- + +*`junipersrx.firewall.th`*:: ++ +-- +th + + +type: keyword + +-- + +*`junipersrx.firewall.status`*:: ++ +-- +status + + +type: keyword + +-- + +*`junipersrx.firewall.state`*:: ++ +-- +state + + +type: keyword + +-- + +*`junipersrx.firewall.file-hash-lookup`*:: ++ +-- +file hash lookup + + +type: keyword + +-- + +*`junipersrx.firewall.file-name`*:: ++ +-- +file name + + +type: keyword + +-- + +*`junipersrx.firewall.action-detail`*:: ++ +-- +action detail + + +type: keyword + +-- + +*`junipersrx.firewall.sub-category`*:: ++ +-- +sub category + + +type: keyword + +-- + +*`junipersrx.firewall.feed-name`*:: ++ +-- +feed name + + +type: keyword + +-- + +*`junipersrx.firewall.occur-count`*:: ++ +-- +occur count + + +type: integer + +-- + +*`junipersrx.firewall.tag`*:: ++ +-- +system log message tag, which uniquely identifies the message. + + type: keyword -- diff --git a/filebeat/docs/modules/junipersrx.asciidoc b/filebeat/docs/modules/junipersrx.asciidoc new file mode 100644 index 000000000000..767e9bf1c816 --- /dev/null +++ b/filebeat/docs/modules/junipersrx.asciidoc 
@@ -0,0 +1,141 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-junipersrx]] +[role="xpack"] + +:modulename: junipersrx +:has-dashboards: false + +== Juniper-SRX module + +This is a module for Juniper-SRX OS logs sent in the syslog format. + +The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html[JunOS Documentation structured-data] + +To configure a remote syslog destination, please reference the https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502[SRX Getting Started - Configure System Logging]. + +The following processes and tags are supported: + +[options="header"] +|============================================================== +| JunOS processes | JunOS tags | +| RT_FLOW | RT_FLOW_SESSION_CREATE | +| | RT_FLOW_SESSION_CLOSE | +| | RT_FLOW_SESSION_DENY | +| | APPTRACK_SESSION_CREATE | +| | APPTRACK_SESSION_CLOSE | +| | APPTRACK_SESSION_VOL_UPDATE | +| RT_IDS | RT_SCREEN_TCP | +| | RT_SCREEN_UDP | +| | RT_SCREEN_ICMP | +| | RT_SCREEN_IP | +| | RT_SCREEN_TCP_DST_IP | +| | RT_SCREEN_TCP_SRC_IP | +| RT_UTM | WEBFILTER_URL_PERMITTED | +| | WEBFILTER_URL_BLOCKED | +| | AV_VIRUS_DETECTED_MT | +| | CONTENT_FILTERING_BLOCKED_MT | +| | ANTISPAM_SPAM_DETECTED_MT | +| RT_IDP | IDP_ATTACK_LOG_EVENT | +| | IDP_APPDDOS_APP_STATE_EVENT | +| RT_AAMW | SRX_AAMW_ACTION_LOG | +| | AAMW_MALWARE_EVENT_LOG | +| | AAMW_HOST_INFECTED_EVENT_LOG | +| | AAMW_ACTION_LOG | +| RT_SECINTEL | SECINTEL_ACTION_LOG | +|============================================================== + + + +The syslog format choosen should be `Default`. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +This module has been tested against JunOS version 19.x and 20.x. +Versions above this are expected to work but have not been tested. 
+ +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: firewall + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `firewall` fileset settings + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9006 +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9006. + + +[float] +==== JunOS ECS fields + +This is a list of JunOS fields that are mapped to ECS. + +[options="header"] +|============================================================== +| JunOS Fields | ECS Fields | +| application-risk | event.risk_score | +| bytes-from-client | source.bytes | +| bytes-from-server | destination.bytes | +| destination-interface-name | observer.egress.interface.name | +| destination-zone-name | observer.egress.zone | +| destination-address | destination.ip | +| destination-port | destination.port | +| dst_domainname | url.domain | +| elapsed-time | event.duration | +| filename | file.name | +| nat-destination-address | destination.nat.ip | +| nat-destination-port | destination.nat.port | +| nat-source-address | source.nat.ip | +| nat-source-port | source.nat.port | +| message | message | +| obj | url.path | +| packets-from-client | source.packets | +| packets-from-server | destination.packets | +| policy-name | rule.name | +| protocol | network.transport | +| source-address | source.ip | +| source-interface-name | observer.ingress.interface.name| +| source-port | source.port | +| source-zone-name | observer.ingress.zone | +| url | url.domain | +|============================================================== + + +:modulename!: + + +[float] +=== Fields + +For a 
description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index cd466617a94c..68811e1db05e 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -32,6 +32,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -100,6 +101,7 @@ include::modules/imperva.asciidoc[] include::modules/infoblox.asciidoc[] include::modules/iptables.asciidoc[] include::modules/juniper.asciidoc[] +include::modules/junipersrx.asciidoc[] include::modules/kafka.asciidoc[] include::modules/kibana.asciidoc[] include::modules/logstash.asciidoc[] diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index bf29e0715ed0..e41c52315fae 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -187,6 +187,21 @@ filebeat.modules: # can be added under this section. #input: +#------------------------------ Junipersrx Module ------------------------------ +- module: junipersrx + firewall: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9006. + #var.syslog_port: 9006 + #-------------------------------- Kafka Module -------------------------------- - module: kafka # All logs diff --git a/filebeat/include/list.go b/filebeat/include/list.go index 519d0e715819..1e115fe6cdd8 100644 --- a/filebeat/include/list.go +++ b/filebeat/include/list.go 
@@ -37,6 +37,7 @@ import (
 _ "github.com/elastic/beats/v7/filebeat/module/haproxy"
 _ "github.com/elastic/beats/v7/filebeat/module/icinga"
 _ "github.com/elastic/beats/v7/filebeat/module/iis"
+ _ "github.com/elastic/beats/v7/filebeat/module/junipersrx"
 _ "github.com/elastic/beats/v7/filebeat/module/kafka"
 _ "github.com/elastic/beats/v7/filebeat/module/kibana"
 _ "github.com/elastic/beats/v7/filebeat/module/logstash"
diff --git a/filebeat/module/junipersrx/_meta/config.yml b/filebeat/module/junipersrx/_meta/config.yml
new file mode 100644
index 000000000000..8272e20dbfd7
--- /dev/null
+++ b/filebeat/module/junipersrx/_meta/config.yml
@@ -0,0 +1,13 @@
+- module: junipersrx
+ firewall:
+ enabled: true
+
+ # Set which input to use between tcp, udp (default) or file.
+ #var.input: udp
+
+ # The interface to listen to syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The port to listen for syslog traffic. Defaults to 9006.
+ #var.syslog_port: 9006
diff --git a/filebeat/module/junipersrx/_meta/docs.asciidoc b/filebeat/module/junipersrx/_meta/docs.asciidoc
new file mode 100644
index 000000000000..02a06270ef04
--- /dev/null
+++ b/filebeat/module/junipersrx/_meta/docs.asciidoc
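Review bot: In `filebeat/module/junipersrx/_meta/config.yml`, the comment above `#var.syslog_host` tells operators to set 0.0.0.0 to bind all interfaces but gives no caveat that, as far as this hunk shows, the udp/tcp syslog input has no sender restriction or TLS configured, so any host that can reach the port could have its records indexed as SRX firewall events. I would add a line after the host comment such as `# Syslog is unauthenticated here: when binding beyond localhost, limit senders to the SRX addresses with a host or network firewall.` The same comment block is copied into the `filebeat/filebeat.reference.yml` hunk, and the diffstat lists an `x-pack/filebeat/filebeat.reference.yml` copy as well. The example in `_meta/docs.asciidoc` already uses `var.syslog_host: 0.0.0.0`, and it does so under `- module: sophosxg`, which looks like a copy-paste slip for `junipersrx`.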
@@ -0,0 +1,128 @@
+[role="xpack"]
+
+:modulename: junipersrx
+:has-dashboards: false
+
+== Juniper-SRX module
+
+This is a module for Juniper-SRX OS logs sent in the syslog format.
+
+The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html[JunOS Documentation structured-data]
+
+To configure a remote syslog destination, please reference the https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502[SRX Getting Started - Configure System Logging].
+
+The following processes and tags are supported:
+
+[options="header"]
+|==============================================================
+| JunOS processes | JunOS tags |
+| RT_FLOW | RT_FLOW_SESSION_CREATE |
+| | RT_FLOW_SESSION_CLOSE |
+| | RT_FLOW_SESSION_DENY |
+| | APPTRACK_SESSION_CREATE |
+| | APPTRACK_SESSION_CLOSE |
+| | APPTRACK_SESSION_VOL_UPDATE |
+| RT_IDS | RT_SCREEN_TCP |
+| | RT_SCREEN_UDP |
+| | RT_SCREEN_ICMP |
+| | RT_SCREEN_IP |
+| | RT_SCREEN_TCP_DST_IP |
+| | RT_SCREEN_TCP_SRC_IP |
+| RT_UTM | WEBFILTER_URL_PERMITTED |
+| | WEBFILTER_URL_BLOCKED |
+| | AV_VIRUS_DETECTED_MT |
+| | CONTENT_FILTERING_BLOCKED_MT |
+| | ANTISPAM_SPAM_DETECTED_MT |
+| RT_IDP | IDP_ATTACK_LOG_EVENT |
+| | IDP_APPDDOS_APP_STATE_EVENT |
+| RT_AAMW | SRX_AAMW_ACTION_LOG |
+| | AAMW_MALWARE_EVENT_LOG |
+| | AAMW_HOST_INFECTED_EVENT_LOG |
+| | AAMW_ACTION_LOG |
+| RT_SECINTEL | SECINTEL_ACTION_LOG |
+|==============================================================
+
+
+
+The syslog format choosen should be `Default`.
+
+include::../include/gs-link.asciidoc[]
+
+[float]
+=== Compatibility
+
+This module has been tested against JunOS version 19.x and 20.x.
+Versions above this are expected to work but have not been tested.
+
+include::../include/configuring-intro.asciidoc[]
+
+:fileset_ex: firewall
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `firewall` fileset settings
+
+[source,yaml]
+----
+- module: sophosxg
+ firewall:
+ enabled: true
+ var.input: udp
+ var.syslog_host: 0.0.0.0
+ var.syslog_port: 9006
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.input`*::
+
+The input to use, can be either the value `tcp`, `udp` or `file`.
+
+*`var.syslog_host`*::
+
+The interface to listen to all syslog traffic. Defaults to localhost.
+Set to 0.0.0.0 to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The port to listen for syslog traffic. Defaults to 9006.
+
+
+[float]
+==== JunOS ECS fields
+
+This is a list of JunOS fields that are mapped to ECS.
+
+[options="header"]
+|==============================================================
+| JunOS Fields | ECS Fields |
+| application-risk | event.risk_score |
+| bytes-from-client | source.bytes |
+| bytes-from-server | destination.bytes |
+| destination-interface-name | observer.egress.interface.name |
+| destination-zone-name | observer.egress.zone |
+| destination-address | destination.ip |
+| destination-port | destination.port |
+| dst_domainname | url.domain |
+| elapsed-time | event.duration |
+| filename | file.name |
+| nat-destination-address | destination.nat.ip |
+| nat-destination-port | destination.nat.port |
+| nat-source-address | source.nat.ip |
+| nat-source-port | source.nat.port |
+| message | message |
+| obj | url.path |
+| packets-from-client | source.packets |
+| packets-from-server | destination.packets |
+| policy-name | rule.name |
+| protocol | network.transport |
+| source-address | source.ip |
+| source-interface-name | observer.ingress.interface.name|
+| source-port | source.port |
+| source-zone-name | observer.ingress.zone |
+| url | url.domain |
+|==============================================================
+
+
+:modulename!:
diff --git a/filebeat/module/junipersrx/_meta/fields.yml b/filebeat/module/junipersrx/_meta/fields.yml new file mode 100644 index 000000000000..de09a76f8d54 --- /dev/null +++ b/filebeat/module/junipersrx/_meta/fields.yml @@ -0,0 +1,9 @@ +- key: junipersrx + title: "junipersrx" + description: > + junipersrx Module + fields: + - name: junipersrx + type: group + description: > + fields: diff --git a/filebeat/module/junipersrx/fields.go b/filebeat/module/junipersrx/fields.go new file mode 100644 index 000000000000..4964270b28e0 --- /dev/null +++ b/filebeat/module/junipersrx/fields.go @@ -0,0 +1,36 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package junipersrx + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "junipersrx", asset.ModuleFieldsPri, AssetJunipersrx); err != nil { + panic(err) + } +} + +// AssetJunipersrx returns asset data. +// This is the base64 encoded gzipped contents of module/junipersrx. +func AssetJunipersrx() string { + return "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" +} 
diff --git a/filebeat/module/junipersrx/firewall/_meta/fields.yml b/filebeat/module/junipersrx/firewall/_meta/fields.yml
new file mode 100644
index 000000000000..64dd3498e427
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/_meta/fields.yml
@@ -0,0 +1,597 @@
+- name: firewall
+ type: group
+ release: beta
+ default_field: false
+ description: >
+ Module for parsing junipersrx syslog.
+ fields:
+ - name: reason
+ type: keyword
+ description: >
+ reason
+
+ - name: source-address
+ type: ip
+ description: >
+ source address
+
+ - name: source-port
+ type: integer
+ description: >
+ source port
+
+ - name: destination-address
+ type: ip
+ description: >
+ destination address
+
+ - name: destination-port
+ type: integer
+ description: >
+ destination port
+
+ - name: connection-tag
+ type: keyword
+ description: >
+ connection tag
+
+ - name: service-name
+ type: keyword
+ description: >
+ service name
+
+ - name: nat-source-address
+ type: ip
+ description: >
+ nat source address
+
+ - name: nat-source-port
+ type: integer
+ description: >
+ nat source port
+
+ - name: nat-destination-address
+ type: ip
+ description: >
+ nat destination address
+
+ - name: nat-destination-port
+ type: integer
+ description: >
+ nat destination port
+
+ - name: nat-connection-tag
+ type: keyword
+ description: >
+ nat connection tag
+
+ - name: src-nat-rule-type
+ type: keyword
+ description: >
+ src nat rule type
+
+ - name: src-nat-rule-name
+ type: keyword
+ description: >
+ src nat rule name
+
+ - name: dst-nat-rule-type
+ type: keyword
+ description: >
+ dst nat rule type
+
+ - name: dst-nat-rule-name
+ type: keyword
+ description: >
+ dst nat rule name
+
+ - name: protocol-id
+ type: keyword
+ description: >
+ protocol id
+
+ - name: policy-name
+ type: keyword
+ description: >
+ policy name
+
+ - name: source-zone-name
+ type: keyword
+ description: >
+ source zone name
+
+ - name: source-zone
+ type: keyword
+ description: >
+ source zone
+
+ - name: destination-zone-name
+ type: keyword
+ description: >
+ destination zone name
+
+ - name: destination-zone
+ type: keyword
+ description: >
+ destination zone
+
+ - name: session-id-32
+ type: keyword
+ description: >
+ session id 32
+
+ - name: session-id
+ type: keyword
+ description: >
+ session id
+
+ - name: packets-from-client
+ type: integer
+ description: >
+ packets from client
+
+ - name: outbound-packets
+ type: integer
+ description: >
+ packets from client
+
+ - name: bytes-from-client
+ type: integer
+ description: >
+ bytes from client
+
+ - name: outbound-bytes
+ type: integer
+ description: >
+ bytes from client
+
+ - name: packets-from-server
+ type: integer
+ description: >
+ packets from server
+
+ - name: inbound-packets
+ type: integer
+ description: >
+ packets from server
+
+ - name: bytes-from-server
+ type: integer
+ description: >
+ bytes from server
+
+ - name: inbound-bytes
+ type: integer
+ description: >
+ bytes from server
+
+ - name: elapsed-time
+ type: date
+ description: >
+ elapsed time
+
+ - name: application
+ type: keyword
+ description: >
+ application
+
+ - name: nested-application
+ type: keyword
+ description: >
+ nested application
+
+ - name: username
+ type: keyword
+ description: >
+ username
+
+ - name: roles
+ type: keyword
+ description: >
+ roles
+
+ - name: packet-incoming-interface
+ type: keyword
+ description: >
+ packet incoming interface
+
+ - name: encrypted
+ type: keyword
+ description: >
+ encrypted
+
+ - name: application-category
+ type: keyword
+ description: >
+ application category
+
+ - name: application-sub-category
+ type: keyword
+ description: >
+ application sub category
+
+ - name: application-risk
+ type: integer
+ description: >
+ application risk
+
+ - name: urlcategory-risk
+ type: integer
+ description: >
+ urlcategory risk
+
+ - name: application-characteristics
+ type: keyword
+ description: >
+ application characteristics
+
+ - name: secure-web-proxy-session-type
+ type: keyword
+ description: >
+ secure web proxy session type
+
+ - name: peer-session-id
+ type: keyword
+ description: >
+ peer session id
+
+ - name: peer-source-address
+ type: ip
+ description: >
+ peer source address
+
+ - name: peer-source-port
+ type: integer
+ description: >
+ peer source port
+
+ - name: peer-destination-address
+ type: ip
+ description: >
+ peer destination address
+
+ - name: peer-destination-port
+ type: integer
+ description: >
+ peer destination port
+
+ - name: hostname
+ type: keyword
+ description: >
+ hostname
+
+ - name: src-vrf-grp
+ type: keyword
+ description: >
+ src-vrf-grp
+
+ - name: dst-vrf-grp
+ type: keyword
+ description: >
+ dst-vrf-grp
+
+ - name: icmp-type
+ type: integer
+ description: >
+ icmp type
+
+ - name: process
+ type: keyword
+ description: >
+ process that generated the message
+
+ - name: apbr-rule-type
+ type: keyword
+ description: >
+ apbr rule type
+
+ - name: dscp-value
+ type: integer
+ description: >
+ apbr rule type
+
+ - name: logical-system-name
+ type: keyword
+ description: >
+ logical system name
+
+ - name: destination-interface-name
+ type: keyword
+ description: >
+ destination interface name
+
+ - name: profile-name
+ type: keyword
+ description: >
+ profile name
+
+ - name: routing-instance
+ type: keyword
+ description: >
+ routing instance
+
+ - name: rule-name
+ type: keyword
+ description: >
+ rule name
+
+ - name: uplink-tx-bytes
+ type: integer
+ description: >
+ uplink tx bytes
+
+ - name: uplink-rx-bytes
+ type: integer
+ description: >
+ uplink rx bytes
+
+ - name: obj
+ type: keyword
+ description: >
+ url path
+
+ - name: url
+ type: keyword
+ description: >
+ url domain
+
+ - name: profile
+ type: keyword
+ description: >
+ filter profile
+
+ - name: category
+ type: keyword
+ description: >
+ filter category
+
+ - name: filename
+ type: keyword
+ description: >
+ filename
+
+ - name: temporary-filename
+ type: keyword
+ description: >
+ temporary-filename
+
+ - name: name
+ type: keyword
+ description: >
+ name
+
+ - name: error-message
+ type: keyword
+ description: >
+ error-message
+
+ - name: error-code
+ type: keyword
+ description: >
+ error-code
+
+ - name: action
+ type: keyword
+ description: >
+ action
+
+ - name: protocol
+ type: keyword
+ description: >
+ protocol
+
+ - name: protocol-name
+ type: keyword
+ description: >
+ protocol name
+
+ - name: type
+ type: keyword
+ description: >
+ type
+
+ - name: repeat-count
+ type: integer
+ description: >
+ repeat count
+
+ - name: alert
+ type: keyword
+ description: >
+ repeat alert
+
+ - name: message-type
+ type: keyword
+ description: >
+ message type
+
+ - name: threat-severity
+ type: keyword
+ description: >
+ threat severity
+
+ - name: application-name
+ type: keyword
+ description: >
+ application name
+
+ - name: attack-name
+ type: keyword
+ description: >
+ attack name
+
+ - name: index
+ type: keyword
+ description: >
+ index
+
+ - name: message
+ type: keyword
+ description: >
+ mesagge
+
+ - name: epoch-time
+ type: date
+ description: >
+ epoch time
+
+ - name: packet-log-id
+ type: integer
+ description: >
+ packet log id
+
+ - name: export-id
+ type: integer
+ description: >
+ packet log id
+
+ - name: ddos-application-name
+ type: keyword
+ description: >
+ ddos application name
+
+ - name: connection-hit-rate
+ type: integer
+ description: >
+ connection hit rate
+
+ - name: time-scope
+ type: keyword
+ description: >
+ time scope
+
+ - name: context-hit-rate
+ type: integer
+ description: >
+ context hit rate
+
+ - name: context-value-hit-rate
+ type: integer
+ description: >
+ context value hit rate
+
+ - name: time-count
+ type: integer
+ description: >
+ time count
+
+ - name: time-period
+ type: integer
+ description: >
+ time period
+
+ - name: context-value
+ type: keyword
+ description: >
+ context value
+
+ - name: context-name
+ type: keyword
+ description: >
+ context name
+
+ - name: ruleebase-name
+ type: keyword
+ description: >
+ ruleebase name
+
+ - name: interface-name
+ type: keyword
+ description: >
+ interface name
+
+ - name: verdict-source
+ type: keyword
+ description: >
+ verdict source
+
+ - name: verdict-number
+ type: integer
+ description: >
+ verdict number
+
+ - name: http-host
+ type: keyword
+ description: >
+ http host
+
+ - name: file-category
+ type: keyword
+ description: >
+ file category
+
+ - name: sample-sha256
+ type: keyword
+ description: >
+ sample sha256
+
+ - name: malware-info
+ type: keyword
+ description: >
+ malware info
+
+ - name: client-ip
+ type: ip
+ description: >
+ client ip
+
+ - name: tenant-id
+ type: keyword
+ description: >
+ tenant id
+
+ - name: timestamp
+ type: date
+ description: >
+ timestamp
+
+ - name: th
+ type: keyword
+ description: >
+ th
+
+ - name: status
+ type: keyword
+ description: >
+ status
+
+ - name: state
+ type: keyword
+ description: >
+ state
+
+ - name: file-hash-lookup
+ type: keyword
+ description: >
+ file hash lookup
+
+ - name: file-name
+ type: keyword
+ description: >
+ file name
+
+ - name: action-detail
+ type: keyword
+ description: >
+ action detail
+
+ - name: sub-category
+ type: keyword
+ description: >
+ sub category
+
+ - name: feed-name
+ type: keyword
+ description: >
+ feed name
+
+ - name: occur-count
+ type: integer
+ description: >
+ occur count
+
+ - name: tag
+ type: keyword
+ description: >
+ system log message tag, which uniquely identifies the message.
+
diff --git a/filebeat/module/junipersrx/firewall/config/firewall.yml b/filebeat/module/junipersrx/firewall/config/firewall.yml
new file mode 100644
index 000000000000..3490fde4aaff
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/config/firewall.yml
@@ -0,0 +1,31 @@
+{{ if eq .input "tcp" }}
+
+type: tcp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "udp" }}
+
+type: udp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags}}
+
+processors:
+ - add_locale: ~
+
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
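Review bot: `elapsed-time` is declared `type: date`, but the name points to a session duration rather than a timestamp, and Elasticsearch would read a bare number in a date field as epoch milliseconds; unless the device really sends a timestamp there, `type: long` is the better fit. Several descriptions were copied from the neighbouring entry and now document the wrong field: `dscp-value` says "apbr rule type", `export-id` says "packet log id", `alert` says "repeat alert", and `message` reads "mesagge". `ruleebase-name` looks like a misspelling of `rulebase-name`; if the key in the log has a single `e`, the value never reaches this mapped field. Searches and detections are built on these names and types, so they are worth fixing while the fileset is still `release: beta`.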
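Review bot: The `tcp` and `udp` branches template only `type` and `host`, so the listener accepts plaintext, unauthenticated syslog from any peer that can reach `{{.syslog_host}}:{{.syslog_port}}`, and forged firewall events would be indexed like genuine ones. The default for `syslog_host` is set in manifest.yml, outside this hunk; it should be a loopback or management address rather than a wildcard, and the module docs should tell operators to restrict senders at the network layer. For the tcp branch, consider exposing the input's `ssl` settings and `max_message_size` as module variables. Separately, `exclude_files: [".gz$"]` leaves the dot unescaped, so it matches any character before `gz`; `exclude_files: ['\.gz$']` is the intended pattern.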
diff --git a/filebeat/module/junipersrx/firewall/ingest/atp.yml b/filebeat/module/junipersrx/firewall/ingest/atp.yml
new file mode 100644
index 000000000000..b0635cdc3527
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/ingest/atp.yml
@@ -0,0 +1,349 @@
+description: Pipeline for parsing junipersrx firewall logs (atp pipeline)
+processors:
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.junipersrx?.firewall?.tag != null"
+- append:
+ field: event.category
+ value: network
+- set:
+ field: event.kind
+ value: alert
+ if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.junipersrx?.firewall?.tag) && ctx.junipersrx?.firewall?.action != "PERMIT"'
+- append:
+ field: event.category
+ value: malware
+ if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.junipersrx?.firewall?.tag) && ctx.junipersrx?.firewall?.action != "PERMIT"'
+- append:
+ field: event.type
+ value:
+ - info
+ - diened
+ - connection
+ if: "ctx.junipersrx?.firewall?.action == 'BLOCK' || ctx.junipersrx?.firewall?.tag == 'AAMW_MALWARE_EVENT_LOG'"
+- append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: "ctx.junipersrx?.firewall?.action != 'BLOCK' && ctx.junipersrx?.firewall?.tag != 'AAMW_MALWARE_EVENT_LOG'"
+- set:
+ field: event.action
+ value: malware_detected
+ if: "ctx.junipersrx?.firewall?.action == 'BLOCK' || ctx.junipersrx?.firewall?.tag == 'AAMW_MALWARE_EVENT_LOG'"
+
+
+####################################
+## ECS Server/Destination Mapping ##
+####################################
+- rename:
+ field: junipersrx.firewall.destination-address
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['destination-address'] != null"
+- set:
+ field: server.ip
+ value: '{{destination.ip}}'
+ if: "ctx.destination?.ip != null"
+- rename:
+ field: junipersrx.firewall.nat-destination-address
+ target_field: destination.nat.ip
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['nat-destination-address'] != null"
+- convert:
+ field: junipersrx.firewall.destination-port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['destination-port'] != null"
+- set:
+ field: server.port
+ value: '{{destination.port}}'
+ if: "ctx.destination?.port != null"
+- convert:
+ field: server.port
+ target_field: server.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.port != null"
+- convert:
+ field: junipersrx.firewall.nat-destination-port
+ target_field: destination.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['nat-destination-port'] != null"
+- set:
+ field: server.nat.port
+ value: '{{destination.nat.port}}'
+ if: "ctx.destination?.nat?.port != null"
+- convert:
+ field: server.nat.port
+ target_field: server.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.nat?.port != null"
+- convert:
+ field: junipersrx.firewall.bytes-from-server
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['bytes-from-server'] != null"
+- set:
+ field: server.bytes
+ value: '{{destination.bytes}}'
+ if: "ctx.destination?.bytes != null"
+- convert:
+ field: server.bytes
+ target_field: server.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.bytes != null"
+- convert:
+ field: junipersrx.firewall.packets-from-server
+ target_field: destination.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['packets-from-server'] !=null"
+- set:
+ field: server.packets
+ value: '{{destination.packets}}'
+ if: "ctx.destination?.packets != null"
+- convert:
+ field: server.packets
+ target_field: server.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.server?.packets != null"
+
+###############################
+## ECS Client/Source Mapping ##
+###############################
+- rename:
+ field: junipersrx.firewall.source-address
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['source-address'] != null"
+- set:
+ field: client.ip
+ value: '{{source.ip}}'
+ if: "ctx.source?.ip != null"
+- rename:
+ field: junipersrx.firewall.nat-source-address
+ target_field: source.nat.ip
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['nat-source-address'] != null"
+- rename:
+ field: junipersrx.firewall.sourceip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall?.sourceip != null"
+- convert:
+ field: junipersrx.firewall.source-port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['source-port'] != null"
+- set:
+ field: client.port
+ value: '{{source.port}}'
+ if: "ctx.source?.port != null"
+- convert:
+ field: client.port
+ target_field: client.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.port != null"
+- convert:
+ field: junipersrx.firewall.nat-source-port
+ target_field: source.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['nat-source-port'] != null"
+- set:
+ field: client.nat.port
+ value: '{{source.nat.port}}'
+ if: "ctx.source?.nat?.port != null"
+- convert:
+ field: client.nat.port
+ target_field: client.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.nat?.port != null"
+- convert:
+ field: junipersrx.firewall.bytes-from-client
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['bytes-from-client'] != null"
+- set:
+ field: client.bytes
+ value: '{{source.bytes}}'
+ if: "ctx.source?.bytes != null"
+- convert:
+ field: client.bytes
+ target_field: client.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.bytes != null"
+- convert:
+ field: junipersrx.firewall.packets-from-client
+ target_field: source.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['packets-from-client'] != null"
+- set:
+ field: client.packets
+ value: '{{source.packets}}'
+ if: "ctx.source?.packets != null"
+- convert:
+ field: client.packets
+ target_field: client.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.client?.packets != null"
+- rename:
+ field: junipersrx.firewall.username
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall?.username != null"
+- rename:
+ field: junipersrx.firewall.hostname
+ target_field: source.address
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall?.hostname != null"
+- rename:
+ field: junipersrx.firewall.client-ip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['client-ip'] != null"
+
+######################
+## ECS URL Mapping ##
+######################
+- rename:
+ field: junipersrx.firewall.http-host
+ target_field: url.domain
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['http-host'] != null"
+
+#############################
+## ECS Network/Geo Mapping ##
+#############################
+- rename:
+ field: junipersrx.firewall.protocol-id
+ target_field: network.iana_number
+ ignore_missing: true
+ if: "ctx.junipersrx?.firewall['protocol-id'] != null"
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+#############
+## Cleanup ##
+#############
+- remove:
+ field:
+ - junipersrx.firewall.destination-port
+ - junipersrx.firewall.nat-destination-port
+ - junipersrx.firewall.bytes-from-client
+ - junipersrx.firewall.packets-from-client
+ - junipersrx.firewall.source-port
+ - junipersrx.firewall.nat-source-port
+ - junipersrx.firewall.bytes-from-server
+ - junipersrx.firewall.packets-from-server
+ ignore_missing: true
+
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/filebeat/module/junipersrx/firewall/ingest/flow.yml b/filebeat/module/junipersrx/firewall/ingest/flow.yml
new file mode 100644
index 000000000000..ccdd4d8b3f67
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/ingest/flow.yml
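Review bot: The `event.type` append for blocked or malware events lists `diened`, which is not an ECS `event.type` value; it should read `- denied`, otherwise queries and detection rules that filter on `event.type: denied` will miss every ATP block. The same misspelling is in the first `event.type` append of ingest/idp.yml, whose hunk continues past this view. Separately, conditions written as `ctx.junipersrx?.firewall['destination-address'] != null` index into `firewall` without a null check, so an event that lacks `junipersrx.firewall` would throw and drop to `on_failure`; `ctx.junipersrx?.firewall?.get('destination-address') != null` keeps the whole chain null-safe.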
@@ -0,0 +1,380 @@ +description: Pipeline for parsing junipersrx firewall logs (flow pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.junipersrx?.firewall?.tag != null" +- append: + field: event.category + value: network +- rename: + field: junipersrx.firewall.application-risk + target_field: event.risk_score + ignore_missing: true + if: "ctx.junipersrx?.firewall['application-risk'] != null" +- append: + field: event.type + value: + - start + - allowed + - connection + if: "ctx.junipersrx?.firewall?.tag.endsWith('CREATE') || ctx.junipersrx?.firewall?.tag.endsWith('UPDATE') || ctx.junipersrx?.firewall?.tag.endsWith('CREATE_LS') || ctx.junipersrx?.firewall?.tag.endsWith('UPDATE_LS')" +- append: + field: event.type + value: + - end + - allowed + - connection + if: "ctx.junipersrx?.firewall?.tag.endsWith('CLOSE') || ctx.junipersrx?.firewall?.tag.endsWith('CLOSE_LS')" +- append: + field: event.type + value: + - denied + - connection + if: "ctx.junipersrx?.firewall?.tag.endsWith('DENY') || ctx.junipersrx?.firewall?.tag.endsWith('DENY_LS')" +- set: + field: event.action + value: flow_started + if: "ctx.junipersrx?.firewall?.tag.endsWith('CREATE') || ctx.junipersrx?.firewall?.tag.endsWith('UPDATE') || ctx.junipersrx?.firewall?.tag.endsWith('CREATE_LS') || ctx.junipersrx?.firewall?.tag.endsWith('UPDATE_LS')" +- set: + field: event.action + value: flow_close + if: "ctx.junipersrx?.firewall?.tag.endsWith('CLOSE') || ctx.junipersrx?.firewall?.tag.endsWith('CLOSE_LS')" +- set: + field: event.action + value: flow_deny + if: "ctx.junipersrx?.firewall?.tag.endsWith('DENY') || ctx.junipersrx?.firewall?.tag.endsWith('DENY_LS')" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: junipersrx.firewall.destination-address + target_field: destination.ip + 
ignore_missing: true + if: "ctx.junipersrx?.firewall['destination-address'] != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: junipersrx.firewall.nat-destination-address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-destination-address'] != null" +- convert: + field: junipersrx.firewall.destination-port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['destination-port'] != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: junipersrx.firewall.nat-destination-port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-destination-port'] != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: junipersrx.firewall.bytes-from-server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['bytes-from-server'] != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: junipersrx.firewall.packets-from-server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: 
"ctx.junipersrx?.firewall['packets-from-server'] !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: junipersrx.firewall.source-address + target_field: source.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['source-address'] != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: junipersrx.firewall.nat-source-address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-source-address'] != null" +- rename: + field: junipersrx.firewall.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall?.sourceip != null" +- convert: + field: junipersrx.firewall.source-port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['source-port'] != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: junipersrx.firewall.nat-source-port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-source-port'] != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: junipersrx.firewall.bytes-from-client + target_field: source.bytes 
+ type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['bytes-from-client'] != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: junipersrx.firewall.packets-from-client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['packets-from-client'] != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: junipersrx.firewall.username + target_field: source.user.name + ignore_missing: true + if: "ctx.junipersrx?.firewall?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: junipersrx.firewall.policy-name + target_field: rule.name + ignore_missing: true + if: "ctx.junipersrx?.firewall['policy-name'] != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: junipersrx.firewall.protocol-id + target_field: network.iana_number + ignore_missing: true + if: "ctx.junipersrx?.firewall['protocol-id'] != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + 
properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx['network']['bytes'] = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx['network']['packets'] = ctx.client.packets + ctx.server.packets" + if: "ctx?.client?.packets != null && ctx?.server?.packets != null" + ignore_failure: true + +######################### +## ECS Related Mapping ## +######################### +- append: + if: 'ctx?.source?.ip != null' + field: related.ip + value: '{{source.ip}}' +- append: + if: 'ctx?.destination?.ip != null' + field: related.ip + value: '{{destination.ip}}' +- append: + if: 'ctx?.source?.nat?.ip != null' + field: related.ip + value: '{{source.nat.ip}}' +- append: + if: 'ctx?.destination?.nat?.ip != null' + field: related.ip + value: 
'{{destination.nat.ip}}' + +############# +## Cleanup ## +############# +- remove: + field: + - junipersrx.firewall.destination-port + - junipersrx.firewall.nat-destination-port + - junipersrx.firewall.bytes-from-client + - junipersrx.firewall.packets-from-client + - junipersrx.firewall.source-port + - junipersrx.firewall.nat-source-port + - junipersrx.firewall.bytes-from-server + - junipersrx.firewall.packets-from-server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/filebeat/module/junipersrx/firewall/ingest/idp.yml b/filebeat/module/junipersrx/firewall/ingest/idp.yml new file mode 100644 index 000000000000..e57575243a2e --- /dev/null +++ b/filebeat/module/junipersrx/firewall/ingest/idp.yml 
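Review bot: The conditions that call `ctx.junipersrx?.firewall?.tag.endsWith(...)` dereference `tag` without a null check, although the `event.outcome` processor above them allows for `tag` being null; such an event would throw in the first `event.type` append and fall to `on_failure`, so none of the source/destination mapping runs for it. Guard each one, for example `ctx.junipersrx?.firewall?.tag != null && ctx.junipersrx.firewall.tag.endsWith('CLOSE')`. The two painless scripts near the end assign into `ctx['network']`, which exists only when `protocol-id` was renamed to `network.iana_number`, and `ignore_failure: true` hides the resulting error, so `network.bytes` and `network.packets` can go missing silently. The packets script also sums `client`/`server` while the bytes script sums `source`/`destination`; using one pair for both is easier to reason about.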
@@ -0,0 +1,287 @@ +description: Pipeline for parsing junipersrx firewall logs (idp pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.junipersrx?.firewall?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- append: + field: event.category + value: intrusion_detection + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- append: + field: event.type + value: + - info + - diened + - connection + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- set: + field: event.action + value: application_ddos + if: '["IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- set: + field: event.action + value: security_threat + if: '["IDP_ATTACK_LOG_EVENT", "IDP_ATTACK_LOG_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + + +#################################### +## ECS 
Server/Destination Mapping ## +#################################### +- rename: + field: junipersrx.firewall.destination-address + target_field: destination.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['destination-address'] != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: junipersrx.firewall.nat-destination-address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-destination-address'] != null" +- convert: + field: junipersrx.firewall.destination-port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['destination-port'] != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: junipersrx.firewall.nat-destination-port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-destination-port'] != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: junipersrx.firewall.inbound-bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['inbound-bytes'] != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: 
junipersrx.firewall.inbound-packets + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['inbound-packets'] !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: junipersrx.firewall.source-address + target_field: source.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['source-address'] != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: junipersrx.firewall.nat-source-address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-source-address'] != null" +- rename: + field: junipersrx.firewall.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall?.sourceip != null" +- convert: + field: junipersrx.firewall.source-port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['source-port'] != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: junipersrx.firewall.nat-source-port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-source-port'] != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + 
ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: junipersrx.firewall.outbound-bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['outbound-bytes'] != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: junipersrx.firewall.outbound-packets + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['packets-from-client'] != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: junipersrx.firewall.username + target_field: source.user.name + ignore_missing: true + if: "ctx.junipersrx?.firewall?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: junipersrx.firewall.rulebase-name + target_field: rule.name + ignore_missing: true + if: "ctx.junipersrx?.firewall['rulebase-name'] != null" +- rename: + field: junipersrx.firewall.rule-name + target_field: rule.id + ignore_missing: true + if: "ctx.junipersrx?.firewall['rule-name'] != null" + +######################### +## ECS Network Mapping ## +######################### +- rename: + field: junipersrx.firewall.protocol-name + target_field: network.protocol + ignore_missing: true + if: "ctx.junipersrx?.firewall['protocol-name'] != null" + +######################### +## ECS message Mapping ## +######################### +- rename: + field: junipersrx.firewall.message + target_field: message + ignore_missing: true + if: "ctx.junipersrx?.firewall?.message != 
null" + +############# +## Cleanup ## +############# +- remove: + field: + - junipersrx.firewall.destination-port + - junipersrx.firewall.nat-destination-port + - junipersrx.firewall.outbound-bytes + - junipersrx.firewall.outbound-packets + - junipersrx.firewall.source-port + - junipersrx.firewall.nat-source-port + - junipersrx.firewall.inbound-bytes + - junipersrx.firewall.inbound-packets + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/junipersrx/firewall/ingest/ids.yml b/filebeat/module/junipersrx/firewall/ingest/ids.yml new file mode 100644 index 000000000000..166b42891989 --- /dev/null +++ b/filebeat/module/junipersrx/firewall/ingest/ids.yml 
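Review bot: The `event.type` value `diened` in the attack branch is a misspelling of the ECS value `denied`, so searches and detection rules filtering on `event.type: denied` will not match these IDP alerts; the line should read `- denied`. The same spelling appears in the ids.yml and secintel.yml hunks of this patch. Separately, the convert for `junipersrx.firewall.outbound-packets` is guarded by `ctx.junipersrx?.firewall['packets-from-client'] != null`, a key this pipeline never reads, so `source.packets` is presumably never populated for IDP events; the guard should be `if: "ctx.junipersrx?.firewall['outbound-packets'] != null"`.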
@@ -0,0 +1,363 @@ +description: Pipeline for parsing junipersrx firewall logs (ids pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.junipersrx?.firewall?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- append: + field: event.category + value: intrusion_detection + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- append: + field: event.type + value: + - info + - diened + - connection + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- set: + field: event.action + value: flood_detected + if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP 
based!"].contains(ctx.junipersrx?.firewall["attack-name"])' +- set: + field: event.action + value: scan_detected + if: "ctx.junipersrx?.firewall['attack-name'] == 'TCP port scan!'" +- set: + field: event.action + value: sweep_detected + if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.junipersrx?.firewall["attack-name"])' +- set: + field: event.action + value: fragment_detected + if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.junipersrx?.firewall["attack-name"])' +- set: + field: event.action + value: spoofing_detected + if: "ctx.junipersrx?.firewall['attack-name'] == 'IP spoofing!'" +- set: + field: event.action + value: session_limit_detected + if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.junipersrx?.firewall["attack-name"])' +- set: + field: event.action + value: attack_detected + if: '["Land attack!", "WinNuke attack!"].contains(ctx.junipersrx?.firewall["attack-name"])' +- set: + field: event.action + value: illegal_tcp_flag_detected + if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.junipersrx?.firewall["attack-name"])' +- set: + field: event.action + value: tunneling_screen + if: ctx.junipersrx?.firewall['attack-name'].startsWith('Tunnel') + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: junipersrx.firewall.destination-address + target_field: destination.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['destination-address'] != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: junipersrx.firewall.nat-destination-address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-destination-address'] != null" +- convert: + field: junipersrx.firewall.destination-port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: 
"ctx.junipersrx?.firewall['destination-port'] != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: junipersrx.firewall.nat-destination-port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-destination-port'] != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: junipersrx.firewall.bytes-from-server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['bytes-from-server'] != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: junipersrx.firewall.packets-from-server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['packets-from-server'] !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: junipersrx.firewall.source-address + target_field: source.ip + ignore_missing: true + if: 
"ctx.junipersrx?.firewall['source-address'] != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: junipersrx.firewall.nat-source-address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-source-address'] != null" +- rename: + field: junipersrx.firewall.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall?.sourceip != null" +- convert: + field: junipersrx.firewall.source-port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['source-port'] != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: junipersrx.firewall.nat-source-port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-source-port'] != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: junipersrx.firewall.bytes-from-client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['bytes-from-client'] != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: junipersrx.firewall.packets-from-client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: 
"ctx.junipersrx?.firewall['packets-from-client'] != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: junipersrx.firewall.username + target_field: source.user.name + ignore_missing: true + if: "ctx.junipersrx?.firewall?.username != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: junipersrx.firewall.protocol-id + target_field: network.iana_number + ignore_missing: true + if: "ctx.junipersrx?.firewall['protocol-id'] != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: 
source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + +############# +## Cleanup ## +############# +- remove: + field: + - junipersrx.firewall.destination-port + - junipersrx.firewall.nat-destination-port + - junipersrx.firewall.bytes-from-client + - junipersrx.firewall.packets-from-client + - junipersrx.firewall.source-port + - junipersrx.firewall.nat-source-port + - junipersrx.firewall.bytes-from-server + - junipersrx.firewall.packets-from-server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/filebeat/module/junipersrx/firewall/ingest/pipeline.yml b/filebeat/module/junipersrx/firewall/ingest/pipeline.yml new file mode 100644 index 000000000000..11cc51c846ec --- /dev/null +++ b/filebeat/module/junipersrx/firewall/ingest/pipeline.yml 
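Review bot: The `tunneling_screen` condition calls `.startsWith('Tunnel')` on `ctx.junipersrx?.firewall['attack-name']` without a null check, so an RT_IDS event that carries no `attack-name` would throw inside the condition and, as far as the hunk shows, drop to `on_failure`, skipping every source/destination and geo mapping below it. The other `event.action` conditions tolerate a missing value because they use `[...].contains(...)` or `==`. Guard it explicitly: `if: "ctx.junipersrx?.firewall['attack-name'] != null && ctx.junipersrx.firewall['attack-name'].startsWith('Tunnel')"`.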
@@ -0,0 +1,226 @@ +# This module only supports syslog messages in the format "structured-data + brief" +# https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html +description: Pipeline for parsing junipersrx firewall logs +processors: +- grok: + field: message + patterns: + - '^<%{POSINT:syslog_pri}>(\d{1,3}\s)?(?:%{TIMESTAMP_ISO8601:_temp_.raw_date})\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:log_type}\s\[.+?\s%{GREEDYDATA:log.original}\]$' + +# split Juniper-SRX fields +- kv: + field: log.original + field_split: " (?=[a-z0-9\\_\\-]+=)" + value_split: "=" + prefix: "junipersrx.firewall." + ignore_missing: true + ignore_failure: false + trim_value: "\"" + +# +# Parse the date +# +- date: + if: "ctx.event.timezone == null" + field: _temp_.raw_date + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss z + - yyyy-MM-dd HH:mm:ss Z + - ISO8601 +- date: + if: "ctx.event.timezone != null" + timezone: "{{ event.timezone }}" + field: _temp_.raw_date + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss z + - yyyy-MM-dd HH:mm:ss Z + - ISO8601 + +# Can possibly be omitted if there is a solution for the equal signs and the calculation of the start time. 
+# -> junipersrx.firewall.elapsed-time +- rename: + field: junipersrx.firewall.elapsed-time + target_field: junipersrx.firewall.duration + if: "ctx.junipersrx?.firewall['elapsed-time'] != null" + +# Sets starts, end and duration when start and duration is known +- script: + lang: painless + if: ctx?.junipersrx?.firewall?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.junipersrx.firewall.duration) * 1000000000L; + ctx.event.start = ctx['@timestamp']; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); + +# Removes all empty fields +- script: + lang: painless + params: + values: + - "None" + - "UNKNOWN" + - "N/A" + - "-" + source: >- + ctx?.junipersrx?.firewall.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.module + value: junipersrx +- set: + field: event.dataset + value: junipersrx.firewall +- set: + field: event.severity + value: '{{syslog_pri}}' +- rename: + field: log.original + target_field: event.original + ignore_missing: true + +##################### +## ECS Log Mapping ## +##################### +# https://www.juniper.net/documentation/en_US/junos/topics/reference/general/syslog-interpreting-msg-generated-structured-data-format.html#fac_sev_codes +- set: + field: "log.level" + if: '["0", "8", "16", "24", "32", "40", "48", "56", "64", "72", "80", "88", "96", "104", "112", "128", "136", "144", "152", "160", "168", "176", "184"].contains(ctx.syslog_pri)' + value: emergency +- set: + field: "log.level" + if: '["1", "9", "17", "25", "33", "41", "49", "57", "65", "73", "81", "89", "97", "105", "113", "129", "137", "145", "153", "161", "169", "177", "185"].contains(ctx.syslog_pri)' + value: alert +- set: + field: "log.level" + if: '["2", "10", "18", "26", "34", "42", "50", "58", "66", "74", "82", "90", "98", "106", "114", "130", "138", 
"146", "154", "162", "170", "178", "186"].contains(ctx.syslog_pri)' + value: critical +- set: + field: "log.level" + if: '["3", "11", "19", "27", "35", "43", "51", "59", "67", "75", "83", "91", "99", "107", "115", "131", "139", "147", "155", "163", "171", "179", "187"].contains(ctx.syslog_pri)' + value: error +- set: + field: "log.level" + if: '["4", "12", "20", "28", "36", "44", "52", "60", "68", "76", "84", "92", "100", "108", "116", "132", "140", "148", "156", "164", "172", "180", "188"].contains(ctx.syslog_pri)' + value: warning +- set: + field: "log.level" + if: '["5", "13", "21", "29", "37", "45", "53", "61", "69", "77", "85", "93", "101", "109", "117", "133", "141", "149", "157", "165", "173", "181", "189"].contains(ctx.syslog_pri)' + value: notification +- set: + field: "log.level" + if: '["6", "14", "22", "30", "38", "46", "54", "62", "70", "78", "86", "94", "102", "110", "118", "134", "142", "150", "158", "166", "174", "182", "190"].contains(ctx.syslog_pri)' + value: informational +- set: + field: "log.level" + if: '["7", "15", "23", "31", "39", "47", "55", "63", "71", "79", "87", "95", "103", "111", "119", "135", "143", "151", "159", "167", "175", "183", "191"].contains(ctx.syslog_pri)' + value: debug + +########################## +## ECS Observer Mapping ## +########################## +- set: + field: observer.vendor + value: Juniper +- set: + field: observer.product + value: SRX +- set: + field: observer.type + value: firewall +- rename: + field: syslog_hostname + target_field: observer.name + ignore_missing: true +- rename: + field: junipersrx.firewall.packet-incoming-interface + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: junipersrx.firewall.destination-interface-name + target_field: observer.egress.interface.name + ignore_missing: true +- rename: + field: junipersrx.firewall.source-interface-name + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: 
junipersrx.firewall.interface-name + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: junipersrx.firewall.source-zone-name + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: junipersrx.firewall.source-zone + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: junipersrx.firewall.destination-zone-name + target_field: observer.egress.zone + ignore_missing: true +- rename: + field: junipersrx.firewall.destination-zone + target_field: observer.egress.zone + ignore_missing: true +- rename: + field: syslog_program + target_field: junipersrx.firewall.process + ignore_missing: true +- rename: + field: log_type + target_field: junipersrx.firewall.tag + ignore_missing: true + + +############# +## Cleanup ## +############# +- remove: + field: + - message + - _temp_ + - _temp + - junipersrx.firewall.duration + - junipersrx.firewall.dir_disp + - junipersrx.firewall.srczone + - junipersrx.firewall.dstzone + - junipersrx.firewall.duration + - syslog_pri + - syslog_hostname + ignore_missing: true + +############################### +## Product Speific Pipelines ## +############################### +- pipeline: + name: '{< IngestPipeline "flow" >}' + if: "ctx.junipersrx?.firewall?.process == 'RT_FLOW'" +- pipeline: + name: '{< IngestPipeline "utm" >}' + if: "ctx.junipersrx?.firewall?.process == 'RT_UTM'" +- pipeline: + name: '{< IngestPipeline "idp" >}' + if: "ctx.junipersrx?.firewall?.process == 'RT_IDP'" +- pipeline: + name: '{< IngestPipeline "ids" >}' + if: "ctx.junipersrx?.firewall?.process == 'RT_IDS'" +- pipeline: + name: '{< IngestPipeline "atp" >}' + if: "ctx.junipersrx?.firewall?.process == 'RT_AAMW'" +- pipeline: + name: '{< IngestPipeline "secintel" >}' + if: "ctx.junipersrx?.firewall?.process == 'RT_SECINTEL'" + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' 
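Review bot: `event.severity` is set to the raw `{{syslog_pri}}` string, which is facility*8 + severity rather than the severity itself, so the same severity logged under different facilities yields different numbers and severity-based alert thresholds become unreliable. The eight hand-written `log.level` lists also skip PRI 120–127 (each list jumps from 112–119 to 128–135) and stop at 191, so events with those PRI values get no `log.level` at all. Deriving both fields from `pri % 8` in one script processor removes the lists and the gap; the sketch below would replace the `event.severity` set and the eight `log.level` sets, keeping the level names the patch already uses.

```yaml
# … unchanged: event.module / event.dataset sets …
- script:
    lang: painless
    if: "ctx.syslog_pri != null"
    params:
      levels:
        - emergency
        - alert
        - critical
        - error
        - warning
        - notification
        - informational
        - debug
    source: >-
      int pri = Integer.parseInt(ctx.syslog_pri);
      int sev = pri % 8;
      ctx.event.severity = sev;
      if (ctx.log == null) { ctx.log = new HashMap(); }
      ctx.log.level = params.levels[sev];
# … unchanged: log.original rename, observer mapping …
```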
diff --git a/filebeat/module/junipersrx/firewall/ingest/secintel.yml b/filebeat/module/junipersrx/firewall/ingest/secintel.yml
new file mode 100644
index 000000000000..22b97ceb6ae0
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/ingest/secintel.yml
@@ -0,0 +1,349 @@ +description: Pipeline for parsing junipersrx firewall logs (secintel pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.junipersrx?.firewall?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: 'ctx.junipersrx?.firewall?.tag == "SECINTEL_ACTION_LOG" && ctx.junipersrx?.firewall?.action != "PERMIT"' +- append: + field: event.category + value: malware + if: 'ctx.junipersrx?.firewall?.tag == "SECINTEL_ACTION_LOG" && ctx.junipersrx?.firewall?.action != "PERMIT"' +- append: + field: event.type + value: + - info + - diened + - connection + if: "ctx.junipersrx?.firewall?.action == 'BLOCK'" +- append: + field: event.type + value: + - allowed + - connection + if: "ctx.junipersrx?.firewall?.action != 'BLOCK'" +- set: + field: event.action + value: malware_detected + if: "ctx.junipersrx?.firewall?.action == 'BLOCK'" + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: junipersrx.firewall.destination-address + target_field: destination.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['destination-address'] != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: junipersrx.firewall.nat-destination-address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-destination-address'] != null" +- convert: + field: junipersrx.firewall.destination-port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['destination-port'] != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + 
type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: junipersrx.firewall.nat-destination-port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-destination-port'] != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: junipersrx.firewall.bytes-from-server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['bytes-from-server'] != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: junipersrx.firewall.packets-from-server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['packets-from-server'] !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: junipersrx.firewall.source-address + target_field: source.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['source-address'] != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: junipersrx.firewall.nat-source-address + target_field: source.nat.ip + 
ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-source-address'] != null" +- rename: + field: junipersrx.firewall.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall?.sourceip != null" +- convert: + field: junipersrx.firewall.source-port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['source-port'] != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: junipersrx.firewall.nat-source-port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-source-port'] != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: junipersrx.firewall.bytes-from-client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['bytes-from-client'] != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: junipersrx.firewall.packets-from-client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['packets-from-client'] != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + 
ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: junipersrx.firewall.username + target_field: source.user.name + ignore_missing: true + if: "ctx.junipersrx?.firewall?.username != null" +- rename: + field: junipersrx.firewall.hostname + target_field: source.address + ignore_missing: true + if: "ctx.junipersrx?.firewall?.hostname != null" +- rename: + field: junipersrx.firewall.client-ip + target_field: source.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['client-ip'] != null" + +###################### +## ECS URL Mapping ## +###################### +- rename: + field: junipersrx.firewall.http-host + target_field: url.domain + ignore_missing: true + if: "ctx.junipersrx?.firewall['http-host'] != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: junipersrx.firewall.protocol-id + target_field: network.iana_number + ignore_missing: true + if: "ctx.junipersrx?.firewall['protocol-id'] != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true 
+ if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- remove: + field: + - junipersrx.firewall.destination-port + - junipersrx.firewall.nat-destination-port + - junipersrx.firewall.bytes-from-client + - junipersrx.firewall.packets-from-client + - junipersrx.firewall.source-port + - junipersrx.firewall.nat-source-port + - junipersrx.firewall.bytes-from-server + - junipersrx.firewall.packets-from-server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/filebeat/module/junipersrx/firewall/ingest/utm.yml b/filebeat/module/junipersrx/firewall/ingest/utm.yml new file mode 100644 index 000000000000..119d166ac9ac --- /dev/null +++ b/filebeat/module/junipersrx/firewall/ingest/utm.yml 
@@ -0,0 +1,388 @@ +description: Pipeline for parsing junipersrx firewall logs (utm pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.junipersrx?.firewall?.tag != null" +- append: + field: event.category + value: network +- rename: + field: junipersrx.firewall.urlcategory-risk + target_field: event.risk_score + ignore_missing: true + if: "ctx.junipersrx?.firewall['urlcategory-risk'] != null" +- set: + field: event.kind + value: alert + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- append: + field: event.category + value: malware + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- append: + field: event.type + value: + - info + - diened + - connection + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- set: + field: event.action + value: web_filter + if: '["WEBFILTER_URL_BLOCKED", 
"WEBFILTER_URL_BLOCKED_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- set: + field: event.action + value: content_filter + if: '["CONTENT_FILTERING_BLOCKED_MT", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- set: + field: event.action + value: antispam_filter + if: '["ANTISPAM_SPAM_DETECTED_MT", "ANTISPAM_SPAM_DETECTED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' +- set: + field: event.action + value: virus_detected + if: '["AV_VIRUS_DETECTED_MT", "AV_VIRUS_DETECTED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: junipersrx.firewall.destination-address + target_field: destination.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['destination-address'] != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: junipersrx.firewall.nat-destination-address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-destination-address'] != null" +- convert: + field: junipersrx.firewall.destination-port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['destination-port'] != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: junipersrx.firewall.nat-destination-port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-destination-port'] != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: 
server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: junipersrx.firewall.bytes-from-server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['bytes-from-server'] != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: junipersrx.firewall.packets-from-server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['packets-from-server'] !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: junipersrx.firewall.source-address + target_field: source.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['source-address'] != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: junipersrx.firewall.nat-source-address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-source-address'] != null" +- rename: + field: junipersrx.firewall.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.junipersrx?.firewall?.sourceip != null" +- convert: + field: junipersrx.firewall.source-port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['source-port'] != null" +- set: + field: client.port + value: '{{source.port}}' + 
if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: junipersrx.firewall.nat-source-port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['nat-source-port'] != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: junipersrx.firewall.bytes-from-client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['bytes-from-client'] != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: junipersrx.firewall.packets-from-client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.junipersrx?.firewall['packets-from-client'] != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: junipersrx.firewall.username + target_field: source.user.name + ignore_missing: true + if: "ctx.junipersrx?.firewall?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: junipersrx.firewall.policy-name + target_field: rule.name + ignore_missing: true + if: "ctx.junipersrx?.firewall['policy-name'] != null" + 
+##################### +## ECS URL Mapping ## +##################### +- rename: + field: junipersrx.firewall.url + target_field: url.domain + ignore_missing: true + if: "ctx.junipersrx?.firewall?.url != null" +- rename: + field: junipersrx.firewall.obj + target_field: url.path + ignore_missing: true + if: "ctx.junipersrx?.firewall?.obj != null" + +###################### +## ECS File Mapping ## +###################### +- rename: + field: junipersrx.firewall.filename + target_field: file.name + ignore_missing: true + if: "ctx.junipersrx?.firewall?.filename != null" + +######################### +## ECS Network Mapping ## +######################### +- rename: + field: junipersrx.firewall.protocol + target_field: network.protocol + ignore_missing: true + if: "ctx.junipersrx?.firewall?.protocol != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: junipersrx.firewall.protocol-id + target_field: network.iana_number + ignore_missing: true + if: "ctx.junipersrx?.firewall['protocol-id'] != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - 
organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+#############
+## Cleanup ##
+#############
+- remove:
+ field:
+ - junipersrx.firewall.destination-port
+ - junipersrx.firewall.nat-destination-port
+ - junipersrx.firewall.bytes-from-client
+ - junipersrx.firewall.packets-from-client
+ - junipersrx.firewall.source-port
+ - junipersrx.firewall.nat-source-port
+ - junipersrx.firewall.bytes-from-server
+ - junipersrx.firewall.packets-from-server
+ ignore_missing: true
+
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/filebeat/module/junipersrx/firewall/manifest.yml b/filebeat/module/junipersrx/firewall/manifest.yml
new file mode 100644
index 000000000000..46c09a3f80bb
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/manifest.yml
@@ -0,0 +1,26 @@
+module_version: 1.0
+
+var:
+ - name: syslog_host
+ default: localhost
+ - name: tags
+ default: [junipersrx-firewall, forwarded]
+ - name: syslog_port
+ default: 9006
+ - name: input
+ default: udp
+
+ingest_pipeline:
+ - ingest/pipeline.yml
+ - ingest/flow.yml
+ - ingest/utm.yml
+ - ingest/idp.yml
+ - ingest/ids.yml
+ - ingest/atp.yml
+ - ingest/secintel.yml
+
+input: config/firewall.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
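Review bot: The `event.type` list appended for the blocked/detected tags in utm.yml spells the ECS value as `diened`, so any query or detection rule filtering on `event.type: denied` will never match UTM blocks from this module; the entry should read `- denied`. The same misspelling appears in atp.log-expected.json later in this patch, so the ATP pipeline presumably carries it too and the golden files need regenerating after the fix. In the same Event Mapping block, `event.outcome` is set to `success` for every tagged event, including the blocked ones, and `event.category: malware` is appended for web-filter, antispam and content-filter tags as well as AV hits; both are worth a deliberate decision while the typo is being corrected.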
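Review bot: The `tags` default `[junipersrx-firewall, forwarded]` in manifest.yml does not come through as a two-element list: atp.log-expected.json in this patch records `"tags": ["junipersrx-firewall forwarded"]`, a single string, so a filter on the `forwarded` tag would miss these events. The cause is probably how config/firewall.yml (not part of this hunk) interpolates the variable; other Filebeat filesets render it as `tags: {{.tags | tojson}}`. Separately, `default: udp` with `syslog_host: localhost` is a conservative bind, but the module docs should note that widening the host exposes an unauthenticated UDP syslog listener whose sender addresses can be spoofed.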
diff --git a/filebeat/module/junipersrx/firewall/test/atp.log b/filebeat/module/junipersrx/firewall/test/atp.log
new file mode 100644
index 000000000000..95c8210f038a
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/test/atp.log
@@ -0,0 +1,4 @@
+<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="10.10.10.1" source-port="57116" destination-address="187.19.188.200" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"]
+<14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.0.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"]
+<11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.0.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
+<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
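Review bot: The first sample line carries typographic quotes in `verdict-source=”cloud/blacklist/whitelist”`, which look like a paste from documentation rather than device output, and the golden file then pins the artefact as `"\u201dcloud/blacklist/whitelist\u201d"`. Replacing them with ASCII `"` keeps the fixture representative of what the key-value parsing will see in production. The fourth line (`action="PERMIT"`, `verdict-number="10"`, `malware-info="Testfile"`) comes out in the expected output as `event.kind: event` with only the `network` category, so a permitted file with the highest verdict in these samples raises no alert; if that is not intended, the tag handling in atp.yml (outside this hunk) needs a case for it.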
diff --git a/filebeat/module/junipersrx/firewall/test/atp.log-expected.json b/filebeat/module/junipersrx/firewall/test/atp.log-expected.json
new file mode 100644
index 000000000000..42ee8ec4fc5b
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/test/atp.log-expected.json
@@ -0,0 +1,208 @@ +[ + { + "@timestamp": "2013-12-14T14:06:59.134-02:00", + "client.ip": "10.10.10.1", + "client.port": 57116, + "destination.as.number": 28126, + "destination.as.organization.name": "BRISANET SERVICOS DE TELECOMUNICACOES LTDA", + "destination.geo.city_name": "Juazeiro do Norte", + "destination.geo.continent_name": "South America", + "destination.geo.country_iso_code": "BR", + "destination.geo.location.lat": -7.1467, + "destination.geo.location.lon": -39.247, + "destination.geo.region_iso_code": "BR-CE", + "destination.geo.region_name": "Ceara", + "destination.ip": "187.19.188.200", + "destination.port": 80, + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=\u201dcloud/blacklist/whitelist\u201d source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "BLOCK", + "junipersrx.firewall.file-category": "executable", + "junipersrx.firewall.policy-name": "argon_policy", + "junipersrx.firewall.process": "RT_AAMW", + "junipersrx.firewall.session-id-32": "50000002", + "junipersrx.firewall.tag": "SRX_AAMW_ACTION_LOG", + "junipersrx.firewall.verdict-number": "8", + "junipersrx.firewall.verdict-source": "\u201dcloud/blacklist/whitelist\u201d", + "log.level": "informational", + "log.offset": 0, + 
"network.iana_number": "6", + "observer.egress.zone": "trust", + "observer.ingress.zone": "untrust", + "observer.name": "pinarello", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "187.19.188.200", + "server.port": 80, + "service.type": "junipersrx", + "source.ip": "10.10.10.1", + "source.port": 57116, + "source.user.name": "user1", + "tags": [ + "junipersrx-firewall forwarded" + ], + "url.domain": "www.mytest.com" + }, + { + "@timestamp": "2016-09-20T15:43:30.330-02:00", + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.malware-info": "Eicar:TestVirus", + "junipersrx.firewall.process": "RT_AAMW", + "junipersrx.firewall.sample-sha256": "ABC123", + "junipersrx.firewall.tag": "AAMW_MALWARE_EVENT_LOG", + "junipersrx.firewall.tenant-id": "ABC123456", + "junipersrx.firewall.timestamp": "Thu Jun 23 09:55:38 2016", + "junipersrx.firewall.verdict-number": "9", + "log.level": "informational", + "log.offset": 529, + "observer.name": "host-example", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "service.type": "junipersrx", + "source.address": "host.example.com", + "source.ip": "192.0.2.0", + "source.user.name": "admin", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2016-09-20T15:40:30.050-02:00", + "event.category": [ + "network", + "malware" + ], + 
"event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.message": "malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123", + "junipersrx.firewall.policy-name": "default", + "junipersrx.firewall.process": "RT_AAMW", + "junipersrx.firewall.reason": "malware", + "junipersrx.firewall.state": "added", + "junipersrx.firewall.status": "in_progress", + "junipersrx.firewall.tag": "AAMW_HOST_INFECTED_EVENT_LOG", + "junipersrx.firewall.tenant-id": "ABC123456", + "junipersrx.firewall.th": "7", + "junipersrx.firewall.timestamp": "Thu Jun 23 09:55:38 2016", + "log.level": "error", + "log.offset": 835, + "observer.name": "host-example", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "service.type": "junipersrx", + "source.address": "host.example.com", + "source.ip": "192.0.2.0", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2007-02-15T07:17:15.719-02:00", + "client.ip": "1.1.1.1", + "client.port": 60148, + "destination.ip": "10.0.0.1", + "destination.port": 80, + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" 
source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"", + "event.outcome": "success", + "event.severity": "165", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "PERMIT", + "junipersrx.firewall.application": "HTTP", + "junipersrx.firewall.file-category": "executable", + "junipersrx.firewall.file-hash-lookup": "FALSE", + "junipersrx.firewall.file-name": "dummy_file", + "junipersrx.firewall.malware-info": "Testfile", + "junipersrx.firewall.policy-name": "test-policy", + "junipersrx.firewall.process": "RT_AAMW", + "junipersrx.firewall.sample-sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494", + "junipersrx.firewall.session-id-32": "502156", + "junipersrx.firewall.tag": "AAMW_ACTION_LOG", + "junipersrx.firewall.url": "dummy_url", + "junipersrx.firewall.verdict-number": "10", + "log.level": "notification", + "log.offset": 1235, + "network.iana_number": "6", + "observer.egress.zone": "Outside", + "observer.ingress.zone": "Inside", + "observer.name": "aamw1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "10.0.0.1", + "server.port": 80, + "service.type": "junipersrx", + "source.address": "dummy_host", + "source.as.number": 13335, + "source.as.organization.name": "Cloudflare, Inc.", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": "1.1.1.1", + "source.port": 60148, + 
"tags": [ + "junipersrx-firewall forwarded" + ] + } +] \ No newline at end of file diff --git a/filebeat/module/junipersrx/firewall/test/flow.log b/filebeat/module/junipersrx/firewall/test/flow.log new file mode 100644 index 000000000000..400bceceeeef --- /dev/null +++ b/filebeat/module/junipersrx/firewall/test/flow.log 
@@ -0,0 +1,25 @@
+<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address="10.0.0.1" source-port="594" destination-address="10.128.0.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="10.128.0.1" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]
+<14>1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]
+<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="1.2.3.4" source-port="56639" destination-address="5.6.7.8" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "]
+<14>1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="unset" source-address="1.2.3.4" source-port="63456" destination-address="5.6.7.8" destination-port="902" service-name="None" nat-source-address="1.2.3.4" nat-source-port="63456" nat-destination-address="5.6.7.8" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "]
+<14>1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address="50.0.0.100" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="50.0.0.100" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"]
+<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address="192.0.2.1" source-port="1" destination-address="198.51.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packet-incoming-interface="ge-0/0/1.0"]
+<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2626.192.0.2.1.40 reason="response received" source-address="192.0.2.1" source-port="1" destination-address="198.51.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"]
+<14>1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.3.255.203" source-port="47776" destination-address="8.23.224.110" destination-port="80" connection-tag="0" service-name="junos-http" nat-source-address="10.3.136.49" nat-source-port="19162" nat-destination-address="8.23.224.110" nat-destination-port="80" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="nat1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit_all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="5" packets-from-client="6" bytes-from-client="337" packets-from-server="4" bytes-from-server="535" elapsed-time="1" application="HTTP" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" application-category="Web" application-sub-category="N/A" application-risk="4" application-characteristics="Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;"]
+<14>1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason="TCP RST" source-address="192.168.2.164" source-port="53232" destination-address="172.16.1.19" destination-port="445" service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"]
+<14>1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.34 reason="idle Timeout" source-address="100.73.10.92" source-port="52890" destination-address="58.68.126.198" destination-port="53" service-name="junos-dns-udp" nat-source-address="58.78.140.131" nat-source-port="11152" nat-destination-address="58.68.126.198" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="NAT_S" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="NAT" source-zone-name="Gi_nat" destination-zone-name="Internet" session-id-32="220368889" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="136" elapsed-time="8" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.108" encrypted="UNKNOWN"]
+<14>1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="idle Timeout" source-address="192.168.255.2" source-port="62047" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" nat-source-address="192.168.0.47" nat-source-port="20215" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="rule001" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="trust-to-untrust-001" source-zone-name="trust" destination-zone-name="untrust" session-id-32="9621" packets-from-client="1" bytes-from-client="67" packets-from-server="1" bytes-from-server="116" elapsed-time="3" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/1.0" encrypted="UNKNOWN"]
+<14>1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="application failure or action" source-address="10.164.110.223" source-port="9057" destination-address="10.104.12.161" destination-port="21" service-name="junos-ftp" nat-source-address="10.9.1.150" nat-source-port="58020" nat-destination-address="10.12.70.1" nat-destination-port="21" src-nat-rule-name="SNAT-Policy5" dst-nat-rule-name="NAT-Policy10" protocol-id="6" policy-name="FW-FTP" source-zone-name="trust" destination-zone-name="untrust" session-id-32="24311" packets-from-client="0" bytes-from-client="0" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="No "]
+<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" username="N/A" roles="N/A" encrypted="N/A"]
+<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.41 source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="1" bytes-from-client="48" packets-from-server="0" bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="N/A"]
+<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="application failure or action" source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="3" bytes-from-client="144" packets-from-server="2" bytes-from-server="104" elapsed-time="1" username="N/A" roles="N/A" encrypted="N/A"]
+<14>1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address="50.0.0.100" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="50.0.0.100" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"]
+<14>1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]
+<14>1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="58943" destination-address="46.165.154.241" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="6018" nat-destination-address="46.165.154.241" nat-destination-port="80" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="16118" packets-from-client="42" bytes-from-client="2322" packets-from-server="34" bytes-from-server="2132" elapsed-time="60" username="N/A" roles="N/A" encrypted="No" destination-interface-name="ge-0/0/0.0" category="N/A" sub-category="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
+<14>1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="10.1.1.100" source-port="64720" destination-address="91.228.167.172" destination-port="8883" connection-tag="0" service-name="None" nat-source-address="172.19.34.100" nat-source-port="24519" nat-destination-address="91.228.167.172" nat-destination-port="8883" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="3851" packets-from-client="161" bytes-from-client="9530" packets-from-server="96" bytes-from-server="9670" elapsed-time="23755" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA NA" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
+<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="49583" destination-address="8.8.8.8" destination-port="53" connection-tag="0" service-name="junos-dns-udp" nat-source-address="172.19.34.100" nat-source-port="30838" nat-destination-address="8.8.8.8" nat-destination-port="53" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15399" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
+<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="Closed by junos-alg" source-address="10.1.1.100" source-port="63381" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="26764" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15361" packets-from-client="1" bytes-from-client="66" packets-from-server="1" bytes-from-server="82" elapsed-time="3" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="N/A" sub-category="N/A" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
diff --git a/filebeat/module/junipersrx/firewall/test/flow.log-expected.json b/filebeat/module/junipersrx/firewall/test/flow.log-expected.json
new file mode 100644
index 000000000000..5e7a13d7f227
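Review bot: Four of the added APPTRACK samples in flow.log (the 2013-01-19 lines stamped 15:18:18.040, 15:18:19.040 and 15:18:20.040, and the 2020-01-19 APPTRACK_SESSION_CLOSE_LS line) wrap their trailing values in typographic quotes, e.g. `destination-interface-name=”st0.0” apbr-rule-type=”default”`, while every other pair in the file uses ASCII `"`. This looks like a copy from rendered documentation rather than device output, so these fixtures probably exercise the parser on input a device would not send and leave `profile-name`, `rule-name`, `routing-instance`, `destination-interface-name` and `apbr-rule-type` without a valid sample. The key-value splitting itself is in the ingest pipeline, outside this hunk, so how it treats the curly quotes cannot be confirmed from here. I would rewrite those pairs with ASCII quotes, as in `destination-interface-name="st0.0" apbr-rule-type="default"`, and regenerate the expected JSON. If tolerance for malformed quoting is wanted, add a separate fixture line for it, because fields that silently fail to parse are also fields a detection rule cannot match on.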
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/test/flow.log-expected.json
@@ -0,0 +1,1956 @@ +[ + { + "@timestamp": "2019-11-14T06:37:51.184-02:00", + "client.ip": "10.0.0.1", + "client.nat.port": 594, + "client.port": 594, + "destination.ip": "10.128.0.1", + "destination.nat.ip": "10.128.0.1", + "destination.nat.port": 10400, + "destination.port": 10400, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.connection-tag": "0", + "junipersrx.firewall.nat-connection-tag": "0", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.service-name": "icmp", + "junipersrx.firewall.session-id-32": "6093", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 0, + "network.iana_number": "1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "st0.0", + "observer.ingress.zone": "vpn", + 
"observer.name": "SRX-GW1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.0.0.1", + "10.128.0.1", + "10.0.0.1", + "10.128.0.1" + ], + "rule.name": "vpn_trust_permit-all", + "server.ip": "10.128.0.1", + "server.nat.port": 10400, + "server.port": 10400, + "service.type": "junipersrx", + "source.ip": "10.0.0.1", + "source.nat.ip": "10.0.0.1", + "source.nat.port": 594, + "source.port": 594, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2019-11-14T08:12:46.573-02:00", + "client.ip": "10.0.0.26", + "client.port": 37233, + "destination.ip": "10.128.0.1", + "destination.port": 161, + "event.action": "flow_deny", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.connection-tag": "0", + "junipersrx.firewall.encrypted": "No", + "junipersrx.firewall.icmp-type": "0", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "Denied by policy", + "junipersrx.firewall.session-id-32": "7087", + "junipersrx.firewall.tag": 
"RT_FLOW_SESSION_DENY", + "log.level": "informational", + "log.offset": 850, + "network.iana_number": "17", + "observer.egress.zone": "junos-host", + "observer.ingress.interface.name": ".local..0", + "observer.ingress.zone": "trust", + "observer.name": "SRX-GW1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.0.0.26", + "10.128.0.1" + ], + "rule.name": "MgmtAccess-trust-cleanup", + "server.ip": "10.128.0.1", + "server.port": 161, + "service.type": "junipersrx", + "source.ip": "10.0.0.26", + "source.port": 37233, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2014-05-01T06:26:51.179-02:00", + "client.ip": "1.2.3.4", + "client.port": 56639, + "destination.as.number": 6805, + "destination.as.organization.name": "Telefonica Germany", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "5.6.7.8", + "destination.port": 2003, + "event.action": "flow_deny", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.encrypted": "No ", + "junipersrx.firewall.icmp-type": "0", + "junipersrx.firewall.process": "RT_FLOW", + 
"junipersrx.firewall.tag": "RT_FLOW_SESSION_DENY", + "log.level": "informational", + "log.offset": 1513, + "network.iana_number": "6", + "observer.egress.zone": "mngmt", + "observer.ingress.interface.name": "reth6.0", + "observer.ingress.zone": "campus", + "observer.name": "fw01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "rule.name": "log-all-else", + "server.ip": "5.6.7.8", + "server.port": 2003, + "service.type": "junipersrx", + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "source.port": 56639, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2014-05-01T06:28:10.933-02:00", + "client.bytes": 94, + "client.ip": "1.2.3.4", + "client.nat.port": 63456, + "client.packets": 1, + "client.port": 63456, + "destination.as.number": 6805, + "destination.as.organization.name": "Telefonica Germany", + "destination.bytes": 0, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "5.6.7.8", + "destination.nat.ip": "5.6.7.8", + "destination.nat.port": 902, + "destination.packets": 0, + "destination.port": 902, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 60000000000, + "event.end": "2014-05-01T06:29:10.933-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"unset\" source-address=\"1.2.3.4\" source-port=\"63456\" destination-address=\"5.6.7.8\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"1.2.3.4\" 
nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2014-05-01T06:28:10.933-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.encrypted": "No ", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "unset", + "junipersrx.firewall.session-id-32": "15353", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 1966, + "network.bytes": 94, + "network.iana_number": "17", + "network.packets": 1, + "observer.egress.zone": "intra", + "observer.ingress.interface.name": "reth3.5", + "observer.ingress.zone": "mngmt", + "observer.name": "fw01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "1.2.3.4", + "5.6.7.8", + "1.2.3.4", + "5.6.7.8" + ], + "rule.name": "mngmt-to-vcenter", + "server.bytes": 0, + "server.ip": "5.6.7.8", + "server.nat.port": 902, + "server.packets": 0, + "server.port": 902, + "service.type": "junipersrx", + "source.bytes": 94, + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "source.nat.ip": 
"1.2.3.4", + "source.nat.port": 63456, + "source.packets": 1, + "source.port": 63456, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2013-11-04T14:23:09.264-02:00", + "client.ip": "50.0.0.100", + "client.nat.port": 24065, + "client.port": 24065, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "30.0.0.100", + "destination.nat.ip": "30.0.0.100", + "destination.nat.port": 768, + "destination.port": 768, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.service-name": "icmp", + "junipersrx.firewall.session-id-32": "100000165", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 2721, + "network.iana_number": "1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "reth2.0", + "observer.ingress.zone": "untrust", + "observer.name": 
"cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "50.0.0.100", + "30.0.0.100", + "50.0.0.100", + "30.0.0.100" + ], + "rule.name": "alg-policy", + "server.ip": "30.0.0.100", + "server.nat.port": 768, + "server.port": 768, + "service.type": "junipersrx", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "50.0.0.100", + "source.nat.ip": "50.0.0.100", + "source.nat.port": 24065, + "source.port": 24065, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2010-09-30T04:55:04.323-02:00", + "client.ip": "192.0.2.1", + "client.nat.port": 1, + "client.port": 1, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "198.51.100.12", + "destination.nat.ip": "18.51.100.12", + "destination.nat.port": 46384, + "destination.port": 46384, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + 
"junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.service-name": "icmp", + "junipersrx.firewall.session-id-32": "41", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 3366, + "network.iana_number": "1", + "observer.egress.zone": "untrustZone", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "mrpp-srx550-dut01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.0.2.1", + "198.51.100.12", + "192.0.2.1", + "18.51.100.12" + ], + "rule.name": "policy1", + "server.ip": "198.51.100.12", + "server.nat.port": 46384, + "server.port": 46384, + "service.type": "junipersrx", + "source.ip": "192.0.2.1", + "source.nat.ip": "192.0.2.1", + "source.nat.port": 1, + "source.port": 1, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2010-09-30T04:55:07.188-02:00", + "client.bytes": 84, + "client.ip": "192.0.2.1", + "client.nat.port": 1, + "client.packets": 1, + "client.port": 1, + "destination.bytes": 84, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "198.51.100.12", + "destination.nat.ip": "18.51.100.12", + "destination.nat.port": 46384, + "destination.packets": 1, + "destination.port": 46384, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 0, + "event.end": "2010-09-30T04:55:07.188-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"response received\" source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" 
nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2010-09-30T04:55:07.188-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "response received", + "junipersrx.firewall.service-name": "icmp", + "junipersrx.firewall.session-id-32": "41", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 3933, + "network.bytes": 168, + "network.iana_number": "1", + "network.packets": 2, + "observer.egress.zone": "untrustZone", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "mrpp-srx550-dut01", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.0.2.1", + "198.51.100.12", + "192.0.2.1", + "18.51.100.12" + ], + "rule.name": "policy1", + "server.bytes": 84, + "server.ip": "198.51.100.12", + "server.nat.port": 46384, + "server.packets": 1, + "server.port": 46384, + "service.type": "junipersrx", + "source.bytes": 84, + "source.ip": "192.0.2.1", + "source.nat.ip": "192.0.2.1", + "source.nat.port": 1, + "source.packets": 1, + "source.port": 1, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2019-04-12T12:29:06.576-02:00", + "client.bytes": 337, + "client.ip": "10.3.255.203", + "client.nat.port": 19162, + "client.packets": 6, + "client.port": 47776, + "destination.as.number": 14627, + 
"destination.as.organization.name": "Vitalwerks Internet Solutions, LLC", + "destination.bytes": 535, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.23.224.110", + "destination.nat.ip": "8.23.224.110", + "destination.nat.port": 80, + "destination.packets": 4, + "destination.port": 80, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 1000000000, + "event.end": "2019-04-12T12:29:07.576-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"8.23.224.110\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"8.23.224.110\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"", + "event.outcome": "success", + "event.risk_score": "4", + "event.severity": "14", + "event.start": "2019-04-12T12:29:06.576-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + 
"allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.application": "HTTP", + "junipersrx.firewall.application-category": "Web", + "junipersrx.firewall.application-characteristics": "Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;", + "junipersrx.firewall.connection-tag": "0", + "junipersrx.firewall.encrypted": "No", + "junipersrx.firewall.nat-connection-tag": "0", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "TCP FIN", + "junipersrx.firewall.service-name": "junos-http", + "junipersrx.firewall.session-id-32": "5", + "junipersrx.firewall.src-nat-rule-name": "nat1", + "junipersrx.firewall.src-nat-rule-type": "source rule", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 4637, + "network.bytes": 872, + "network.iana_number": "6", + "network.packets": 10, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ge-0/0/0.0", + "observer.ingress.zone": "trust", + "observer.name": "cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.3.255.203", + "8.23.224.110", + "10.3.136.49", + "8.23.224.110" + ], + "rule.name": "permit_all", + "server.bytes": 535, + "server.ip": "8.23.224.110", + "server.nat.port": 80, + "server.packets": 4, + "server.port": 80, + "service.type": "junipersrx", + "source.bytes": 337, + "source.ip": "10.3.255.203", + "source.nat.ip": "10.3.136.49", + "source.nat.port": 19162, + "source.packets": 6, + "source.port": 47776, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2019-04-13T12:33:06.576-02:00", + "client.bytes": 4274, + "client.ip": "192.168.2.164", + "client.nat.port": 53232, + "client.packets": 13, + "client.port": 53232, + "destination.bytes": 1575, + "destination.ip": "172.16.1.19", + "destination.nat.ip": 
"172.16.1.19", + "destination.nat.port": 445, + "destination.packets": 9, + "destination.port": 445, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 16000000000, + "event.end": "2019-04-13T12:33:22.576-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2019-04-13T12:33:06.576-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "TCP RST", + "junipersrx.firewall.service-name": "junos-smb", + "junipersrx.firewall.session-id-32": "206", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 5739, + "network.bytes": 5849, + "network.iana_number": "6", + "network.packets": 22, + "observer.egress.zone": "Trust", + "observer.ingress.interface.name": "ge-0/0/2.0", + "observer.ingress.zone": "Trust", + "observer.name": "cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.2.164", + 
"172.16.1.19", + "192.168.2.164", + "172.16.1.19" + ], + "rule.name": "35", + "server.bytes": 1575, + "server.ip": "172.16.1.19", + "server.nat.port": 445, + "server.packets": 9, + "server.port": 445, + "service.type": "junipersrx", + "source.bytes": 4274, + "source.ip": "192.168.2.164", + "source.nat.ip": "192.168.2.164", + "source.nat.port": 53232, + "source.packets": 13, + "source.port": 53232, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2018-10-06T23:32:20.898-02:00", + "client.bytes": 72, + "client.ip": "100.73.10.92", + "client.nat.port": 11152, + "client.packets": 1, + "client.port": 52890, + "destination.as.number": 10201, + "destination.as.organization.name": "Dishnet Wireless Limited. Broadband Wireless", + "destination.bytes": 136, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "IN", + "destination.geo.location.lat": 20.0, + "destination.geo.location.lon": 77.0, + "destination.ip": "58.68.126.198", + "destination.nat.ip": "58.68.126.198", + "destination.nat.port": 53, + "destination.packets": 1, + "destination.port": 53, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 8000000000, + "event.end": "2018-10-06T23:32:28.898-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"idle Timeout\" source-address=\"100.73.10.92\" source-port=\"52890\" destination-address=\"58.68.126.198\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"58.78.140.131\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" 
packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2018-10-06T23:32:20.898-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "idle Timeout", + "junipersrx.firewall.service-name": "junos-dns-udp", + "junipersrx.firewall.session-id-32": "220368889", + "junipersrx.firewall.src-nat-rule-name": "NAT_S", + "junipersrx.firewall.src-nat-rule-type": "source rule", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 6497, + "network.bytes": 208, + "network.iana_number": "17", + "network.packets": 2, + "observer.egress.zone": "Internet", + "observer.ingress.interface.name": "reth0.108", + "observer.ingress.zone": "Gi_nat", + "observer.name": "TestFW2", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "100.73.10.92", + "58.68.126.198", + "58.78.140.131", + "58.68.126.198" + ], + "rule.name": "NAT", + "server.bytes": 136, + "server.ip": "58.68.126.198", + "server.nat.port": 53, + "server.packets": 1, + "server.port": 53, + "service.type": "junipersrx", + "source.as.number": 3786, + "source.as.organization.name": "LG DACOM Corporation", + "source.bytes": 72, + "source.geo.city_name": "Seogwipo", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "KR", + "source.geo.location.lat": 33.2486, + "source.geo.location.lon": 126.5628, + "source.geo.region_iso_code": "KR-49", + "source.geo.region_name": "Jeju-do", + "source.ip": "100.73.10.92", + "source.nat.ip": "58.78.140.131", + "source.nat.port": 11152, + "source.packets": 1, + 
"source.port": 52890, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2018-06-30T00:17:22.753-02:00", + "client.bytes": 67, + "client.ip": "192.168.255.2", + "client.nat.port": 20215, + "client.packets": 1, + "client.port": 62047, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 116, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.ip": "8.8.8.8", + "destination.nat.port": 53, + "destination.packets": 1, + "destination.port": 53, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 3000000000, + "event.end": "2018-06-30T00:17:25.753-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2018-06-30T00:17:22.753-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + 
"fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "idle Timeout", + "junipersrx.firewall.service-name": "junos-dns-udp", + "junipersrx.firewall.session-id-32": "9621", + "junipersrx.firewall.src-nat-rule-name": "rule001", + "junipersrx.firewall.src-nat-rule-type": "source rule", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 7350, + "network.bytes": 183, + "network.iana_number": "17", + "network.packets": 2, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "fe-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "fw0001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.255.2", + "8.8.8.8", + "192.168.0.47", + "8.8.8.8" + ], + "rule.name": "trust-to-untrust-001", + "server.bytes": 116, + "server.ip": "8.8.8.8", + "server.nat.port": 53, + "server.packets": 1, + "server.port": 53, + "service.type": "junipersrx", + "source.bytes": 67, + "source.ip": "192.168.255.2", + "source.nat.ip": "192.168.0.47", + "source.nat.port": 20215, + "source.packets": 1, + "source.port": 62047, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2015-09-25T12:19:53.846-02:00", + "client.bytes": 0, + "client.ip": "10.164.110.223", + "client.nat.port": 58020, + "client.packets": 0, + "client.port": 9057, + "destination.bytes": 0, + "destination.ip": "10.104.12.161", + "destination.nat.ip": "10.12.70.1", + "destination.nat.port": 21, + "destination.packets": 0, + "destination.port": 21, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 1000000000, + "event.end": "2015-09-25T12:19:54.846-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"application failure or action\" source-address=\"10.164.110.223\" 
source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2015-09-25T12:19:53.846-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.dst-nat-rule-name": "NAT-Policy10", + "junipersrx.firewall.encrypted": "No ", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "application failure or action", + "junipersrx.firewall.service-name": "junos-ftp", + "junipersrx.firewall.session-id-32": "24311", + "junipersrx.firewall.src-nat-rule-name": "SNAT-Policy5", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 8203, + "network.bytes": 0, + "network.iana_number": "6", + "network.packets": 0, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "reth0.0", + "observer.ingress.zone": "trust", + "observer.name": "VPNBox-A", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.164.110.223", + "10.104.12.161", + "10.9.1.150", + "10.12.70.1" + ], + "rule.name": "FW-FTP", + "server.bytes": 0, + "server.ip": "10.104.12.161", + "server.nat.port": 21, + "server.packets": 0, + "server.port": 21, + "service.type": 
"junipersrx", + "source.bytes": 0, + "source.ip": "10.164.110.223", + "source.nat.ip": "10.9.1.150", + "source.nat.port": 58020, + "source.packets": 0, + "source.port": 9057, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:17.040-02:00", + "client.ip": "192.168.224.30", + "client.nat.port": 14406, + "client.port": 3129, + "destination.as.number": 701, + "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "207.17.137.56", + "destination.nat.ip": "207.17.137.56", + "destination.nat.port": 21, + "destination.port": 21, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.service-name": "junos-ftp", + "junipersrx.firewall.session-id-32": "5058", + "junipersrx.firewall.src-nat-rule-name": "1", + "junipersrx.firewall.tag": 
"APPTRACK_SESSION_CREATE", + "log.level": "informational", + "log.offset": 9012, + "network.iana_number": "6", + "observer.egress.zone": "Danger", + "observer.ingress.zone": "LAN", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ], + "rule.name": "General-Outbound", + "server.ip": "207.17.137.56", + "server.nat.port": 21, + "server.port": 21, + "service.type": "junipersrx", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "Plymouth", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 42.3695, + "source.geo.location.lon": -83.4769, + "source.geo.region_iso_code": "US-MI", + "source.geo.region_name": "Michigan", + "source.ip": "192.168.224.30", + "source.nat.ip": "173.167.224.7", + "source.nat.port": 14406, + "source.port": 3129, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:17.040-02:00", + "client.bytes": 48, + "client.ip": "192.168.224.30", + "client.nat.port": 14406, + "client.packets": 1, + "client.port": 3129, + "destination.as.number": 701, + "destination.as.organization.name": "MCI Communications Services, Inc. 
d/b/a Verizon Business", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "207.17.137.56", + "destination.nat.ip": "207.17.137.56", + "destination.nat.port": 21, + "destination.packets": 0, + "destination.port": 21, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 0, + "event.end": "2013-01-19T15:18:17.040-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:17.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.service-name": "junos-ftp", + "junipersrx.firewall.session-id-32": "5058", + "junipersrx.firewall.src-nat-rule-name": "1", + "junipersrx.firewall.tag": "APPTRACK_SESSION_VOL_UPDATE", + "log.level": "informational", + "log.offset": 9631, + "network.bytes": 48, + "network.iana_number": "6", + "network.packets": 1, + 
"observer.egress.zone": "Danger", + "observer.ingress.zone": "LAN", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ], + "rule.name": "General-Outbound", + "server.bytes": 0, + "server.ip": "207.17.137.56", + "server.nat.port": 21, + "server.packets": 0, + "server.port": 21, + "service.type": "junipersrx", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.bytes": 48, + "source.geo.city_name": "Plymouth", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 42.3695, + "source.geo.location.lon": -83.4769, + "source.geo.region_iso_code": "US-MI", + "source.geo.region_name": "Michigan", + "source.ip": "192.168.224.30", + "source.nat.ip": "173.167.224.7", + "source.nat.port": 14406, + "source.packets": 1, + "source.port": 3129, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:17.040-02:00", + "client.bytes": 144, + "client.ip": "192.168.224.30", + "client.nat.port": 14406, + "client.packets": 3, + "client.port": 3129, + "destination.as.number": 701, + "destination.as.organization.name": "MCI Communications Services, Inc. 
d/b/a Verizon Business", + "destination.bytes": 104, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "207.17.137.56", + "destination.nat.ip": "207.17.137.56", + "destination.nat.port": 21, + "destination.packets": 2, + "destination.port": 21, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 1000000000, + "event.end": "2013-01-19T15:18:18.040-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:17.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.application": "FTP", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "application failure or action", + "junipersrx.firewall.service-name": "junos-ftp", + "junipersrx.firewall.session-id-32": "5058", + "junipersrx.firewall.src-nat-rule-name": "1", + "junipersrx.firewall.tag": "APPTRACK_SESSION_CLOSE", + 
"log.level": "informational", + "log.offset": 10364, + "network.bytes": 248, + "network.iana_number": "6", + "network.packets": 5, + "observer.egress.zone": "Danger", + "observer.ingress.zone": "LAN", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ], + "rule.name": "General-Outbound", + "server.bytes": 104, + "server.ip": "207.17.137.56", + "server.nat.port": 21, + "server.packets": 2, + "server.port": 21, + "service.type": "junipersrx", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.bytes": 144, + "source.geo.city_name": "Plymouth", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 42.3695, + "source.geo.location.lon": -83.4769, + "source.geo.region_iso_code": "US-MI", + "source.geo.region_name": "Michigan", + "source.ip": "192.168.224.30", + "source.nat.ip": "173.167.224.7", + "source.nat.port": 14406, + "source.packets": 3, + "source.port": 3129, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:18.040-02:00", + "client.bytes": 19592, + "client.ip": "4.0.0.1", + "client.nat.port": 33040, + "client.packets": 371, + "client.port": 33040, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.bytes": 686432, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.packets": 584, + "destination.port": 80, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 60000000000, + 
"event.end": "2013-01-19T15:19:18.040-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:18.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.apbr-rule-type": "\u201ddefault\u201d", + "junipersrx.firewall.application": "HTTP", + "junipersrx.firewall.encrypted": "No", + "junipersrx.firewall.nested-application": "FACEBOOK-SOCIALRSS", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.roles": "DEPT1", + "junipersrx.firewall.service-name": "junos-http", + "junipersrx.firewall.session-id-32": "28", + "junipersrx.firewall.tag": "APPTRACK_SESSION_VOL_UPDATE", + "log.level": "informational", + "log.offset": 11130, + "network.bytes": 706024, + "network.iana_number": "6", + "network.packets": 955, + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + 
"related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.bytes": 686432, + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.packets": 584, + "server.port": 80, + "service.type": "junipersrx", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.bytes": 19592, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 33040, + "source.packets": 371, + "source.port": 33040, + "source.user.name": "user1", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:19.040-02:00", + "client.ip": "4.0.0.1", + "client.nat.port": 33040, + "client.port": 33040, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.port": 80, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" 
profile-name=\u201dpf1\u201d rule-name=\u201dfacebook1\u201d routing-instance=\u201dinstance1\u201d destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.apbr-rule-type": "\u201ddefault\u201d", + "junipersrx.firewall.application": "HTTP", + "junipersrx.firewall.encrypted": "No", + "junipersrx.firewall.nested-application": "FACEBOOK-SOCIALRSS", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.profile-name": "\u201dpf1\u201d", + "junipersrx.firewall.roles": "DEPT1", + "junipersrx.firewall.routing-instance": "\u201dinstance1\u201d", + "junipersrx.firewall.rule-name": "\u201dfacebook1\u201d", + "junipersrx.firewall.service-name": "junos-http", + "junipersrx.firewall.session-id-32": "28", + "junipersrx.firewall.tag": "APPTRACK_SESSION_ROUTE_UPDATE", + "log.level": "informational", + "log.offset": 11929, + "network.iana_number": "6", + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.port": 80, + "service.type": "junipersrx", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 33040, + "source.port": 33040, + "source.user.name": "user1", + "tags": [ + "junipersrx-firewall 
forwarded" + ] + }, + { + "@timestamp": "2013-01-19T15:18:20.040-02:00", + "client.bytes": 392, + "client.ip": "4.0.0.1", + "client.nat.port": 48873, + "client.packets": 5, + "client.port": 48873, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.bytes": 646, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.packets": 3, + "destination.port": 80, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 3000000000, + "event.end": "2013-01-19T15:18:23.040-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2013-01-19T15:18:20.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.apbr-rule-type": "\u201ddefault\u201d", + 
"junipersrx.firewall.encrypted": "No", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "TCP CLIENT RST", + "junipersrx.firewall.roles": "DEPT1", + "junipersrx.firewall.service-name": "junos-http", + "junipersrx.firewall.session-id-32": "32", + "junipersrx.firewall.tag": "APPTRACK_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 12689, + "network.bytes": 1038, + "network.iana_number": "6", + "network.packets": 8, + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.bytes": 646, + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.packets": 3, + "server.port": 80, + "service.type": "junipersrx", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.bytes": 392, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 48873, + "source.packets": 5, + "source.port": 48873, + "source.user.name": "user1", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2020-11-04T14:23:09.264-02:00", + "client.ip": "50.0.0.100", + "client.nat.port": 24065, + "client.port": 24065, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "30.0.0.100", + "destination.nat.ip": "30.0.0.100", + "destination.nat.port": 768, + "destination.port": 768, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": 
"junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.service-name": "icmp", + "junipersrx.firewall.session-id-32": "100000165", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CREATE_LS", + "log.level": "informational", + "log.offset": 13489, + "network.iana_number": "1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "reth2.0", + "observer.ingress.zone": "untrust", + "observer.name": "cixi", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "50.0.0.100", + "30.0.0.100", + "50.0.0.100", + "30.0.0.100" + ], + "rule.name": "alg-policy", + "server.ip": "30.0.0.100", + "server.nat.port": 768, + "server.port": 768, + "service.type": "junipersrx", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "50.0.0.100", + "source.nat.ip": "50.0.0.100", + "source.nat.port": 24065, + "source.port": 24065, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": 
"2020-11-14T08:12:46.573-02:00", + "client.ip": "10.0.0.26", + "client.port": 37233, + "destination.ip": "10.128.0.1", + "destination.port": 161, + "event.action": "flow_deny", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.connection-tag": "0", + "junipersrx.firewall.encrypted": "No", + "junipersrx.firewall.icmp-type": "0", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "Denied by policy", + "junipersrx.firewall.session-id-32": "7087", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_DENY_LS", + "log.level": "informational", + "log.offset": 14137, + "network.iana_number": "17", + "observer.egress.zone": "junos-host", + "observer.ingress.interface.name": ".local..0", + "observer.ingress.zone": "trust", + "observer.name": "SRX-GW1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.0.0.26", + "10.128.0.1" + ], + "rule.name": "MgmtAccess-trust-cleanup", + "server.ip": "10.128.0.1", + "server.port": 161, + "service.type": 
"junipersrx", + "source.ip": "10.0.0.26", + "source.port": 37233, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2020-01-19T15:18:20.040-02:00", + "client.bytes": 392, + "client.ip": "4.0.0.1", + "client.nat.port": 48873, + "client.packets": 5, + "client.port": 48873, + "destination.as.number": 29256, + "destination.as.organization.name": "Syrian Telecom", + "destination.bytes": 646, + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "SY", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 38.0, + "destination.ip": "5.0.0.1", + "destination.nat.ip": "5.0.0.1", + "destination.nat.port": 80, + "destination.packets": 3, + "destination.port": 80, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 3000000000, + "event.end": "2020-01-19T15:18:23.040-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2020-01-19T15:18:20.040-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": 
"firewall", + "input.type": "log", + "junipersrx.firewall.apbr-rule-type": "\u201ddefault\u201d", + "junipersrx.firewall.encrypted": "No", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "TCP CLIENT RST", + "junipersrx.firewall.roles": "DEPT1", + "junipersrx.firewall.service-name": "junos-http", + "junipersrx.firewall.session-id-32": "32", + "junipersrx.firewall.tag": "APPTRACK_SESSION_CLOSE_LS", + "log.level": "informational", + "log.offset": 14803, + "network.bytes": 1038, + "network.iana_number": "6", + "network.packets": 8, + "observer.egress.interface.name": "\u201dst0.0\u201d", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ], + "rule.name": "permit-all", + "server.bytes": 646, + "server.ip": "5.0.0.1", + "server.nat.port": 80, + "server.packets": 3, + "server.port": 80, + "service.type": "junipersrx", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.bytes": 392, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.0.0.1", + "source.nat.ip": "4.0.0.1", + "source.nat.port": 48873, + "source.packets": 5, + "source.port": 48873, + "source.user.name": "user1", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2020-07-14T12:17:11.928-02:00", + "client.bytes": 2322, + "client.ip": "10.1.1.100", + "client.nat.port": 6018, + "client.packets": 42, + "client.port": 58943, + "destination.as.number": 42652, + "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", + "destination.bytes": 2132, + "destination.geo.city_name": "Philippsburg", + "destination.geo.continent_name": "Europe", + 
"destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 49.2317, + "destination.geo.location.lon": 8.4607, + "destination.geo.region_iso_code": "DE-BW", + "destination.geo.region_name": "Baden-W\u00fcrttemberg", + "destination.ip": "46.165.154.241", + "destination.nat.ip": "46.165.154.241", + "destination.nat.port": 80, + "destination.packets": 34, + "destination.port": 80, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 60000000000, + "event.end": "2020-07-14T12:18:11.928-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"46.165.154.241\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"46.165.154.241\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2020-07-14T12:17:11.928-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.encrypted": "No", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.service-name": "junos-http", + "junipersrx.firewall.session-id-32": "16118", + "junipersrx.firewall.src-nat-rule-name": "our-nat-rule", + 
"junipersrx.firewall.tag": "APPTRACK_SESSION_VOL_UPDATE", + "log.level": "informational", + "log.offset": 15606, + "network.bytes": 4454, + "network.iana_number": "6", + "network.packets": 76, + "observer.egress.interface.name": "ge-0/0/0.0", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "46.165.154.241", + "172.19.34.100", + "46.165.154.241" + ], + "rule.name": "default-permit", + "server.bytes": 2132, + "server.ip": "46.165.154.241", + "server.nat.port": 80, + "server.packets": 34, + "server.port": 80, + "service.type": "junipersrx", + "source.bytes": 2322, + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 6018, + "source.packets": 42, + "source.port": 58943, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2020-07-13T14:43:05.041-02:00", + "client.bytes": 9530, + "client.ip": "10.1.1.100", + "client.nat.port": 24519, + "client.packets": 161, + "client.port": 64720, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. 
s r.o.", + "destination.bytes": 9670, + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.167.172", + "destination.nat.ip": "91.228.167.172", + "destination.nat.port": 8883, + "destination.packets": 96, + "destination.port": 8883, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 23755000000000, + "event.end": "2020-07-13T21:19:00.041-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"91.228.167.172\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"91.228.167.172\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" 
src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.start": "2020-07-13T14:43:05.041-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.connection-tag": "0", + "junipersrx.firewall.hostname": "NA NA", + "junipersrx.firewall.nat-connection-tag": "0", + "junipersrx.firewall.peer-destination-address": "0.0.0.0", + "junipersrx.firewall.peer-destination-port": "0", + "junipersrx.firewall.peer-session-id": "0", + "junipersrx.firewall.peer-source-address": "0.0.0.0", + "junipersrx.firewall.peer-source-port": "0", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "idle Timeout", + "junipersrx.firewall.secure-web-proxy-session-type": "NA", + "junipersrx.firewall.session-id-32": "3851", + "junipersrx.firewall.src-nat-rule-name": "our-nat-rule", + "junipersrx.firewall.src-nat-rule-type": "source rule", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "log.level": "informational", + "log.offset": 16469, + "network.bytes": 19200, + "network.iana_number": "6", + "network.packets": 257, + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "91.228.167.172", + "172.19.34.100", + "91.228.167.172" + ], + "rule.name": "default-permit", + "server.bytes": 9670, + "server.ip": "91.228.167.172", + "server.nat.port": 8883, + "server.packets": 96, + "server.port": 8883, + "service.type": "junipersrx", + "source.bytes": 9530, + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 24519, + "source.packets": 161, + "source.port": 64720, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + 
"@timestamp": "2020-07-13T14:12:05.530-02:00", + "client.ip": "10.1.1.100", + "client.nat.port": 30838, + "client.port": 49583, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.ip": "8.8.8.8", + "destination.nat.port": 53, + "destination.port": 53, + "event.action": "flow_started", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.risk_score": "1", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.connection-tag": "0", + "junipersrx.firewall.nat-connection-tag": "0", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.service-name": 
"junos-dns-udp", + "junipersrx.firewall.session-id-32": "15399", + "junipersrx.firewall.src-nat-rule-name": "our-nat-rule", + "junipersrx.firewall.src-nat-rule-type": "source rule", + "junipersrx.firewall.tag": "RT_FLOW_SESSION_CREATE", + "log.level": "informational", + "log.offset": 17715, + "network.iana_number": "17", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "8.8.8.8", + "172.19.34.100", + "8.8.8.8" + ], + "rule.name": "default-permit", + "server.ip": "8.8.8.8", + "server.nat.port": 53, + "server.port": 53, + "service.type": "junipersrx", + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 30838, + "source.port": 49583, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2020-07-13T14:12:05.530-02:00", + "client.bytes": 66, + "client.ip": "10.1.1.100", + "client.nat.port": 26764, + "client.packets": 1, + "client.port": 63381, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 82, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.ip": "8.8.8.8", + "destination.nat.port": 53, + "destination.packets": 1, + "destination.port": 53, + "event.action": "flow_close", + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 3000000000, + "event.end": "2020-07-13T14:12:08.530-02:00", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"8.8.8.8\" destination-port=\"53\" 
service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.start": "2020-07-13T14:12:05.530-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.encrypted": "No", + "junipersrx.firewall.process": "RT_FLOW", + "junipersrx.firewall.reason": "Closed by junos-alg", + "junipersrx.firewall.routing-instance": "default", + "junipersrx.firewall.service-name": "junos-dns-udp", + "junipersrx.firewall.session-id-32": "15361", + "junipersrx.firewall.src-nat-rule-name": "our-nat-rule", + "junipersrx.firewall.tag": "APPTRACK_SESSION_CLOSE", + "junipersrx.firewall.uplink-rx-bytes": "0", + "junipersrx.firewall.uplink-tx-bytes": "0", + "log.level": "informational", + "log.offset": 18627, + "network.bytes": 148, + "network.iana_number": "17", + "network.packets": 2, + "observer.egress.interface.name": "ge-0/0/0.0", + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX100HM", + "observer.product": "SRX", + "observer.type": 
"firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "8.8.8.8", + "172.19.34.100", + "8.8.8.8" + ], + "rule.name": "default-permit", + "server.bytes": 82, + "server.ip": "8.8.8.8", + "server.nat.port": 53, + "server.packets": 1, + "server.port": 53, + "service.type": "junipersrx", + "source.bytes": 66, + "source.ip": "10.1.1.100", + "source.nat.ip": "172.19.34.100", + "source.nat.port": 26764, + "source.packets": 1, + "source.port": 63381, + "tags": [ + "junipersrx-firewall forwarded" + ] + } +] \ No newline at end of file diff --git a/filebeat/module/junipersrx/firewall/test/idp.log b/filebeat/module/junipersrx/firewall/test/idp.log new file mode 100644 index 000000000000..513cc77cc4c7 --- /dev/null +++ b/filebeat/module/junipersrx/firewall/test/idp.log 
@@ -0,0 +1,7 @@
+<165>1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="HTTP:MISC:GENERIC-DIR-TRAVERSAL" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"]
+<165>1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="CRITICAL" attack-name="TCP:C2S:AMBIG:C2S-SYN-DATA" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"]
+<165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.111.1" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.19.13.11" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]
+<165>1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.30.11" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.16.1.10" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]
+<165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319367986" ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"]
+<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="rethO.O" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="O" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="O" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"]
+<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.O" source-address="193.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="rethO.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="O" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="O" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"]
diff --git a/filebeat/module/junipersrx/firewall/test/idp.log-expected.json b/filebeat/module/junipersrx/firewall/test/idp.log-expected.json
new file mode 100644
index 000000000000..d7abd7fbb8a4
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/test/idp.log-expected.json
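Review bot: The two `IDP_APPDDOS_APP_ATTACK_EVENT` samples (lines 6 and 7 of idp.log) look transcribed rather than captured from a device. They carry the letter `O` where a digit is expected (`reth1.O`, `rethO.O`, `repeat-count="O"`, `context-value-hit-rate="O"`) and the key `ruleebase-name`, where the other five samples use `rulebase-name`. With the misspelled key, whatever handling the pipeline gives `rulebase-name` is presumably never exercised for the AppDDoS attack events, and the golden file will record the typo's output as correct. I would fix these to `rulebase-name="DDOS"`, `repeat-count="0"` and `reth1.0` / `reth0.0`, or replace them with real captures. The third sample also pairs a 2007 header timestamp with `epoch-time="1507845354"`, the same epoch as the 2017 sample after it, so it is worth confirming that mismatch is deliberate.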
@@ -0,0 +1,487 @@ +[ + { + "@timestamp": "2020-03-02T21:13:03.193-02:00", + "client.bytes": 0, + "client.ip": "10.11.11.1", + "client.nat.port": 13312, + "client.port": 12345, + "destination.bytes": 0, + "destination.ip": "187.188.188.10", + "destination.nat.ip": "3.3.10.11", + "destination.nat.port": 9757, + "destination.packets": 0, + "destination.port": 123, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 0, + "event.end": "2020-03-02T21:13:03.193-02:00", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2020-03-02T21:13:03.193-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "DROP", + "junipersrx.firewall.alert": "no", + "junipersrx.firewall.application-name": "HTTP", + "junipersrx.firewall.attack-name": 
"HTTP:MISC:GENERIC-DIR-TRAVERSAL", + "junipersrx.firewall.epoch-time": "1583190783", + "junipersrx.firewall.export-id": "20175", + "junipersrx.firewall.index": "cnm", + "junipersrx.firewall.message-type": "SIG", + "junipersrx.firewall.packet-log-id": "0", + "junipersrx.firewall.policy-name": "Recommended", + "junipersrx.firewall.process": "RT_IDP", + "junipersrx.firewall.repeat-count": "0", + "junipersrx.firewall.service-name": "SERVICE_IDP", + "junipersrx.firewall.tag": "IDP_ATTACK_LOG_EVENT", + "junipersrx.firewall.threat-severity": "HIGH", + "junipersrx.firewall.type": "idp", + "log.level": "notification", + "log.offset": 0, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth2.21", + "observer.egress.zone": "DMZ", + "observer.ingress.interface.name": "reth1.24", + "observer.ingress.zone": "UNTRUST", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "rule.id": "3", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "187.188.188.10", + "server.nat.port": 9757, + "server.packets": 0, + "server.port": 123, + "service.type": "junipersrx", + "source.bytes": 0, + "source.ip": "10.11.11.1", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 13312, + "source.port": 12345, + "source.user.name": "unknown-user", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2020-03-02T21:13:03.197-02:00", + "client.bytes": 0, + "client.ip": "10.11.11.1", + "client.nat.port": 13312, + "client.port": 12345, + "destination.bytes": 0, + "destination.ip": "187.188.188.10", + "destination.nat.ip": "3.3.10.11", + "destination.nat.port": 9757, + "destination.packets": 0, + "destination.port": 123, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 0, + "event.end": "2020-03-02T21:13:03.197-02:00", + "event.kind": "alert", + "event.module": "junipersrx", + 
"event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2020-03-02T21:13:03.197-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "DROP", + "junipersrx.firewall.alert": "no", + "junipersrx.firewall.application-name": "HTTP", + "junipersrx.firewall.attack-name": "TCP:C2S:AMBIG:C2S-SYN-DATA", + "junipersrx.firewall.epoch-time": "1583190783", + "junipersrx.firewall.export-id": "20175", + "junipersrx.firewall.index": "cnm", + "junipersrx.firewall.message-type": "SIG", + "junipersrx.firewall.packet-log-id": "0", + "junipersrx.firewall.policy-name": "Recommended", + "junipersrx.firewall.process": "RT_IDP", + "junipersrx.firewall.repeat-count": "0", + "junipersrx.firewall.service-name": "SERVICE_IDP", + "junipersrx.firewall.tag": "IDP_ATTACK_LOG_EVENT", + "junipersrx.firewall.threat-severity": "CRITICAL", + "junipersrx.firewall.type": "idp", + "log.level": "notification", + "log.offset": 929, + 
"network.protocol": "TCP", + "observer.egress.interface.name": "reth2.21", + "observer.egress.zone": "DMZ", + "observer.ingress.interface.name": "reth1.24", + "observer.ingress.zone": "UNTRUST", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "rule.id": "3", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "187.188.188.10", + "server.nat.port": 9757, + "server.packets": 0, + "server.port": 123, + "service.type": "junipersrx", + "source.bytes": 0, + "source.ip": "10.11.11.1", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 13312, + "source.port": 12345, + "source.user.name": "unknown-user", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2007-02-15T07:17:15.719-02:00", + "client.bytes": 0, + "client.ip": "183.78.180.27", + "client.nat.port": 0, + "client.port": 45610, + "destination.bytes": 0, + "destination.ip": "118.127.111.1", + "destination.nat.ip": "172.19.13.11", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 80, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 0, + "event.end": "2007-02-15T07:17:15.719-02:00", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.111.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" 
outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2007-02-15T07:17:15.719-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "DROP", + "junipersrx.firewall.alert": "no", + "junipersrx.firewall.application-name": "HTTP", + "junipersrx.firewall.attack-name": "TROJAN:ZMEU-BOT-SCAN", + "junipersrx.firewall.epoch-time": "1507845354", + "junipersrx.firewall.export-id": "15229", + "junipersrx.firewall.message-type": "SIG", + "junipersrx.firewall.packet-log-id": "0", + "junipersrx.firewall.policy-name": "Recommended", + "junipersrx.firewall.process": "RT_IDP", + "junipersrx.firewall.repeat-count": "0", + "junipersrx.firewall.service-name": "SERVICE_IDP", + "junipersrx.firewall.tag": "IDP_ATTACK_LOG_EVENT", + "junipersrx.firewall.threat-severity": "HIGH", + "log.level": "notification", + "log.offset": 1857, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth1.1", + "observer.egress.zone": "dst-sec-zone1-outside", + "observer.ingress.interface.name": "reth0.11", + "observer.ingress.zone": "sec-zone-name-internet", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "rule.id": "9", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "118.127.111.1", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 80, + "service.type": "junipersrx", + "source.bytes": 0, + "source.ip": "183.78.180.27", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 0, + "source.port": 45610, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": 
"2017-10-12T19:55:55.792-02:00", + "client.bytes": 0, + "client.ip": "183.78.180.27", + "client.nat.port": 0, + "client.port": 45610, + "destination.bytes": 0, + "destination.ip": "118.127.30.11", + "destination.nat.ip": "172.16.1.10", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 80, + "event.action": "security_threat", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.duration": 0, + "event.end": "2017-10-12T19:55:55.792-02:00", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.30.11\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", + "event.outcome": "success", + "event.severity": "165", + "event.start": "2017-10-12T19:55:55.792-02:00", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "DROP", + "junipersrx.firewall.alert": "no", + "junipersrx.firewall.application-name": "HTTP", + "junipersrx.firewall.attack-name": "TROJAN:ZMEU-BOT-SCAN", + "junipersrx.firewall.epoch-time": "1507845354", + 
"junipersrx.firewall.export-id": "15229", + "junipersrx.firewall.message-type": "SIG", + "junipersrx.firewall.packet-log-id": "0", + "junipersrx.firewall.policy-name": "Recommended", + "junipersrx.firewall.process": "RT_IDP", + "junipersrx.firewall.repeat-count": "0", + "junipersrx.firewall.service-name": "SERVICE_IDP", + "junipersrx.firewall.tag": "IDP_ATTACK_LOG_EVENT", + "junipersrx.firewall.threat-severity": "HIGH", + "log.level": "notification", + "log.offset": 2773, + "network.protocol": "TCP", + "observer.egress.interface.name": "reth1.1", + "observer.egress.zone": "dst-sec-zone1-outside", + "observer.ingress.interface.name": "reth0.11", + "observer.ingress.zone": "sec-zone-name-internet", + "observer.name": "idp1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "rule.id": "9", + "rule.name": "IPS", + "server.bytes": 0, + "server.ip": "118.127.30.11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 80, + "service.type": "junipersrx", + "source.bytes": 0, + "source.ip": "183.78.180.27", + "source.nat.ip": "0.0.0.0", + "source.nat.port": 0, + "source.port": 45610, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2011-10-23T02:06:26.544-02:00", + "destination.ip": "172.27.14.203", + "destination.port": 80, + "event.action": "application_ddos", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"", + "event.outcome": "success", + "event.severity": "165", 
+ "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.ddos-application-name": "Webserver", + "junipersrx.firewall.epoch-time": "1319367986", + "junipersrx.firewall.policy-name": "A DoS-Webserver", + "junipersrx.firewall.process": "RT_IDP", + "junipersrx.firewall.repeat-count": "0", + "junipersrx.firewall.service-name": "HTTP", + "junipersrx.firewall.tag": "IDP_APPDDOS_APP_STATE_EVENT", + "log.level": "notification", + "log.offset": 3693, + "message": "Connection rate exceeded limit 60", + "network.protocol": "TCP", + "observer.egress.interface.name": "reth0.0", + "observer.egress.zone": "untrust", + "observer.name": "SRX34001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "rule.id": "1", + "rule.name": "DDOS", + "server.ip": "172.27.14.203", + "server.port": 80, + "service.type": "junipersrx", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2011-10-23T16:28:31.696-02:00", + "client.ip": "192.168.14.214", + "client.port": 50825, + "destination.ip": "172.27.14.203", + "destination.port": 80, + "event.action": "application_ddos", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"rethO.O\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"O\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" 
context-value-hit-rate=\"O\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "event.outcome": "success", + "event.severity": "165", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "NONE", + "junipersrx.firewall.connection-hit-rate": "30", + "junipersrx.firewall.context-hit-rate": "123", + "junipersrx.firewall.context-name": "http-get-url", + "junipersrx.firewall.context-value-hit-rate": "O", + "junipersrx.firewall.ddos-application-name": "Webserver", + "junipersrx.firewall.epoch-time": "1319419711", + "junipersrx.firewall.policy-name": "AppDoS-Webserver", + "junipersrx.firewall.process": "RT_IDP", + "junipersrx.firewall.repeat-count": "O", + "junipersrx.firewall.ruleebase-name": "DDOS", + "junipersrx.firewall.service-name": "HTTP", + "junipersrx.firewall.tag": "IDP_APPDDOS_APP_ATTACK_EVENT", + "junipersrx.firewall.threat-severity": "INFO", + "junipersrx.firewall.time-count": "3", + "junipersrx.firewall.time-period": "60", + "junipersrx.firewall.time-scope": "PEER", + "log.level": "notification", + "log.offset": 4165, + "network.protocol": "TCP", + "observer.egress.interface.name": "rethO.O", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "reth1.O", + "observer.ingress.zone": "trust", + "observer.name": "SRX34001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "rule.id": "1", + "server.ip": "172.27.14.203", + "server.port": 80, + "service.type": "junipersrx", + "source.ip": "192.168.14.214", + "source.port": 50825, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2012-10-23T17:28:31.696-02:00", + "client.ip": "193.168.14.214", + "client.port": 50825, + "destination.ip": "172.30.20.201", + "destination.port": 80, + "event.action": "application_ddos", + "event.category": [ + "network", + "intrusion_detection" 
+ ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.O\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"rethO.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"O\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"O\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "event.outcome": "success", + "event.severity": "165", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "NONE", + "junipersrx.firewall.connection-hit-rate": "30", + "junipersrx.firewall.context-hit-rate": "123", + "junipersrx.firewall.context-name": "http-get-url", + "junipersrx.firewall.context-value-hit-rate": "O", + "junipersrx.firewall.ddos-application-name": "Webserver", + "junipersrx.firewall.epoch-time": "1419419711", + "junipersrx.firewall.policy-name": "AppDoS-Webserver", + "junipersrx.firewall.process": "RT_IDP", + "junipersrx.firewall.repeat-count": "O", + "junipersrx.firewall.ruleebase-name": "DDOS02", + "junipersrx.firewall.service-name": "HTTP", + "junipersrx.firewall.tag": "IDP_APPDDOS_APP_ATTACK_EVENT_LS", + "junipersrx.firewall.threat-severity": "INFO", + "junipersrx.firewall.time-count": "3", + "junipersrx.firewall.time-period": "60", + "junipersrx.firewall.time-scope": "PEER", + "log.level": "notification", + "log.offset": 4895, + "network.protocol": "TCP", + "observer.egress.interface.name": "rethO.1", + 
"observer.egress.zone": "untrust", + "observer.ingress.interface.name": "reth3.O", + "observer.ingress.zone": "trust", + "observer.name": "SRX34001", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "rule.id": "1", + "server.ip": "172.30.20.201", + "server.port": 80, + "service.type": "junipersrx", + "source.ip": "193.168.14.214", + "source.port": 50825, + "tags": [ + "junipersrx-firewall forwarded" + ] + } +] \ No newline at end of file diff --git a/filebeat/module/junipersrx/firewall/test/ids.log b/filebeat/module/junipersrx/firewall/test/ids.log new file mode 100644 index 000000000000..5b87817da868 --- /dev/null +++ b/filebeat/module/junipersrx/firewall/test/ids.log 
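Review bot: Every event in this expected output carries `"diened"` in `event.type`, which is not an ECS value; the intended value is presumably `"denied"`, so a detection rule or dashboard filtering on `event.type: denied` would silently miss all of these IDP drops. The value is produced by the ingest pipeline (outside this hunk), so it should be corrected there and this file regenerated rather than edited by hand. The same type is also attached to the two `IDP_APPDDOS_APP_ATTACK_EVENT` records whose `junipersrx.firewall.action` is `NONE` and to the state event that has no action at all, and all seven events report `event.outcome` as `success`; deriving both fields from the parsed `action` would avoid labelling traffic that was not blocked as denied. `tags` holds the single string `"junipersrx-firewall forwarded"` where two separate tags look intended.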
@@ -0,0 +1,12 @@
+<11>1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name="TCP sweep!" source-address="113.113.17.17" source-port="6000" destination-address="40.177.177.1" destination-port="1433" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
+<11>1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.36 attack-name="WinNuke attack!" source-address="2000:0000:0000:0000:0000:0000:0000:0002" source-port="3240" destination-address="2001:0000:0000:0000:0000:0000:0000:0002" destination-port="139" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
+<11>1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="1.1.1.2" source-port="40001" destination-address="2.2.2.2" destination-port="50010" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.40 attack-name="UDP flood!" source-address="111.1.1.3" source-port="40001" destination-address="3.4.2.2" destination-port="53" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.40 attack-name="ICMP fragment!" source-address="111.1.1.3" destination-address="3.4.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Record Route IP option!" source-address="111.1.1.3" destination-address="3.4.2.2" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 6in6!" source-address="1212::12" destination-address="1111::11" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 4in4!" source-address="12.12.12.1" destination-address="11.11.11.1" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" destination-address="2.2.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
+<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="111.1.1.3" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
+<11>1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="TCP port scan!" source-address="10.1.1.100" source-port="50630" destination-address="10.1.1.1" destination-port="10778" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="FIN but no ACK bit!" source-address="10.1.1.100" source-port="42799" destination-address="10.1.1.1" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
diff --git a/filebeat/module/junipersrx/firewall/test/ids.log-expected.json b/filebeat/module/junipersrx/firewall/test/ids.log-expected.json
new file mode 100644
index 000000000000..38e22134a940
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/test/ids.log-expected.json
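Review bot: Most of these sample lines use routable addresses (`113.113.17.17`, `40.177.177.1`, `1.1.1.2`, `2.2.2.2`, `111.1.1.3`, `3.4.2.2`), so the expected output that follows records GeoIP and ASN data naming real networks and organisations, and those values can change whenever the GeoIP test database is updated. Where enrichment is not what a line is meant to test, documentation ranges such as `192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24` and `2001:db8::/32` keep the fixture stable and neutral; one or two public addresses are enough to exercise the geoip processors. The two `alarm-without-drop` lines are the cases worth checking in the expected output, since traffic that was only alarmed on should not be classified as denied; that part of the expected file is outside this view.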
@@ -0,0 +1,627 @@ +[ + { + "@timestamp": "2018-07-19T21:17:02.309-02:00", + "client.ip": "113.113.17.17", + "client.port": 6000, + "destination.as.number": 4249, + "destination.as.organization.name": "Eli Lilly and Company", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "40.177.177.1", + "destination.port": 1433, + "event.action": "sweep_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.attack-name": "TCP sweep!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 0, + "observer.ingress.interface.name": "fe-0/0/2.0", + "observer.ingress.zone": "untrust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "40.177.177.1", + "server.port": 1433, + "service.type": "junipersrx", + "source.as.number": 4134, + "source.as.organization.name": "No.31,Jin-rong Street", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 23.1167, + "source.geo.location.lon": 113.25, + "source.geo.region_iso_code": "CN-GD", + "source.geo.region_name": "Guangdong", + "source.ip": "113.113.17.17", + "source.port": 
6000, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:18:02.309-02:00", + "client.ip": "2000:0000:0000:0000:0000:0000:0000:0002", + "client.port": 3240, + "destination.ip": "2001:0000:0000:0000:0000:0000:0000:0002", + "destination.port": 139, + "event.action": "attack_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.attack-name": "WinNuke attack!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 294, + "observer.ingress.interface.name": "fe-0/0/2.0", + "observer.ingress.zone": "untrust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "2001:0000:0000:0000:0000:0000:0000:0002", + "server.port": 139, + "service.type": "junipersrx", + "source.ip": "2000:0000:0000:0000:0000:0000:0000:0002", + "source.port": 3240, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:19:02.309-02:00", + "client.ip": "1.1.1.2", + "client.port": 40001, + "destination.as.number": 3215, + "destination.as.organization.name": "Orange", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 48.8582, + 
"destination.geo.location.lon": 2.3387, + "destination.ip": "2.2.2.2", + "destination.port": 50010, + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.attack-name": "SYN flood!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 644, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "2.2.2.2", + "server.port": 50010, + "service.type": "junipersrx", + "source.as.number": 13335, + "source.as.organization.name": "Cloudflare, Inc.", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": "1.1.1.2", + "source.port": 40001, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:22:02.309-02:00", + "client.ip": "111.1.1.3", + "client.port": 40001, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + 
"destination.geo.region_name": "Washington", + "destination.ip": "3.4.2.2", + "destination.port": 53, + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.attack-name": "UDP flood!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_UDP", + "log.level": "error", + "log.offset": 930, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "3.4.2.2", + "server.port": 53, + "service.type": "junipersrx", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "source.port": 40001, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:25:02.309-02:00", + "client.ip": "111.1.1.3", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + 
"destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "3.4.2.2", + "event.action": "fragment_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.attack-name": "ICMP fragment!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_ICMP", + "log.level": "error", + "log.offset": 1215, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "3.4.2.2", + "service.type": "junipersrx", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:26:02.309-02:00", + "client.ip": "111.1.1.3", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + 
"destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "3.4.2.2", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.attack-name": "Record Route IP option!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_IP", + "log.level": "error", + "log.offset": 1463, + "network.iana_number": "1", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "3.4.2.2", + "service.type": "junipersrx", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:27:02.309-02:00", + "client.ip": "1212::12", + "destination.ip": "1111::11", + "event.action": "tunneling_screen", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": 
"junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.attack-name": "Tunnel GRE 6in6!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_IP", + "log.level": "error", + "log.offset": 1734, + "network.iana_number": "1", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "1111::11", + "service.type": "junipersrx", + "source.ip": "1212::12", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2018-07-19T21:28:02.309-02:00", + "client.ip": "12.12.12.1", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "11.11.11.1", + "event.action": "tunneling_screen", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + 
"input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.attack-name": "Tunnel GRE 4in4!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_IP", + "log.level": "error", + "log.offset": 1998, + "network.iana_number": "1", + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "11.11.11.1", + "service.type": "junipersrx", + "source.as.number": 32328, + "source.as.organization.name": "Alascom, Inc.", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "12.12.12.1", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2018-07-19T22:19:02.309-02:00", + "destination.as.number": 3215, + "destination.as.organization.name": "Orange", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 48.8582, + "destination.geo.location.lon": 2.3387, + "destination.ip": "2.2.2.2", + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "alarm-without-drop", + "junipersrx.firewall.attack-name": "SYN flood!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_TCP_DST_IP", + 
"log.level": "error", + "log.offset": 2266, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "2.2.2.2", + "service.type": "junipersrx", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2018-07-19T22:19:02.309-02:00", + "client.ip": "111.1.1.3", + "event.action": "flood_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "alarm-without-drop", + "junipersrx.firewall.attack-name": "SYN flood!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_TCP_SRC_IP", + "log.level": "error", + "log.offset": 2503, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trustZone", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "service.type": "junipersrx", + "source.as.number": 56041, + "source.as.organization.name": "China Mobile communications corporation", + "source.geo.city_name": "Wenzhou", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 27.9983, + "source.geo.location.lon": 120.6666, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "111.1.1.3", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": 
"2020-07-17T05:54:43.912-02:00", + "client.ip": "10.1.1.100", + "client.port": 50630, + "destination.ip": "10.1.1.1", + "destination.port": 10778, + "event.action": "scan_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.attack-name": "TCP port scan!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 2737, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "10.1.1.1", + "server.port": 10778, + "service.type": "junipersrx", + "source.ip": "10.1.1.100", + "source.port": 50630, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2020-07-17T06:01:43.006-02:00", + "client.ip": "10.1.1.100", + "client.port": 42799, + "destination.ip": "10.1.1.1", + "destination.port": 7, + "event.action": "illegal_tcp_flag_detected", + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" 
interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "event.outcome": "success", + "event.severity": "11", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.attack-name": "FIN but no ACK bit!", + "junipersrx.firewall.process": "RT_IDS", + "junipersrx.firewall.tag": "RT_SCREEN_TCP", + "log.level": "error", + "log.offset": 3028, + "observer.ingress.interface.name": "ge-0/0/1.0", + "observer.ingress.zone": "trust", + "observer.name": "rtr199", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "10.1.1.1", + "server.port": 7, + "service.type": "junipersrx", + "source.ip": "10.1.1.100", + "source.port": 42799, + "tags": [ + "junipersrx-firewall forwarded" + ] + } +] \ No newline at end of file
diff --git a/filebeat/module/junipersrx/firewall/test/secintel.log b/filebeat/module/junipersrx/firewall/test/secintel.log
new file mode 100644
index 000000000000..12f8f137c7f3
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/test/secintel.log
@@ -0,0 +1,2 @@
+<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="Blacklist" action="BLOCK" action-detail="DROP" http-host="N/A" threat-severity="0" source-address="5.196.121.161" source-port="1" destination-address="10.10.0.10" destination-port="24039" protocol-id="1" application="N/A" nested-application="N/A" feed-name="Tor_Exit_Nodes" policy-name="cc_policy" profile-name="Blacklist" username="N/A" roles="N/A" session-id-32="572564" source-zone-name="Outside" destination-zone-name="DMZ"]
+<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="1.1.1.1" source-port="36612" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"]
diff --git a/filebeat/module/junipersrx/firewall/test/secintel.log-expected.json b/filebeat/module/junipersrx/firewall/test/secintel.log-expected.json
new file mode 100644
index 000000000000..11d39634a08b
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/test/secintel.log-expected.json
@@ -0,0 +1,125 @@ +[ + { + "@timestamp": "2016-10-17T13:18:11.618-02:00", + "client.ip": "5.196.121.161", + "client.port": 1, + "destination.ip": "10.10.0.10", + "destination.port": 24039, + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "BLOCK", + "junipersrx.firewall.action-detail": "DROP", + "junipersrx.firewall.category": "secintel", + "junipersrx.firewall.feed-name": "Tor_Exit_Nodes", + "junipersrx.firewall.policy-name": "cc_policy", + "junipersrx.firewall.process": "RT_SECINTEL", + "junipersrx.firewall.profile-name": "Blacklist", + "junipersrx.firewall.session-id-32": "572564", + "junipersrx.firewall.sub-category": "Blacklist", + "junipersrx.firewall.tag": "SECINTEL_ACTION_LOG", + "junipersrx.firewall.threat-severity": "0", + "log.level": "informational", + "log.offset": 0, + "network.iana_number": "1", + "observer.egress.zone": "DMZ", + "observer.ingress.zone": "Outside", + "observer.name": "SRX-1500", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "10.10.0.10", + "server.port": 24039, + "service.type": "junipersrx", + 
"source.as.number": 16276, + "source.as.organization.name": "OVH SAS", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 48.8582, + "source.geo.location.lon": 2.3387, + "source.ip": "5.196.121.161", + "source.port": 1, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2016-10-17T13:18:11.618-02:00", + "client.ip": "1.1.1.1", + "client.port": 36612, + "destination.ip": "10.0.0.1", + "destination.port": 80, + "event.action": "malware_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "BLOCK", + "junipersrx.firewall.action-detail": "CLOSE REDIRECT MSG", + "junipersrx.firewall.application": "HTTP", + "junipersrx.firewall.category": "secintel", + "junipersrx.firewall.feed-name": "cc_url_data", + "junipersrx.firewall.occur-count": "0", + "junipersrx.firewall.policy-name": "test", + "junipersrx.firewall.process": "RT_SECINTEL", + "junipersrx.firewall.profile-name": "test-profile", + "junipersrx.firewall.session-id-32": "502362", + "junipersrx.firewall.sub-category": "CC", + "junipersrx.firewall.tag": 
"SECINTEL_ACTION_LOG", + "junipersrx.firewall.threat-severity": "10", + "log.level": "informational", + "log.offset": 561, + "network.iana_number": "6", + "observer.egress.zone": "Outside", + "observer.ingress.zone": "Inside", + "observer.name": "SRX-1500", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "10.0.0.1", + "server.port": 80, + "service.type": "junipersrx", + "source.as.number": 13335, + "source.as.organization.name": "Cloudflare, Inc.", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.location.lat": -33.494, + "source.geo.location.lon": 143.2104, + "source.ip": "1.1.1.1", + "source.port": 36612, + "tags": [ + "junipersrx-firewall forwarded" + ], + "url.domain": "dummy_host" + } +] \ No newline at end of file
diff --git a/filebeat/module/junipersrx/firewall/test/utm.log b/filebeat/module/junipersrx/firewall/test/utm.log
new file mode 100644
index 000000000000..61c320ae8859
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/test/utm.log
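Review bot: Both expected events in secintel.log-expected.json pin `event.type` as `["info", "diened", "connection"]`, and `diened` is a misspelling of the ECS value `denied`, so a query or detection rule filtering on `event.type: denied` will not match these blocked SecIntel events. The value presumably originates in the ingest pipeline rather than in this fixture, so the spelling should be corrected there and the file regenerated to read `"event.type": ["info", "denied", "connection"]`. The same spelling is pinned in the ids and utm expected files in this patch. Separately, `tags` holds the single string `"junipersrx-firewall forwarded"` where two separate tags look intended, which is worth confirming against the fileset config.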
@@ -0,0 +1,12 @@
+<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
+<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address="10.10.10.50" source-port="1402" destination-address="216.200.241.66" destination-port="80" category="N/A" reason="BY_OTHER" profile="wf-profile" url="www.checkpoint.com" obj="/css/homepage2012.css" username="user02" roles="N/A"]
+<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address="188.40.238.250" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
+<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address="74.125.155.147" source-port="80" destination-address="10.1.1.103" destination-port="33578" filename="www.google.com/" error-code="14" error-message="scan engine is not ready"]
+<12>1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address="10.2.1.101" source-port="80" destination-address="10.1.1.103" destination-port="51727" filename="10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz"]
+<14>1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone="trust" destination-zone="untrust" source-name="N/A" source-address="10.10.10.1" profile-name="antispam01" action="drop" reason="Match local blacklist" username="user01" roles="N/A"]
+<14>1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone="untrust" destination-zone="trust" protocol="http" source-address="192.0.2.3" source-port="58071" destination-address="198.51.100.2" destination-port="80" profile-name="content02" action="drop" reason="blocked due to file extension block list" username="user01@testuser.com" roles="N/A" filename="test.cmd"]
+<12>1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
+<12>1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address="188.40.238.250" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
+<14>1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="58974" destination-address="104.26.15.142" destination-port="443" session-id="16297" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Information_Technology" reason="BY_SITE_REPUTATION_MODERATELY_SAFE" profile="WCF1" url="datawrapper.dwcdn.net" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="0"]
+<12>1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="59075" destination-address="85.114.159.93" destination-port="443" session-id="16490" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Advertisements" reason="BY_SITE_REPUTATION_SUSPICIOUS" profile="WCF1" url="dsp.adfarm1.adition.com" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="3"]
+<12>1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="23.209.86.45" source-port="80" destination-address="10.1.1.100" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"]
diff --git a/filebeat/module/junipersrx/firewall/test/utm.log-expected.json b/filebeat/module/junipersrx/firewall/test/utm.log-expected.json
new file mode 100644
index 000000000000..a1419a76b423
--- /dev/null
+++ b/filebeat/module/junipersrx/firewall/test/utm.log-expected.json
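Review bot: The `AV_SCANNER_DROP_FILE_MT` and `AV_HUGE_FILE_DROPPED_MT` samples in utm.log are pinned by the expected output that follows as `event.kind: event` with `event.type: ["allowed", "connection"]`, although both tag names, and the `scan engine is not ready` error on the first, describe a file that was dropped rather than delivered. Anyone filtering on denied or alert events would miss these records, and an antivirus engine that cannot scan is itself worth surfacing to the SOC. The classification presumably lives in the UTM ingest pipeline outside this hunk; I would treat the drop tags as denied there so the expected entries read `"event.type": ["denied", "connection"]`, and regenerate the golden file. The `AV_VIRUS_DETECTED_MT` sample also shows the signature name `EICAR-Test-File` ending up in `url.domain`, which looks like it should map to a threat or signature field instead.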
@@ -0,0 +1,609 @@ +[ + { + "@timestamp": "2016-02-17T23:32:50.391-02:00", + "client.ip": "192.168.1.100", + "client.port": 58071, + "destination.as.number": 55967, + "destination.as.organization.name": "Beijing Baidu Netcom Science and Technology Co., Ltd.", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "HK", + "destination.geo.location.lat": 22.25, + "destination.geo.location.lon": 114.1667, + "destination.ip": "103.235.46.39", + "destination.port": 80, + "event.action": "web_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.category": "cat1", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.profile": "uf1", + "junipersrx.firewall.reason": "BY_BLACK_LIST", + "junipersrx.firewall.tag": "WEBFILTER_URL_BLOCKED", + "log.level": "warning", + "log.offset": 0, + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "103.235.46.39", + "server.port": 80, + "service.type": "junipersrx", + "source.ip": "192.168.1.100", + "source.port": 58071, + "source.user.name": "user01", + "tags": [ + "junipersrx-firewall forwarded" + ], + "url.domain": "www.baidu.com", + "url.path": "/" + }, + { + "@timestamp": "2016-02-17T23:32:50.391-02:00", + "client.ip": "10.10.10.50", + "client.port": 1402, + "destination.as.number": 6461, + "destination.as.organization.name": 
"Zayo Bandwidth", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "216.200.241.66", + "destination.port": 80, + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.profile": "wf-profile", + "junipersrx.firewall.reason": "BY_OTHER", + "junipersrx.firewall.tag": "WEBFILTER_URL_PERMITTED", + "log.level": "warning", + "log.offset": 319, + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "216.200.241.66", + "server.port": 80, + "service.type": "junipersrx", + "source.ip": "10.10.10.50", + "source.port": 1402, + "source.user.name": "user02", + "tags": [ + "junipersrx-firewall forwarded" + ], + "url.domain": "www.checkpoint.com", + "url.path": "/css/homepage2012.css" + }, + { + "@timestamp": "2010-02-08T06:29:28.565-02:00", + "client.ip": "188.40.238.250", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 47095, + "event.action": "virus_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" 
destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "file.name": "www.eicar.org/download/eicar.com", + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.name": "EICAR-Test-File", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.tag": "AV_VIRUS_DETECTED_MT", + "junipersrx.firewall.temporary-filename": "www.eicar.org/download/eicar.com", + "log.level": "warning", + "log.offset": 664, + "observer.ingress.zone": "untrust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "10.1.1.103", + "server.port": 47095, + "service.type": "junipersrx", + "source.as.number": 24940, + "source.as.organization.name": "Hetzner Online GmbH", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "188.40.238.250", + "source.port": 80, + "tags": [ + "junipersrx-firewall forwarded" + ], + "url.domain": "EICAR-Test-File" + }, + { + "@timestamp": "2010-02-08T06:29:28.565-02:00", + "client.ip": "74.125.155.147", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 33578, + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"", + "event.outcome": "success", + "event.severity": "12", + 
"event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.name": "www.google.com/", + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.error-code": "14", + "junipersrx.firewall.error-message": "scan engine is not ready", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.tag": "AV_SCANNER_DROP_FILE_MT", + "log.level": "warning", + "log.offset": 1035, + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "10.1.1.103", + "server.port": 33578, + "service.type": "junipersrx", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.155.147", + "source.port": 80, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2010-01-29T08:59:59.660-02:00", + "client.ip": "10.2.1.101", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 51727, + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.name": "10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz", + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.tag": "AV_HUGE_FILE_DROPPED_MT", + "log.level": "warning", + "log.offset": 1323, + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + 
"observer.vendor": "Juniper", + "server.ip": "10.1.1.103", + "server.port": 51727, + "service.type": "junipersrx", + "source.ip": "10.2.1.101", + "source.port": 80, + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2016-02-17T23:33:50.391-02:00", + "client.ip": "10.10.10.1", + "event.action": "antispam_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.profile-name": "antispam01", + "junipersrx.firewall.reason": "Match local blacklist", + "junipersrx.firewall.tag": "ANTISPAM_SPAM_DETECTED_MT", + "log.level": "informational", + "log.offset": 1595, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "service.type": "junipersrx", + "source.ip": "10.10.10.1", + "source.user.name": "user01", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2016-02-17T23:34:50.391-02:00", + "client.ip": "192.0.2.3", + "client.port": 58071, + "destination.ip": "198.51.100.2", + "destination.port": 80, + "event.action": "content_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "source-zone=\"untrust\" 
destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"", + "event.outcome": "success", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "file.name": "test.cmd", + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "drop", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.profile-name": "content02", + "junipersrx.firewall.reason": "blocked due to file extension block list", + "junipersrx.firewall.tag": "CONTENT_FILTERING_BLOCKED_MT", + "log.level": "informational", + "log.offset": 1892, + "network.protocol": "http", + "observer.egress.zone": "trust", + "observer.ingress.zone": "untrust", + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "198.51.100.2", + "server.port": 80, + "service.type": "junipersrx", + "source.ip": "192.0.2.3", + "source.port": 58071, + "source.user.name": "user01@testuser.com", + "tags": [ + "junipersrx-firewall forwarded" + ] + }, + { + "@timestamp": "2016-02-18T23:32:50.391-02:00", + "client.ip": "192.168.1.100", + "client.port": 58071, + "destination.as.number": 55967, + "destination.as.organization.name": "Beijing Baidu Netcom Science and Technology Co., Ltd.", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "HK", + "destination.geo.location.lat": 22.25, + "destination.geo.location.lon": 114.1667, + "destination.ip": "103.235.46.39", + "destination.port": 80, + "event.action": "web_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + 
"event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.category": "cat1", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.profile": "uf1", + "junipersrx.firewall.reason": "BY_BLACK_LIST", + "junipersrx.firewall.tag": "WEBFILTER_URL_BLOCKED_LS", + "log.level": "warning", + "log.offset": 2317, + "observer.name": "utm-srx550-b", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "103.235.46.39", + "server.port": 80, + "service.type": "junipersrx", + "source.ip": "192.168.1.100", + "source.port": 58071, + "source.user.name": "user01", + "tags": [ + "junipersrx-firewall forwarded" + ], + "url.domain": "www.baidu.com", + "url.path": "/" + }, + { + "@timestamp": "2011-02-08T06:29:28.565-02:00", + "client.ip": "188.40.238.250", + "client.port": 80, + "destination.ip": "10.1.1.103", + "destination.port": 47095, + "event.action": "virus_detected", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "file.name": 
"www.eicar.org/download/eicar.com", + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.name": "EICAR-Test-File", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.tag": "AV_VIRUS_DETECTED_MT_LS", + "junipersrx.firewall.temporary-filename": "www.eicar.org/download/eicar.com", + "log.level": "warning", + "log.offset": 2639, + "observer.ingress.zone": "untrust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "10.1.1.103", + "server.port": 47095, + "service.type": "junipersrx", + "source.as.number": 24940, + "source.as.organization.name": "Hetzner Online GmbH", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "188.40.238.250", + "source.port": 80, + "tags": [ + "junipersrx-firewall forwarded" + ], + "url.domain": "EICAR-Test-File" + }, + { + "@timestamp": "2020-07-14T12:16:18.345-02:00", + "client.ip": "10.1.1.100", + "client.port": 58974, + "destination.as.number": 13335, + "destination.as.organization.name": "Cloudflare, Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "104.26.15.142", + "destination.port": 443, + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" 
username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"", + "event.outcome": "success", + "event.risk_score": "0", + "event.severity": "14", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.category": "Enhanced_Information_Technology", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.profile": "WCF1", + "junipersrx.firewall.reason": "BY_SITE_REPUTATION_MODERATELY_SAFE", + "junipersrx.firewall.session-id": "16297", + "junipersrx.firewall.tag": "WEBFILTER_URL_PERMITTED", + "log.level": "informational", + "log.offset": 3013, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "104.26.15.142", + "server.port": 443, + "service.type": "junipersrx", + "source.ip": "10.1.1.100", + "source.port": 58974, + "tags": [ + "junipersrx-firewall forwarded" + ], + "url.domain": "datawrapper.dwcdn.net", + "url.path": "/" + }, + { + "@timestamp": "2020-07-14T12:16:29.541-02:00", + "client.ip": "10.1.1.100", + "client.port": 59075, + "destination.as.number": 24961, + "destination.as.organization.name": "myLoc managed IT AG", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "85.114.159.93", + "destination.port": 443, + "event.action": "web_filter", + "event.category": [ + "network", + "malware" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "alert", + "event.module": "junipersrx", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" 
nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"", + "event.outcome": "success", + "event.risk_score": "3", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "info", + "diened", + "connection" + ], + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.category": "Enhanced_Advertisements", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.profile": "WCF1", + "junipersrx.firewall.reason": "BY_SITE_REPUTATION_SUSPICIOUS", + "junipersrx.firewall.session-id": "16490", + "junipersrx.firewall.tag": "WEBFILTER_URL_BLOCKED", + "log.level": "warning", + "log.offset": 3552, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "85.114.159.93", + "server.port": 443, + "service.type": "junipersrx", + "source.ip": "10.1.1.100", + "source.port": 59075, + "tags": [ + "junipersrx-firewall forwarded" + ], + "url.domain": "dsp.adfarm1.adition.com", + "url.path": "/" + }, + { + "@timestamp": "2020-07-14T12:17:04.733-02:00", + "client.ip": "23.209.86.45", + "client.port": 80, + "destination.ip": "10.1.1.100", + "destination.port": 58954, + "event.category": [ + "network" + ], + "event.dataset": "junipersrx.firewall", + "event.kind": "event", + "event.module": "junipersrx", + "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" 
error-code=\"7\" username=\"N/A\" roles=\"N/A\"", + "event.outcome": "success", + "event.severity": "12", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.name": "download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar", + "fileset.name": "firewall", + "input.type": "log", + "junipersrx.firewall.action": "BLOCKED", + "junipersrx.firewall.error-code": "7", + "junipersrx.firewall.process": "RT_UTM", + "junipersrx.firewall.profile-name": "Custom-Sophos-Profile", + "junipersrx.firewall.reason": "exceeding maximum content size", + "junipersrx.firewall.tag": "AV_FILE_NOT_SCANNED_DROPPED_MT", + "log.level": "warning", + "log.offset": 4078, + "observer.egress.zone": "untrust", + "observer.ingress.zone": "trust", + "observer.name": "SRX650-1", + "observer.product": "SRX", + "observer.type": "firewall", + "observer.vendor": "Juniper", + "server.ip": "10.1.1.100", + "server.port": 58954, + "service.type": "junipersrx", + "source.as.number": 16625, + "source.as.organization.name": "Akamai Technologies, Inc.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "NL", + "source.geo.location.lat": 52.3824, + "source.geo.location.lon": 4.8995, + "source.ip": "23.209.86.45", + "source.port": 80, + "tags": [ + "junipersrx-firewall forwarded" + ] + } +] \ No newline at end of file diff --git a/filebeat/module/junipersrx/module.yml b/filebeat/module/junipersrx/module.yml new file mode 100644 index 000000000000..73b314ff7c70 --- /dev/null +++ b/filebeat/module/junipersrx/module.yml @@ -0,0 +1 @@ +--- \ No newline at end of file diff --git a/filebeat/modules.d/junipersrx.yml.disabled b/filebeat/modules.d/junipersrx.yml.disabled new file mode 100644 index 000000000000..559eb049ece3 --- /dev/null +++ b/filebeat/modules.d/junipersrx.yml.disabled 
@@ -0,0 +1,16 @@
+# Module: junipersrx
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-junipersrx.html
+
+- module: junipersrx
+ firewall:
+ enabled: true
+
+ # Set which input to use between tcp, udp (default) or file.
+ #var.input: udp
+
+ # The interface to listen to syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The port to listen for syslog traffic. Defaults to 9006.
+ #var.syslog_port: 9006
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index 9797291bdf4d..41c2bf6dc479 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -1050,6 +1050,21 @@ filebeat.modules:
 # "+02:00" for GMT+02:00
 # var.tz_offset: local
 
+#------------------------------ Junipersrx Module ------------------------------
+- module: junipersrx
+ firewall:
+ enabled: true
+
+ # Set which input to use between tcp, udp (default) or file.
+ #var.input: udp
+
+ # The interface to listen to syslog traffic. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.syslog_host: localhost
+
+ # The port to listen for syslog traffic. Defaults to 9006.
+ #var.syslog_port: 9006
+
 #-------------------------------- Kafka Module --------------------------------
 - module: kafka
 # All logs
From 1552e9e04019eb762d070afcfaeced8d18cb21a9 Mon Sep 17 00:00:00 2001
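Review bot: The comment above `#var.syslog_host` tells operators to set 0.0.0.0 to listen on every interface, but does not mention that plain syslog over UDP (the default input here) carries no sender authentication or encryption. Any host that can reach the port can therefore submit records, which the module will parse and index as firewall events. I would extend the comment with a caveat such as `# Bind to a non-loopback address only where access to the port is limited to the sending SRX devices (firewall rule or dedicated management network).` The same comment block is added again in the x-pack/filebeat/filebeat.reference.yml hunk that follows on this line, so the wording should be changed in both places. The module's `_meta/config.yml` appears to be the source for these generated files but is outside this view.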
From: P1llus Date: Wed, 19 Aug 2020 11:14:54 +0200 Subject: [PATCH 02/14] stashing changes for later --- filebeat/docs/fields.asciidoc | 252 +++++++++--------- filebeat/docs/modules/juniper.asciidoc | 120 ++++++++- filebeat/docs/modules_list.asciidoc | 2 - filebeat/filebeat.reference.yml | 15 -- filebeat/include/list.go | 1 - filebeat/module/junipersrx/_meta/config.yml | 13 - .../module/junipersrx/_meta/docs.asciidoc | 128 --------- filebeat/module/junipersrx/_meta/fields.yml | 9 - filebeat/module/junipersrx/fields.go | 36 --- filebeat/module/junipersrx/module.yml | 1 - filebeat/modules.d/junipersrx.yml.disabled | 16 -- x-pack/filebeat/filebeat.reference.yml | 8 +- .../filebeat/module/juniper/_meta/config.yml | 15 ++ .../module/juniper/_meta/docs.asciidoc | 120 ++++++++- x-pack/filebeat/module/juniper/fields.go | 2 +- .../module/juniper/srx}/_meta/fields.yml | 13 +- .../module/juniper/srx/config/srx.yml | 1 - .../module/juniper/srx}/ingest/atp.yml | 102 +++---- .../module/juniper/srx}/ingest/flow.yml | 106 ++++---- .../module/juniper/srx}/ingest/idp.yml | 104 ++++---- .../module/juniper/srx}/ingest/ids.yml | 108 ++++---- .../module/juniper/srx}/ingest/pipeline.yml | 72 ++--- .../module/juniper/srx}/ingest/secintel.yml | 104 ++++---- .../module/juniper/srx}/ingest/utm.yml | 122 ++++----- .../filebeat/module/juniper/srx}/manifest.yml | 4 +- .../filebeat/module/juniper/srx}/test/atp.log | 0 .../juniper/srx}/test/atp.log-expected.json | 0 .../module/juniper/srx}/test/flow.log | 0 .../juniper/srx}/test/flow.log-expected.json | 0 .../filebeat/module/juniper/srx}/test/idp.log | 0 .../juniper/srx}/test/idp.log-expected.json | 0 .../filebeat/module/juniper/srx}/test/ids.log | 0 .../juniper/srx}/test/ids.log-expected.json | 0 .../module/juniper/srx}/test/secintel.log | 0 .../srx}/test/secintel.log-expected.json | 0 .../filebeat/module/juniper/srx}/test/utm.log | 0 .../juniper/srx}/test/utm.log-expected.json | 0 .../filebeat/modules.d/juniper.yml.disabled | 15 ++ 38 files 
changed, 756 insertions(+), 733 deletions(-) delete mode 100644 filebeat/module/junipersrx/_meta/config.yml delete mode 100644 filebeat/module/junipersrx/_meta/docs.asciidoc delete mode 100644 filebeat/module/junipersrx/_meta/fields.yml delete mode 100644 filebeat/module/junipersrx/fields.go delete mode 100644 filebeat/module/junipersrx/module.yml delete mode 100644 filebeat/modules.d/junipersrx.yml.disabled rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/_meta/fields.yml (99%) rename filebeat/module/junipersrx/firewall/config/firewall.yml => x-pack/filebeat/module/juniper/srx/config/srx.yml (99%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/ingest/atp.yml (71%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/ingest/flow.yml (70%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/ingest/idp.yml (70%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/ingest/ids.yml (74%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/ingest/pipeline.yml (77%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/ingest/secintel.yml (70%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/ingest/utm.yml (74%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/manifest.yml (83%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/test/atp.log (100%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/test/atp.log-expected.json (100%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/test/flow.log (100%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/test/flow.log-expected.json (100%) rename {filebeat/module/junipersrx/firewall => 
x-pack/filebeat/module/juniper/srx}/test/idp.log (100%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/test/idp.log-expected.json (100%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/test/ids.log (100%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/test/ids.log-expected.json (100%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/test/secintel.log (100%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/test/secintel.log-expected.json (100%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/test/utm.log (100%) rename {filebeat/module/junipersrx/firewall => x-pack/filebeat/module/juniper/srx}/test/utm.log-expected.json (100%) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index d8a9851ffeae..923c030fec49 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -49,7 +49,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> @@ -88081,27 +88080,14 @@ type: keyword -- -[[exported-fields-junipersrx]] -== junipersrx fields - -junipersrx Module - - - -[float] -=== junipersrx - - - - [float] -=== firewall +=== srx Module for parsing junipersrx syslog. -*`junipersrx.firewall.reason`*:: +*`srx.reason`*:: + -- reason @@ -88111,7 +88097,7 @@ type: keyword -- -*`junipersrx.firewall.source-address`*:: +*`srx.source-address`*:: + -- source address @@ -88121,7 +88107,7 @@ type: ip -- -*`junipersrx.firewall.source-port`*:: +*`srx.source-port`*:: + -- source port @@ -88131,7 +88117,7 @@ type: integer -- -*`junipersrx.firewall.destination-address`*:: +*`srx.destination-address`*:: + -- destination address @@ -88141,7 +88127,7 @@ type: ip -- -*`junipersrx.firewall.destination-port`*:: +*`srx.destination-port`*:: + -- destination port 
@@ -88151,7 +88137,7 @@ type: integer -- -*`junipersrx.firewall.connection-tag`*:: +*`srx.connection-tag`*:: + -- connection tag @@ -88161,7 +88147,7 @@ type: keyword -- -*`junipersrx.firewall.service-name`*:: +*`srx.service-name`*:: + -- service name @@ -88171,7 +88157,7 @@ type: keyword -- -*`junipersrx.firewall.nat-source-address`*:: +*`srx.nat-source-address`*:: + -- nat source address @@ -88181,7 +88167,7 @@ type: ip -- -*`junipersrx.firewall.nat-source-port`*:: +*`srx.nat-source-port`*:: + -- nat source port @@ -88191,7 +88177,7 @@ type: integer -- -*`junipersrx.firewall.nat-destination-address`*:: +*`srx.nat-destination-address`*:: + -- nat destination address @@ -88201,7 +88187,7 @@ type: ip -- -*`junipersrx.firewall.nat-destination-port`*:: +*`srx.nat-destination-port`*:: + -- nat destination port @@ -88211,7 +88197,7 @@ type: integer -- -*`junipersrx.firewall.nat-connection-tag`*:: +*`srx.nat-connection-tag`*:: + -- nat connection tag @@ -88221,7 +88207,7 @@ type: keyword -- -*`junipersrx.firewall.src-nat-rule-type`*:: +*`srx.src-nat-rule-type`*:: + -- src nat rule type @@ -88231,7 +88217,7 @@ type: keyword -- -*`junipersrx.firewall.src-nat-rule-name`*:: +*`srx.src-nat-rule-name`*:: + -- src nat rule name @@ -88241,7 +88227,7 @@ type: keyword -- -*`junipersrx.firewall.dst-nat-rule-type`*:: +*`srx.dst-nat-rule-type`*:: + -- dst nat rule type @@ -88251,7 +88237,7 @@ type: keyword -- -*`junipersrx.firewall.dst-nat-rule-name`*:: +*`srx.dst-nat-rule-name`*:: + -- dst nat rule name @@ -88261,7 +88247,7 @@ type: keyword -- -*`junipersrx.firewall.protocol-id`*:: +*`srx.protocol-id`*:: + -- protocol id @@ -88271,7 +88257,7 @@ type: keyword -- -*`junipersrx.firewall.policy-name`*:: +*`srx.policy-name`*:: + -- policy name @@ -88281,7 +88267,7 @@ type: keyword -- -*`junipersrx.firewall.source-zone-name`*:: +*`srx.source-zone-name`*:: + -- source zone name 
@@ -88291,7 +88277,7 @@ type: keyword -- -*`junipersrx.firewall.source-zone`*:: +*`srx.source-zone`*:: + -- source zone @@ -88301,7 +88287,7 @@ type: keyword -- -*`junipersrx.firewall.destination-zone-name`*:: +*`srx.destination-zone-name`*:: + -- destination zone name @@ -88311,7 +88297,7 @@ type: keyword -- -*`junipersrx.firewall.destination-zone`*:: +*`srx.destination-zone`*:: + -- destination zone @@ -88321,7 +88307,7 @@ type: keyword -- -*`junipersrx.firewall.session-id-32`*:: +*`srx.session-id-32`*:: + -- session id 32 @@ -88331,7 +88317,7 @@ type: keyword -- -*`junipersrx.firewall.session-id`*:: +*`srx.session-id`*:: + -- session id @@ -88341,7 +88327,7 @@ type: keyword -- -*`junipersrx.firewall.packets-from-client`*:: +*`srx.packets-from-client`*:: + -- packets from client @@ -88351,7 +88337,7 @@ type: integer -- -*`junipersrx.firewall.outbound-packets`*:: +*`srx.outbound-packets`*:: + -- packets from client @@ -88361,7 +88347,7 @@ type: integer -- -*`junipersrx.firewall.bytes-from-client`*:: +*`srx.bytes-from-client`*:: + -- bytes from client @@ -88371,7 +88357,7 @@ type: integer -- -*`junipersrx.firewall.outbound-bytes`*:: +*`srx.outbound-bytes`*:: + -- bytes from client @@ -88381,7 +88367,7 @@ type: integer -- -*`junipersrx.firewall.packets-from-server`*:: +*`srx.packets-from-server`*:: + -- packets from server @@ -88391,7 +88377,7 @@ type: integer -- -*`junipersrx.firewall.inbound-packets`*:: +*`srx.inbound-packets`*:: + -- packets from server @@ -88401,7 +88387,7 @@ type: integer -- -*`junipersrx.firewall.bytes-from-server`*:: +*`srx.bytes-from-server`*:: + -- bytes from server @@ -88411,7 +88397,7 @@ type: integer -- -*`junipersrx.firewall.inbound-bytes`*:: +*`srx.inbound-bytes`*:: + -- bytes from server @@ -88421,7 +88407,7 @@ type: integer -- -*`junipersrx.firewall.elapsed-time`*:: +*`srx.elapsed-time`*:: + -- elapsed time @@ -88431,7 +88417,7 @@ type: date -- -*`junipersrx.firewall.application`*:: +*`srx.application`*:: + -- application 
@@ -88441,7 +88427,7 @@ type: keyword -- -*`junipersrx.firewall.nested-application`*:: +*`srx.nested-application`*:: + -- nested application @@ -88451,7 +88437,7 @@ type: keyword -- -*`junipersrx.firewall.username`*:: +*`srx.username`*:: + -- username @@ -88461,7 +88447,7 @@ type: keyword -- -*`junipersrx.firewall.roles`*:: +*`srx.roles`*:: + -- roles @@ -88471,7 +88457,7 @@ type: keyword -- -*`junipersrx.firewall.packet-incoming-interface`*:: +*`srx.packet-incoming-interface`*:: + -- packet incoming interface @@ -88481,7 +88467,7 @@ type: keyword -- -*`junipersrx.firewall.encrypted`*:: +*`srx.encrypted`*:: + -- encrypted @@ -88491,7 +88477,7 @@ type: keyword -- -*`junipersrx.firewall.application-category`*:: +*`srx.application-category`*:: + -- application category @@ -88501,7 +88487,7 @@ type: keyword -- -*`junipersrx.firewall.application-sub-category`*:: +*`srx.application-sub-category`*:: + -- application sub category @@ -88511,7 +88497,7 @@ type: keyword -- -*`junipersrx.firewall.application-risk`*:: +*`srx.application-risk`*:: + -- application risk @@ -88521,7 +88507,7 @@ type: integer -- -*`junipersrx.firewall.urlcategory-risk`*:: +*`srx.urlcategory-risk`*:: + -- urlcategory risk @@ -88531,7 +88517,7 @@ type: integer -- -*`junipersrx.firewall.application-characteristics`*:: +*`srx.application-characteristics`*:: + -- application characteristics @@ -88541,7 +88527,7 @@ type: keyword -- -*`junipersrx.firewall.secure-web-proxy-session-type`*:: +*`srx.secure-web-proxy-session-type`*:: + -- secure web proxy session type @@ -88551,7 +88537,7 @@ type: keyword -- -*`junipersrx.firewall.peer-session-id`*:: +*`srx.peer-session-id`*:: + -- peer session id @@ -88561,7 +88547,7 @@ type: keyword -- -*`junipersrx.firewall.peer-source-address`*:: +*`srx.peer-source-address`*:: + -- peer source address @@ -88571,7 +88557,7 @@ type: ip -- -*`junipersrx.firewall.peer-source-port`*:: +*`srx.peer-source-port`*:: + -- peer source port 
@@ -88581,7 +88567,7 @@ type: integer -- -*`junipersrx.firewall.peer-destination-address`*:: +*`srx.peer-destination-address`*:: + -- peer destination address @@ -88591,7 +88577,7 @@ type: ip -- -*`junipersrx.firewall.peer-destination-port`*:: +*`srx.peer-destination-port`*:: + -- peer destination port @@ -88601,7 +88587,7 @@ type: integer -- -*`junipersrx.firewall.hostname`*:: +*`srx.hostname`*:: + -- hostname @@ -88611,7 +88597,7 @@ type: keyword -- -*`junipersrx.firewall.src-vrf-grp`*:: +*`srx.src-vrf-grp`*:: + -- src-vrf-grp @@ -88621,7 +88607,7 @@ type: keyword -- -*`junipersrx.firewall.dst-vrf-grp`*:: +*`srx.dst-vrf-grp`*:: + -- dst-vrf-grp @@ -88631,7 +88617,7 @@ type: keyword -- -*`junipersrx.firewall.icmp-type`*:: +*`srx.icmp-type`*:: + -- icmp type @@ -88641,7 +88627,7 @@ type: integer -- -*`junipersrx.firewall.process`*:: +*`srx.process`*:: + -- process that generated the message @@ -88651,7 +88637,7 @@ type: keyword -- -*`junipersrx.firewall.apbr-rule-type`*:: +*`srx.apbr-rule-type`*:: + -- apbr rule type @@ -88661,7 +88647,7 @@ type: keyword -- -*`junipersrx.firewall.dscp-value`*:: +*`srx.dscp-value`*:: + -- apbr rule type @@ -88671,7 +88657,7 @@ type: integer -- -*`junipersrx.firewall.logical-system-name`*:: +*`srx.logical-system-name`*:: + -- logical system name @@ -88681,7 +88667,7 @@ type: keyword -- -*`junipersrx.firewall.destination-interface-name`*:: +*`srx.destination-interface-name`*:: + -- destination interface name @@ -88691,7 +88677,7 @@ type: keyword -- -*`junipersrx.firewall.profile-name`*:: +*`srx.profile-name`*:: + -- profile name @@ -88701,7 +88687,7 @@ type: keyword -- -*`junipersrx.firewall.routing-instance`*:: +*`srx.routing-instance`*:: + -- routing instance @@ -88711,7 +88697,7 @@ type: keyword -- -*`junipersrx.firewall.rule-name`*:: +*`srx.rule-name`*:: + -- rule name @@ -88721,7 +88707,7 @@ type: keyword -- -*`junipersrx.firewall.uplink-tx-bytes`*:: +*`srx.uplink-tx-bytes`*:: + -- uplink tx bytes 
@@ -88731,7 +88717,7 @@ type: integer -- -*`junipersrx.firewall.uplink-rx-bytes`*:: +*`srx.uplink-rx-bytes`*:: + -- uplink rx bytes @@ -88741,7 +88727,7 @@ type: integer -- -*`junipersrx.firewall.obj`*:: +*`srx.obj`*:: + -- url path @@ -88751,7 +88737,7 @@ type: keyword -- -*`junipersrx.firewall.url`*:: +*`srx.url`*:: + -- url domain @@ -88761,7 +88747,7 @@ type: keyword -- -*`junipersrx.firewall.profile`*:: +*`srx.profile`*:: + -- filter profile @@ -88771,7 +88757,7 @@ type: keyword -- -*`junipersrx.firewall.category`*:: +*`srx.category`*:: + -- filter category @@ -88781,7 +88767,7 @@ type: keyword -- -*`junipersrx.firewall.filename`*:: +*`srx.filename`*:: + -- filename @@ -88791,7 +88777,7 @@ type: keyword -- -*`junipersrx.firewall.temporary-filename`*:: +*`srx.temporary-filename`*:: + -- temporary-filename @@ -88801,7 +88787,7 @@ type: keyword -- -*`junipersrx.firewall.name`*:: +*`srx.name`*:: + -- name @@ -88811,7 +88797,7 @@ type: keyword -- -*`junipersrx.firewall.error-message`*:: +*`srx.error-message`*:: + -- error-message @@ -88821,7 +88807,7 @@ type: keyword -- -*`junipersrx.firewall.error-code`*:: +*`srx.error-code`*:: + -- error-code @@ -88831,7 +88817,7 @@ type: keyword -- -*`junipersrx.firewall.action`*:: +*`srx.action`*:: + -- action @@ -88841,7 +88827,7 @@ type: keyword -- -*`junipersrx.firewall.protocol`*:: +*`srx.protocol`*:: + -- protocol @@ -88851,7 +88837,7 @@ type: keyword -- -*`junipersrx.firewall.protocol-name`*:: +*`srx.protocol-name`*:: + -- protocol name @@ -88861,7 +88847,7 @@ type: keyword -- -*`junipersrx.firewall.type`*:: +*`srx.type`*:: + -- type @@ -88871,7 +88857,7 @@ type: keyword -- -*`junipersrx.firewall.repeat-count`*:: +*`srx.repeat-count`*:: + -- repeat count @@ -88881,7 +88867,7 @@ type: integer -- -*`junipersrx.firewall.alert`*:: +*`srx.alert`*:: + -- repeat alert @@ -88891,7 +88877,7 @@ type: keyword -- -*`junipersrx.firewall.message-type`*:: +*`srx.message-type`*:: + -- message type 
@@ -88901,7 +88887,7 @@ type: keyword -- -*`junipersrx.firewall.threat-severity`*:: +*`srx.threat-severity`*:: + -- threat severity @@ -88911,7 +88897,7 @@ type: keyword -- -*`junipersrx.firewall.application-name`*:: +*`srx.application-name`*:: + -- application name @@ -88921,7 +88907,7 @@ type: keyword -- -*`junipersrx.firewall.attack-name`*:: +*`srx.attack-name`*:: + -- attack name @@ -88931,7 +88917,7 @@ type: keyword -- -*`junipersrx.firewall.index`*:: +*`srx.index`*:: + -- index @@ -88941,7 +88927,7 @@ type: keyword -- -*`junipersrx.firewall.message`*:: +*`srx.message`*:: + -- mesagge @@ -88951,7 +88937,7 @@ type: keyword -- -*`junipersrx.firewall.epoch-time`*:: +*`srx.epoch-time`*:: + -- epoch time @@ -88961,7 +88947,7 @@ type: date -- -*`junipersrx.firewall.packet-log-id`*:: +*`srx.packet-log-id`*:: + -- packet log id @@ -88971,7 +88957,7 @@ type: integer -- -*`junipersrx.firewall.export-id`*:: +*`srx.export-id`*:: + -- packet log id @@ -88981,7 +88967,7 @@ type: integer -- -*`junipersrx.firewall.ddos-application-name`*:: +*`srx.ddos-application-name`*:: + -- ddos application name @@ -88991,7 +88977,7 @@ type: keyword -- -*`junipersrx.firewall.connection-hit-rate`*:: +*`srx.connection-hit-rate`*:: + -- connection hit rate @@ -89001,7 +88987,7 @@ type: integer -- -*`junipersrx.firewall.time-scope`*:: +*`srx.time-scope`*:: + -- time scope @@ -89011,7 +88997,7 @@ type: keyword -- -*`junipersrx.firewall.context-hit-rate`*:: +*`srx.context-hit-rate`*:: + -- context hit rate @@ -89021,7 +89007,7 @@ type: integer -- -*`junipersrx.firewall.context-value-hit-rate`*:: +*`srx.context-value-hit-rate`*:: + -- context value hit rate @@ -89031,7 +89017,7 @@ type: integer -- -*`junipersrx.firewall.time-count`*:: +*`srx.time-count`*:: + -- time count @@ -89041,7 +89027,7 @@ type: integer -- -*`junipersrx.firewall.time-period`*:: +*`srx.time-period`*:: + -- time period 
@@ -89051,7 +89037,7 @@ type: integer -- -*`junipersrx.firewall.context-value`*:: +*`srx.context-value`*:: + -- context value @@ -89061,7 +89047,7 @@ type: keyword -- -*`junipersrx.firewall.context-name`*:: +*`srx.context-name`*:: + -- context name @@ -89071,7 +89057,7 @@ type: keyword -- -*`junipersrx.firewall.ruleebase-name`*:: +*`srx.ruleebase-name`*:: + -- ruleebase name @@ -89081,7 +89067,7 @@ type: keyword -- -*`junipersrx.firewall.interface-name`*:: +*`srx.interface-name`*:: + -- interface name @@ -89091,7 +89077,7 @@ type: keyword -- -*`junipersrx.firewall.verdict-source`*:: +*`srx.verdict-source`*:: + -- verdict source @@ -89101,7 +89087,7 @@ type: keyword -- -*`junipersrx.firewall.verdict-number`*:: +*`srx.verdict-number`*:: + -- verdict number @@ -89111,7 +89097,7 @@ type: integer -- -*`junipersrx.firewall.http-host`*:: +*`srx.http-host`*:: + -- http host @@ -89121,7 +89107,7 @@ type: keyword -- -*`junipersrx.firewall.file-category`*:: +*`srx.file-category`*:: + -- file category @@ -89131,7 +89117,7 @@ type: keyword -- -*`junipersrx.firewall.sample-sha256`*:: +*`srx.sample-sha256`*:: + -- sample sha256 @@ -89141,7 +89127,7 @@ type: keyword -- -*`junipersrx.firewall.malware-info`*:: +*`srx.malware-info`*:: + -- malware info @@ -89151,7 +89137,7 @@ type: keyword -- -*`junipersrx.firewall.client-ip`*:: +*`srx.client-ip`*:: + -- client ip @@ -89161,7 +89147,7 @@ type: ip -- -*`junipersrx.firewall.tenant-id`*:: +*`srx.tenant-id`*:: + -- tenant id @@ -89171,7 +89157,7 @@ type: keyword -- -*`junipersrx.firewall.timestamp`*:: +*`srx.timestamp`*:: + -- timestamp @@ -89181,7 +89167,7 @@ type: date -- -*`junipersrx.firewall.th`*:: +*`srx.th`*:: + -- th @@ -89191,7 +89177,7 @@ type: keyword -- -*`junipersrx.firewall.status`*:: +*`srx.status`*:: + -- status @@ -89201,7 +89187,7 @@ type: keyword -- -*`junipersrx.firewall.state`*:: +*`srx.state`*:: + -- state 
@@ -89211,7 +89197,7 @@ type: keyword -- -*`junipersrx.firewall.file-hash-lookup`*:: +*`srx.file-hash-lookup`*:: + -- file hash lookup @@ -89221,7 +89207,7 @@ type: keyword -- -*`junipersrx.firewall.file-name`*:: +*`srx.file-name`*:: + -- file name @@ -89231,7 +89217,7 @@ type: keyword -- -*`junipersrx.firewall.action-detail`*:: +*`srx.action-detail`*:: + -- action detail @@ -89241,7 +89227,7 @@ type: keyword -- -*`junipersrx.firewall.sub-category`*:: +*`srx.sub-category`*:: + -- sub category @@ -89251,7 +89237,7 @@ type: keyword -- -*`junipersrx.firewall.feed-name`*:: +*`srx.feed-name`*:: + -- feed name @@ -89261,7 +89247,7 @@ type: keyword -- -*`junipersrx.firewall.occur-count`*:: +*`srx.occur-count`*:: + -- occur count @@ -89271,7 +89257,7 @@ type: integer -- -*`junipersrx.firewall.tag`*:: +*`srx.tag`*:: + -- system log message tag, which uniquely identifies the message. diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc index 047e847bc5a1..7b06af301feb 100644 --- a/filebeat/docs/modules/juniper.asciidoc +++ b/filebeat/docs/modules/juniper.asciidoc 
@@ -10,18 +10,130 @@ This file is generated! See scripts/docs_collector.py == Juniper module -experimental[] +This is a module for ingesting data from the different Juniper Products. Currently supports these filesets: -This is a module for receiving Juniper JUNOS logs over Syslog or a file. +- `srx` fileset: Supports Juniper SRX logs +- `junos` fileset: Supports Juniper JUNOS logs include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: junos - include::../include/config-option-intro.asciidoc[] +:fileset_ex: srx +beta[] + +[float] +==== `srx` fileset settings + +The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html[JunOS Documentation structured-data] + +To configure a remote syslog destination, please reference the https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502[SRX Getting Started - Configure System Logging]. 
+ +The following processes and tags are supported: + +[options="header"] +|============================================================== +| JunOS processes | JunOS tags | +| RT_FLOW | RT_FLOW_SESSION_CREATE | +| | RT_FLOW_SESSION_CLOSE | +| | RT_FLOW_SESSION_DENY | +| | APPTRACK_SESSION_CREATE | +| | APPTRACK_SESSION_CLOSE | +| | APPTRACK_SESSION_VOL_UPDATE | +| RT_IDS | RT_SCREEN_TCP | +| | RT_SCREEN_UDP | +| | RT_SCREEN_ICMP | +| | RT_SCREEN_IP | +| | RT_SCREEN_TCP_DST_IP | +| | RT_SCREEN_TCP_SRC_IP | +| RT_UTM | WEBFILTER_URL_PERMITTED | +| | WEBFILTER_URL_BLOCKED | +| | AV_VIRUS_DETECTED_MT | +| | CONTENT_FILTERING_BLOCKED_MT | +| | ANTISPAM_SPAM_DETECTED_MT | +| RT_IDP | IDP_ATTACK_LOG_EVENT | +| | IDP_APPDDOS_APP_STATE_EVENT | +| RT_AAMW | SRX_AAMW_ACTION_LOG | +| | AAMW_MALWARE_EVENT_LOG | +| | AAMW_HOST_INFECTED_EVENT_LOG | +| | AAMW_ACTION_LOG | +| RT_SECINTEL | SECINTEL_ACTION_LOG | +|============================================================== + +The syslog format choosen should be `Default`. + +[float] +=== Compatibility + +This module has been tested against JunOS version 19.x and 20.x. +Versions above this are expected to work but have not been tested. + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9006 +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9006. + + +[float] +==== Juniper SRX ECS fields + +This is a list of JunOS fields that are mapped to ECS. 
+ +[options="header"] +|============================================================== +| Juniper SRX Fields | ECS Fields | +| application-risk | event.risk_score | +| bytes-from-client | source.bytes | +| bytes-from-server | destination.bytes | +| destination-interface-name | observer.egress.interface.name | +| destination-zone-name | observer.egress.zone | +| destination-address | destination.ip | +| destination-port | destination.port | +| dst_domainname | url.domain | +| elapsed-time | event.duration | +| filename | file.name | +| nat-destination-address | destination.nat.ip | +| nat-destination-port | destination.nat.port | +| nat-source-address | source.nat.ip | +| nat-source-port | source.nat.port | +| message | message | +| obj | url.path | +| packets-from-client | source.packets | +| packets-from-server | destination.packets | +| policy-name | rule.name | +| protocol | network.transport | +| source-address | source.ip | +| source-interface-name | observer.ingress.interface.name| +| source-port | source.port | +| source-zone-name | observer.ingress.zone | +| url | url.domain | +|============================================================== + + +:fileset_ex: junos + [float] ==== `junos` fileset settings diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 68811e1db05e..cd466617a94c 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -32,7 +32,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -101,7 +100,6 @@ include::modules/imperva.asciidoc[] include::modules/infoblox.asciidoc[] include::modules/iptables.asciidoc[] include::modules/juniper.asciidoc[] -include::modules/junipersrx.asciidoc[] include::modules/kafka.asciidoc[] include::modules/kibana.asciidoc[] include::modules/logstash.asciidoc[] diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index e41c52315fae..bf29e0715ed0 100644 
--- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -187,21 +187,6 @@ filebeat.modules: # can be added under this section. #input: -#------------------------------ Junipersrx Module ------------------------------ -- module: junipersrx - firewall: - enabled: true - - # Set which input to use between tcp, udp (default) or file. - #var.input: udp - - # The interface to listen to syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The port to listen for syslog traffic. Defaults to 9006. - #var.syslog_port: 9006 - #-------------------------------- Kafka Module -------------------------------- - module: kafka # All logs diff --git a/filebeat/include/list.go b/filebeat/include/list.go index 1e115fe6cdd8..519d0e715819 100644 --- a/filebeat/include/list.go +++ b/filebeat/include/list.go @@ -37,7 +37,6 @@ import ( _ "github.com/elastic/beats/v7/filebeat/module/haproxy" _ "github.com/elastic/beats/v7/filebeat/module/icinga" _ "github.com/elastic/beats/v7/filebeat/module/iis" - _ "github.com/elastic/beats/v7/filebeat/module/junipersrx" _ "github.com/elastic/beats/v7/filebeat/module/kafka" _ "github.com/elastic/beats/v7/filebeat/module/kibana" _ "github.com/elastic/beats/v7/filebeat/module/logstash" diff --git a/filebeat/module/junipersrx/_meta/config.yml b/filebeat/module/junipersrx/_meta/config.yml deleted file mode 100644 index 8272e20dbfd7..000000000000 --- a/filebeat/module/junipersrx/_meta/config.yml +++ /dev/null @@ -1,13 +0,0 @@ -- module: junipersrx - firewall: - enabled: true - - # Set which input to use between tcp, udp (default) or file. - #var.input: udp - - # The interface to listen to syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The port to listen for syslog traffic. Defaults to 9006. - #var.syslog_port: 9006 
diff --git a/filebeat/module/junipersrx/_meta/docs.asciidoc b/filebeat/module/junipersrx/_meta/docs.asciidoc deleted file mode 100644 index 02a06270ef04..000000000000 --- a/filebeat/module/junipersrx/_meta/docs.asciidoc +++ /dev/null 
@@ -1,128 +0,0 @@ -[role="xpack"] - -:modulename: junipersrx -:has-dashboards: false - -== Juniper-SRX module - -This is a module for Juniper-SRX OS logs sent in the syslog format. - -The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html[JunOS Documentation structured-data] - -To configure a remote syslog destination, please reference the https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502[SRX Getting Started - Configure System Logging]. - -The following processes and tags are supported: - -[options="header"] -|============================================================== -| JunOS processes | JunOS tags | -| RT_FLOW | RT_FLOW_SESSION_CREATE | -| | RT_FLOW_SESSION_CLOSE | -| | RT_FLOW_SESSION_DENY | -| | APPTRACK_SESSION_CREATE | -| | APPTRACK_SESSION_CLOSE | -| | APPTRACK_SESSION_VOL_UPDATE | -| RT_IDS | RT_SCREEN_TCP | -| | RT_SCREEN_UDP | -| | RT_SCREEN_ICMP | -| | RT_SCREEN_IP | -| | RT_SCREEN_TCP_DST_IP | -| | RT_SCREEN_TCP_SRC_IP | -| RT_UTM | WEBFILTER_URL_PERMITTED | -| | WEBFILTER_URL_BLOCKED | -| | AV_VIRUS_DETECTED_MT | -| | CONTENT_FILTERING_BLOCKED_MT | -| | ANTISPAM_SPAM_DETECTED_MT | -| RT_IDP | IDP_ATTACK_LOG_EVENT | -| | IDP_APPDDOS_APP_STATE_EVENT | -| RT_AAMW | SRX_AAMW_ACTION_LOG | -| | AAMW_MALWARE_EVENT_LOG | -| | AAMW_HOST_INFECTED_EVENT_LOG | -| | AAMW_ACTION_LOG | -| RT_SECINTEL | SECINTEL_ACTION_LOG | -|============================================================== - - - -The syslog format choosen should be `Default`. - -include::../include/gs-link.asciidoc[] - -[float] -=== Compatibility - -This module has been tested against JunOS version 19.x and 20.x. -Versions above this are expected to work but have not been tested. 
- -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: firewall - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `firewall` fileset settings - -[source,yaml] ----- -- module: sophosxg - firewall: - enabled: true - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9006 ----- - -include::../include/var-paths.asciidoc[] - -*`var.input`*:: - -The input to use, can be either the value `tcp`, `udp` or `file`. - -*`var.syslog_host`*:: - -The interface to listen to all syslog traffic. Defaults to localhost. -Set to 0.0.0.0 to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to 9006. - - -[float] -==== JunOS ECS fields - -This is a list of JunOS fields that are mapped to ECS. - -[options="header"] -|============================================================== -| JunOS Fields | ECS Fields | -| application-risk | event.risk_score | -| bytes-from-client | source.bytes | -| bytes-from-server | destination.bytes | -| destination-interface-name | observer.egress.interface.name | -| destination-zone-name | observer.egress.zone | -| destination-address | destination.ip | -| destination-port | destination.port | -| dst_domainname | url.domain | -| elapsed-time | event.duration | -| filename | file.name | -| nat-destination-address | destination.nat.ip | -| nat-destination-port | destination.nat.port | -| nat-source-address | source.nat.ip | -| nat-source-port | source.nat.port | -| message | message | -| obj | url.path | -| packets-from-client | source.packets | -| packets-from-server | destination.packets | -| policy-name | rule.name | -| protocol | network.transport | -| source-address | source.ip | -| source-interface-name | observer.ingress.interface.name| -| source-port | source.port | -| source-zone-name | observer.ingress.zone | -| url | url.domain | -|============================================================== - - -:modulename!: 
diff --git a/filebeat/module/junipersrx/_meta/fields.yml b/filebeat/module/junipersrx/_meta/fields.yml deleted file mode 100644 index de09a76f8d54..000000000000 --- a/filebeat/module/junipersrx/_meta/fields.yml +++ /dev/null @@ -1,9 +0,0 @@ -- key: junipersrx - title: "junipersrx" - description: > - junipersrx Module - fields: - - name: junipersrx - type: group - description: > - fields: diff --git a/filebeat/module/junipersrx/fields.go b/filebeat/module/junipersrx/fields.go deleted file mode 100644 index 4964270b28e0..000000000000 --- a/filebeat/module/junipersrx/fields.go +++ /dev/null @@ -1,36 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package junipersrx - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "junipersrx", asset.ModuleFieldsPri, AssetJunipersrx); err != nil { - panic(err) - } -} - -// AssetJunipersrx returns asset data. -// This is the base64 encoded gzipped contents of module/junipersrx. -func AssetJunipersrx() string { - return "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" -} 
diff --git a/filebeat/module/junipersrx/module.yml b/filebeat/module/junipersrx/module.yml deleted file mode 100644 index 73b314ff7c70..000000000000 --- a/filebeat/module/junipersrx/module.yml +++ /dev/null @@ -1 +0,0 @@ ---- \ No newline at end of file diff --git a/filebeat/modules.d/junipersrx.yml.disabled b/filebeat/modules.d/junipersrx.yml.disabled deleted file mode 100644 index 559eb049ece3..000000000000 --- a/filebeat/modules.d/junipersrx.yml.disabled +++ /dev/null @@ -1,16 +0,0 @@ -# Module: junipersrx -# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-junipersrx.html - -- module: junipersrx - firewall: - enabled: true - - # Set which input to use between tcp, udp (default) or file. - #var.input: udp - - # The interface to listen to syslog traffic. Defaults to - # localhost. Set to 0.0.0.0 to bind to all available interfaces. - #var.syslog_host: localhost - - # The port to listen for syslog traffic. Defaults to 9006. - #var.syslog_port: 9006 diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 41c2bf6dc479..eaba83c9dca8 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1030,6 +1030,7 @@ filebeat.modules: # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local +<<<<<<< HEAD netscreen: enabled: true @@ -1049,10 +1050,8 @@ filebeat.modules: # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local - -#------------------------------ Junipersrx Module ------------------------------ -- module: junipersrx - firewall: +======= + srx: enabled: true # Set which input to use between tcp, udp (default) or file. @@ -1064,6 +1063,7 @@ filebeat.modules: # The port to listen for syslog traffic. Defaults to 9006. #var.syslog_port: 9006 +>>>>>>> stashing changes for later #-------------------------------- Kafka Module -------------------------------- - module: kafka 
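Review bot: Unresolved merge-conflict markers are committed in the `x-pack/filebeat/filebeat.reference.yml` hunks: `+<<<<<<< HEAD` ahead of `netscreen:`, `+=======` ahead of `srx:`, and `+>>>>>>> stashing changes for later` after `#var.syslog_port: 9006`. Drop those three added lines so that `netscreen:` and `srx:` both remain as filesets of the juniper module; with the markers in place the reference configuration will most likely fail to parse as YAML when someone copies it. The same three markers are added in `x-pack/filebeat/module/juniper/_meta/config.yml` (hunks `@@ -17,6 +17,7 @@` and `@@ -36,3 +37,17 @@`); if the reference file is generated from that `_meta` source, fix it there and regenerate. A pre-merge check that rejects lines beginning with `<<<<<<<`, `=======` or `>>>>>>>` would keep stashed conflict state out of shipped configuration.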
diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml index be40af662027..2f121a65642a 100644 --- a/x-pack/filebeat/module/juniper/_meta/config.yml +++ b/x-pack/filebeat/module/juniper/_meta/config.yml @@ -17,6 +17,7 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local +<<<<<<< HEAD netscreen: enabled: true @@ -36,3 +37,17 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local +======= + srx: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9006. + #var.syslog_port: 9006 +>>>>>>> stashing changes for later diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc index c59b7ac4a95c..a0e63c5fd9f4 100644 --- a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc 
@@ -5,18 +5,130 @@ == Juniper module -experimental[] +This is a module for ingesting data from the different Juniper Products. Currently supports these filesets: -This is a module for receiving Juniper JUNOS logs over Syslog or a file. +- `srx` fileset: Supports Juniper SRX logs +- `junos` fileset: Supports Juniper JUNOS logs include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: junos - include::../include/config-option-intro.asciidoc[] +:fileset_ex: srx +beta[] + +[float] +==== `srx` fileset settings + +The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html[JunOS Documentation structured-data] + +To configure a remote syslog destination, please reference the https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502[SRX Getting Started - Configure System Logging]. + +The following processes and tags are supported: + +[options="header"] +|============================================================== +| JunOS processes | JunOS tags | +| RT_FLOW | RT_FLOW_SESSION_CREATE | +| | RT_FLOW_SESSION_CLOSE | +| | RT_FLOW_SESSION_DENY | +| | APPTRACK_SESSION_CREATE | +| | APPTRACK_SESSION_CLOSE | +| | APPTRACK_SESSION_VOL_UPDATE | +| RT_IDS | RT_SCREEN_TCP | +| | RT_SCREEN_UDP | +| | RT_SCREEN_ICMP | +| | RT_SCREEN_IP | +| | RT_SCREEN_TCP_DST_IP | +| | RT_SCREEN_TCP_SRC_IP | +| RT_UTM | WEBFILTER_URL_PERMITTED | +| | WEBFILTER_URL_BLOCKED | +| | AV_VIRUS_DETECTED_MT | +| | CONTENT_FILTERING_BLOCKED_MT | +| | ANTISPAM_SPAM_DETECTED_MT | +| RT_IDP | IDP_ATTACK_LOG_EVENT | +| | IDP_APPDDOS_APP_STATE_EVENT | +| RT_AAMW | SRX_AAMW_ACTION_LOG | +| | AAMW_MALWARE_EVENT_LOG | +| | AAMW_HOST_INFECTED_EVENT_LOG | +| | AAMW_ACTION_LOG | +| RT_SECINTEL | SECINTEL_ACTION_LOG | +|============================================================== + +The syslog format choosen should 
be `Default`. + +[float] +=== Compatibility + +This module has been tested against JunOS version 19.x and 20.x. +Versions above this are expected to work but have not been tested. + +[source,yaml] +---- +- module: sophosxg + firewall: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9006 +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9006. + + +[float] +==== Juniper SRX ECS fields + +This is a list of JunOS fields that are mapped to ECS. + +[options="header"] +|============================================================== +| Juniper SRX Fields | ECS Fields | +| application-risk | event.risk_score | +| bytes-from-client | source.bytes | +| bytes-from-server | destination.bytes | +| destination-interface-name | observer.egress.interface.name | +| destination-zone-name | observer.egress.zone | +| destination-address | destination.ip | +| destination-port | destination.port | +| dst_domainname | url.domain | +| elapsed-time | event.duration | +| filename | file.name | +| nat-destination-address | destination.nat.ip | +| nat-destination-port | destination.nat.port | +| nat-source-address | source.nat.ip | +| nat-source-port | source.nat.port | +| message | message | +| obj | url.path | +| packets-from-client | source.packets | +| packets-from-server | destination.packets | +| policy-name | rule.name | +| protocol | network.transport | +| source-address | source.ip | +| source-interface-name | observer.ingress.interface.name| +| source-port | source.port | +| source-zone-name | observer.ingress.zone | +| url | url.domain | +|============================================================== + + +:fileset_ex: junos + [float] ==== 
`junos` fileset settings diff --git a/x-pack/filebeat/module/juniper/fields.go b/x-pack/filebeat/module/juniper/fields.go index 6122a5646540..3866229dded9 100644 --- a/x-pack/filebeat/module/juniper/fields.go +++ b/x-pack/filebeat/module/juniper/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetJuniper returns asset data. // This is the base64 encoded gzipped contents of module/juniper. func AssetJuniper() string { - return "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" + return "eJzsvW2TGzeSIPx9fwUefzhLDnXLlm3tjW52LrTd8rh3JLlXLckbFxNRAaJAEm4UUAJQZNO//gkkUMV6QZFsNlBs7d18mLCaZCKRSCTyPc/QLd28Qn9UgpVU/QtChhlOX6H/cH9A//Hp/W83/4JQTjVRrDRMilfob/+CEKp/g+aM8lyf/wvy//UKPrX/O0MCF/QVEtSspbo9Z8JQNceEntu/N19DSK6oWitm6CtkVNX+xGxK+sriuJYqb/09p3NccZPBkq/QHHNNOx8P0K3/9x4XFMk5MktaI4YaxNB6SRWFz4zC8zkjaIk1mlEqkJxpqlY0Px/sT2l8j80slKzKw7fSJ+p2WcBaYN7Z3vjqY+uHltguUuhF5++7Vxg/sMGpfFwybb+HmEaVpjkyEhFcmsrTX+E1KqjWeGH/jQ0isqDablraz3ugEXorF+iSEpkDGwc24mCxPlLHbqeGS1dUmMxuLTJgj3Bi6nuSa6A5kcJQYbS9H0xog4Wp0dBBHA0rjkEwx6b/wRA75nCySyBs0HrJyBJhpKnWTAq0ZEYjjN5T8zszgmpdn/75gDWazeqlrHiOBF1RhWa04bsSK03RO2qwRQ2juZJFa6knb+VCP7/G5JYa/XQA/pIpSgzfPEPG443RB+qEheNw0ULzPEhITleUH0FJLkX/fnYoeUlLRQk2HpOczpmgOZKCA1oGzzhFBS7DWBV6kUW7MDvO+J2/51eXP6AV5pW/8SynwrA589xJ7zAxiMuFOy81OAjYHbPgPbfA9+xxlFgZRiqOFfzeH+z5KGcMQB/FKSHOGEAe55TRI1lNeyYv/t+Z7D4Tu2qaA3nY9ZWzPzLYSP9YHg12K3yM0EuOmqJaVookensfTrZU9/9hmGmDDS2oMI8ROVzlzGSE494dfiToUWHU5jEitrQ61WNEjInjEEurMdWS4/FyWk7xMdIjLdnmlOYxbagRvSZkZ7a+WLsFLDYDPWSgJDzMiujpIQPoe6yIcSr2XCsTUVG0vCpB8jlyDbYZiXwoQMF7k49MoVZXgn2p6FaNVs3+/Z82XaP2QgpiHwds5GO3bEfEzYqlFYdt6l7YZdicEdy+z2/lAr1ZUWHQDQhnVImcKmuCKOoF1WDrc3ZHc6SpsUA6P+6uoccNlvoQBrAfbLA0hzAAfa9DGXoC4/uXjmPMwb7uQZP70WApdSJ9tc2Xv0pt2iKS9zlSU5Ezsag/1CG2afmQvh76smMYbPCjUcJeXa9+QjjPlZWVY9e9T9zB7o38Wom7epmavC//7yWvpVZ62dCXC86R1vaW5QijBVtR0TjJvl5FwJLoOP9FWgskf4zK39cR0Rh1aMhykyn6JcFZt4OHcMCw79kGqPzGLY2u4SI9895sg9HHTUkRwUMJMqOIMrOkCn26EuaHl0gq9AuX2Pz4As2wBi6qA2RztqgUqH579n2MuvsV7xvCoOmMzwj+BfvrhUzlZttlHdcrf/UOBqnWWOXJlLqWRGttu03Jq+vPHX0PI0U57h8pQnqjDS38I+rRttCW1HGqdsSz/5aKLZjAvP5NV1vZQ4dU+teOxIir688vAyTw6A8o8XASNBgNqRzj9dky6lBxPPb1WVKcUzVJ7PpXWApdXT4kSurwbQdLAcxxsdJH7WTjJEvuZ8O1onW1VbTgoljT5UJyTomR6msUwJZ6J8i5sTzHNCKOdDS3mHYU1beyr7agHYR+hBZfQWaPRVUtpIZkt0IKNNsMDg0hRb9UVBsLULOi5Bt/TvbLVtAjis
kSaZZT9OR7ZJaqQi9+/vkpWmONNKWiWWUHJR6F8noAJXQphabpSEG+Gq4gshKm8SlUxcwJPXuVdRACeoJnckVbxGAimFlZizdtFMXF6P0hXw3bnJhUNGdVX0+LQahvQppj41hgc8TMP6sX3//wF+1E+vMSBGiN9D8Hu/mntQff4g1V6AV6IwgudcVdZMWalPeS6yHoDwx+BHIrQ6v8+AL9m93uM/Tjj+jfEJHK6suwC7/oM/Q/uPlf9otMoy5RvgkeoZA5fbS2rljTjGDOZ5jcptWAHXJCGrg22Di7whKRiryUTBgwTQwNJzgDc2RUKZkoP22rD+qSEoY5YAyYaiOV1azFxmkd9oMV5ix3jBFCCqG5rERuXxhOAXkmFl452pu82L0RA8gxYoH+OuwIG42cwoZLnD+Wd86jgzT7k6KCGsVIwOrwpnD7y2ALu+e+FsL22cdmq9HKeX1s5+hXubZHM7Q5mUBSWWPMSHRLabmHaI/ixftKiKYkoVpnK5Zneaqo65ta8iyooAobuOS5pWDLLlwxZSrMrdHe8b2LgIuDFcya3RArB2K4XfirfnWJlJXWGhwqQDSsFtQ0X9tLCa0SJT2dnBIuE243JVSSUNBQ8F9d1r7XD7SQhqIbz+9EUXhoZ5sxQWn/VwdivoLAi18p0yVnKTMbHrU5r9lA7X8UupmVuQn5HW6dfQM8r9dcV1st/gn57xFhdOJlzvgJYvR2VWscXV+8vva6L8HCkocVpVR9jRfBE/nVpUFUj8P98ck9VWCIg+kecqV2Tflq+5Otwe70HLDMz9GLn1+iNdC9oFggzHnYVwBOfVCTtv4jtKaKOrDYIE6xNkiKXrlIl4gnVxO/biIG7mqKsK2n3e9S5UA4yGqiZCkkl4tNPxA3Z2qgxSL0MyJLrDAxjoj2Um8Af3CaC1QJn9PDOz7z0Yra2AXdLlCfMoiwI3YJFkVhlUwp6jCCwutRmQaStadWYgIaq4tRCO9zkIRUqoaoDRY5VjkSUhWYsz9D+b1SFUH65D7L4WgSyWo2eJLuRaQt1g0yzzmbU9hxwMDXlEiRjyjY2+POtEnpZ9mxISaILEpOTZABRp2oGBR4o1hPDLbqzZQ5ESPf2LWD7DzGyl3OHGW/QgqzjHRM2/rUWDkv2yyn/ESEfyPyFGS3IP+UInW3hR1i0a5eq5guvfZjn8IDEZXsRr9Ght4Zf/nQiirdKqfId+WBBc73ocy2oTjWNrdlekSqnObp3kGfZOOfKd2sWOsYdaZN88V2fH34WilZnAPUCoryNaECKyadWl9U3LAzw6hCuCx5Xf2y7WVTYIEXodJchDiEd2p70SHlcNWImW81kmvhImMGF2XfM+gxtqtZFIe3z2hElsxaNzKn+hy9q7QBM6kN1N5KbEbycrGhRx7STgE2n1u8V3QKTQgOuV7Q0U7ROVVUEMcQ2KrWOVux3Go2wA9hQXZTC7KPPeKFN3lXMjXZDrfn6WJBd5YTmeEbt1lthZ7V1yxSwKC7faMRD33UhfPMSuNGnp0PlmzSyWQVWwIVA0XuoRAb+se+KqBBfqloNRkrWe52XLSVj2usESCRj/ANIPdDbKJGVAo6BE0g0xaFSfD6LooUuJZZAlTLLIX2XMYURV2gL6JDTaArtV6R05iQPfMx+MYMnst7vTnHis19cu2YYMH2geh1Q4jtCMJkoMTHUKx1xVOHnUasKFkZIgv63OHQGC+QlS3nAw7BwpOgY0COMAhdUcVMytKRHRurV/dFgK3Izi6XT9rixUHvQPdKN5UuFhrEnUpK2JxtDZ+wduuCOWM9VbyunD6bKXAAjYuR5duCidpFlfsgSxBvbzZPdQifu1Z62xKUCv1241Njma4TAvp+NVi/PqGxKkldSs0iCo6DeAvMaZG7DlOQyl/f3dEuPBU3WbrWRfcURaIqqGLkvrIouLcJqth2bKxdydbcDCeW3P0ebG1FRS6VT5jduTM5++ME3Wvq0K6c/UFJ2I62iKWvBR+Q20
rQ3Yg5SZ+yV903wwvpq/69mPFeriVucouFNAijpe94EU6g5XKR1YkqJxHqNSPeW6hP0TOlI/v+DulW0LUaxEdY8ZeckU3q27NDLlwDAr65tuCbEblc8ZR502ECfqg4BcTC4lQKQ+9Sa6wNQlfC+eu2/VBxnmv7f/CoYl4jFGoAs+dxJkssFjQTdJ1aFowFLum6FeoHJcQYxWaVoS0JMczR1w51q623n7+w6NAljibsGspxlqxt5S6igSHYzy9yyLT1t4BxCxVglmB1w0G9zflSK6rO0Q11h1Jpqs7xgkIrb5/pPpeqxmEAuwbj9HYCv0fu962+FVKhmZJr+1n9V69rOrNrtJ/0VX6NlYntpmsAx/ao+DslB9WhU90pyfNGbUx1pWRJfUAx1Vv8WiDMqTJNdpHaLur/5sJbXny0mgBAElJAYc6RkOJM0ZKCJbMr+wHMhimfHFIpZS9MY6/ASYIe95y5CFsd/hnsbM3M0ivLTtajS1hwBtUmAklxtpD2v3e8BKCkZAHFMeG+cSsY+BwQsEjKObLSwTCqz9HNVqb0Bxu0K6vSYHzhyvkqbY0YVzLqkm1yL3494TEivNKmZkj/j8ExwU+Ytifpa6K9f8MqvvDpuAo0ufbjbljYondtmdIpZd/uM7wslpeABcJaS8LAX2pPI2hPwoG9Zbf0FcKoXG40I5ijnOnbZ6hUMBPlGaKGfBtWlLHCx9Re3vOhd3U2ChfUUKVRiTV08dLQyMH1IiCyKKwUk52g/bC0hhqyU91z78GpNL7WGSZ4mJz4JrIoq+EdTHBsGK2ZyOXa59MSKQgtzbMmk2KUGINtzivON+hLhblzfuaywEx4qSFaC3E58nS1vZ6x1KUdW7cq4Vsmbmnua4HqRHSswTvlDRT7yTcNaucs33VwfNAVIqmoa092cm6JPgI1ejDS6iR4/VZ6zyu6GbbraYLOVBWsP9gptYvVrwnYOv7frWn/GFnTnjOe/o43W/4FVmuusaJ5RSiqI0c07G7TVDHMs8BrmuwRuYEla7W5/z62HkD7woz6BSi51Ue1HIjhMfar24duifWyuaFWLQxUGVZk6TJ/6xqbpszwoobUaxFmN9Isc64Vsb9q/j2sNEVWngvEIOeuEoRTrOyfoBHeFjVfQOi9naou7NwffXDCrxr2eXrULxaRxYyJpm92+8HyZaPqHq/XiqlKT+3pa2sjgMC4x2+aAGngSly41V1PxnFPqbPgkrvGG/I5L/PVJXrvJM0T37gBuWl7vujX4vY0rFc7B/QpfPkt9/PVJZDUl7w1YmLoPehG5FwaoNvCuWMiKwvWTIeN1JXepOxl343q+gJtpy7s9GMLZ3xPyDWW9BfNwujqcq8mG8s/t0eTtYi9EPlWoz1HF64+0/c75e6D3dosIKi63/jhG++Om1WmqdyUpnmMKsGpdpSR7kFZS7TCiuEZH1QBuqYMTKCS4xFBoKnQSfujdA60raq6lc+tpLIaRl1fyOw53zy/uu7r0Mi3jHUehbG67CMHCh5cC7mNtDgk0ZUw6IYtBAZhMcKipVQpm9d+O5Bflkmva91NQldH+E+LSOsuA5flMsA473/7iJggvMqpFWd+kK39+Tl68uYOFyWnr9C1c4g4sCC9z8N+EYjMTR7bBOfU9mkJY8b0rVW5j8DrHqV4LTfme/80fGD6dkfI1Si2WFCVboRdmGSf27EAjwNop0tF9VLy3HKPs9VHJo12Qu8TeBaGsXcvlZ98cDrG06YZx9VluIzk4Og8kUWZTZx3Bafic69gjKvz7+lqdmbRkQLqU+cwbkbmFRmz0rxaeqKssTbmjbSUCjoPWLle4zcyJQ6rfI3VaTL0hl31rXTF/iGymxhpjfzEClGM3mFS91MOK7dWBE1qx0hxViuoarcUcrZm9KHWimIdPTdYG2yqWIpz44/CjJ/M7LCLz+QdYvnz8ffLvqzVFBhajD4NGh+7u2CxCF/d+h1LPH1vwOSXw7l7xzxnTMgqVoyzVUeiF9
HvlJWkMZ0OA4/sT5EBp+7M2GGJ15xbuYd0RQjVel5x9Mauj4jMqbYsUTf7DVsWTOT0LjIBONPmOM3zgbIFFgZTTNVIzKiC+GaBFeOQwRPw4Ln4u1ggDEQ8s78N7kwk4EM5c82FTqQR+9XRkyafs6RKl77o1kmYAcm8irBNiK87PD0dKTJ0bq7he5w6ocQpX02Sl/dVuW/bDzETGuXUYMYDToaZrEzrdyNbk3zy3MzaY4ubPDbAY/whNbQoebJsntcop3PsQ0C+82Udw/fZmlYrXlHF8QYKuYz0jyt6EriR9gOwuv2v6byuAne+em2YqaAxIwpubGsbDBs2PfS6Ro1itfw7BMfGNIGsIrIo7H1Kw0YXDjpirWTfUskVy53/rO4iV1A9mgiVS3J8oPH+3rJfGN9qjaSdlxdWDe5KSHo6jayvV08r6/+QsyP9Tkdv7z/kzAdgwrerZOka515CQrE7+ZvrK3Q1UKjaaCTrWuurS3ZjELGwq6mGXUQ1pO/jD/O51WHl3omIbCbz1BVfg4q7vtLhcUEWlxH1aBm/W4ILGUxQed5yAfvSYZdA28RD2ILlTShnxIlXxLYaB2XgEV7+eEpes++ySvlM1dO9rz+57jl1IAqSNe4oqdpeBJf6NaOh8ta6C9OuxI0JHCFBr3jedYg01ZV4hRnHw0AGalzhCOor51SpkUkL7g4d4+uPF3fzxkrhG0C5AOxgSz7dQLPF+YhEZEU2q/J8E90/w4osah1QC26l6XGNznd6qeJDVExG7HLQK7HLdDVFQQLT7exV13MVVzkzTWXdti+axyg02G5bseFEyTa8sHuTLkssNgVXk1nlF5/foCe+VuJzxa2uPGMcCjggD+zNXSm1/eZTdDZ0NIh+FOZWyLXoGEKakgqaWay60EcmbRI8gQuunxZ6UVe5v/elSW/pApMN+jRqrnE2U/gURfl+4Q6JmUAFZmKucEF3pmOUWMHU3vR9EjrK5TUsi97L3CVHb9sCtrLOAkihPdoXpApYQqSykLp9497TNfq1EmBKvpM55egJE6vz754hJskzNLP/R+3/YYH5RjN9/l04vmhImc05HkzOj61DdTX8i2sEi4KvC+Tkph5+Jec7GzUYmRRT99eZx7Nug6CpsowcRGhVxJW7Pcw+v/sdK4o+ugTg7777/O731x/efPedy7ldYYXZKE+upbqNWbK894L9Xi/YjrCNOsGwiK1E+JqduF1KmucAE/tcbBKYMHOpqNCMxBQgLVdSAoyL+F6QQHwgFtBsjdlwOPGDvQPQ+zw2UHt9Ypeo62qW6FKYWa6Nil35DvXayRxi7bc02jta13ykc5IeW+yyHQw2UGl8scm27sXXu1gQczbqaKq3mswRe+xWg92IAtvsl/eEhfLR/QTv77iwyHv9/8Nw1a3K7Cb/nYTF8paP3iOyE8mTMEcdx92Fn5QTJG11TrZllz4xTUZ7nWUHfTKfgtttwLn7I9N1y2o2RTwMir7mmHFL67qZy7WXGVeX7do26MRlzUFDF4EWBuNZhXXOdWZVxCP2c0ziNaRb++qjC1kUleh7ogbYieMaNz0Uu/f0zvydhnXqBjd9nGb9UNxusMj/XYajZlvcDDbsGMnwYOyGC3eQ05UuGWEyWpboVBY8YL/GSgyDDo8ddS2KMpOphPHN+3fX6DfnR90mpYYR+TJpKsHNf75FXyqqRnq3VlxkivY7daZNbmg5RDfoQ110FkzrarR0EvEhbQOVsccIWKDlUY6jfVBNIDj2YLh5/AENmGNVJDgtCzaBewGXEQuQG6BVHm0qbQdm3G5XHdA5Nn2t8KFwZ1SQZYFVrLKSBu6mxIPxxQ+OPmEySKeKAjNbRucFQudxC6gawPMFtFpKAFbO/kgAtcTRJ2G4jlPR2QuC7hmL/eD4zm0FtapndKRFhgkMRolffmJhaxHReG8Bni3K1U/iziyjv+9EZMSoLNdR+663oFvIx0WeDgC84ji6xBAZFQsmIhZFDkGnyI0W2T
zTa2ZIdPkhsjmXa42L+LkrbdjCrNJBTxB1ISJjIqU4YaKkqphtoiW8D2CX5DYN8BXmKXiFlVmppJFZ/JAUQF/9lIHHMT5snuxucrnI8hTEtoDj578RkRX4LjMmltugC9hyNKcJHoWCiURIM5EO6ZLrjM94Fjss2oH9fULg0TuDt2DH7oXYhh27qrcN++eEsF8mhP2vCWH/z4Sw/5IGtpElxzOaQqQ00OObZyIrKg7K92yT4J2sgZe3CfSSouJsUZRptG+rZWK+iJ2E5CGzFEqJpl9IfN+IyLRLSExwglqRNNakBZzGmtQbXZUJZpES0ZRVJzFVjTTW9KB3CUSIkcYaZqlgg1mTBHgl2J3AQmpKEjDh6qWlSqJHYfVSlmZJcZ7ArSaLMiM8gQ/bAk4QJAG4arYx8d2iFrJOArmssgQxDaKYYQTzBAVEOsMLKsgmYtZVG7bAfPMnzWcp8F5l0AY0CWTXDiYN1i6xNgn02aJcvUzjg9bZjJm/JGk0RnQWd1ZcD7CS0UW1TnLNASolKn6Vm3Y+/miztlqAqVk6P39854gDDmpfEuCum3y8DnIt2HPGaQobRmfzFIfI5jGLs7uAU+gGOmMlJClmSUQdK1c/5dqUg2b+kWBrRZLA5mxOU5gxGhzNBc1ZtILRLmwm0nBJIfOKU01kCmp74GyRQDbJUq+xiTrzvwU9lEEeBbCiC6aNwvE9IVvYCTQ+RctUpFbJaK2hE7lKJF9dZr5j8QTQjaK4SKBIulKgVGinU67XS8l05ibMxoe+wQonYfB8pBA2BuSVm28fGy7TBovoc45zbWaVijUssIZK3aygFFCr6LjG16PrmuTYYGFywzz+sOtjOw3sgrnAeR77DrA8dli1bh2U4C1iRUaUlEWSrkQWcAIzjRVZmuRI3/EoBZnL2+jtmUodv2UpK3WpWGSgHBtmqujZZ5wJGq/FzhaqjjpRp4ELxbfx3Vpcuq6n2ZzL6M95AzxByr+1eaNLHQs0gcSxNnQCVKPnJnC5SMK6YpHkApdSxRZgxaxapLhmBdMkhVgodBKGTTEHQlADzZWiw40uw10D6NgZfw5q7HQ8sV7HtkCSVJRJNwA6uiUq42tGUrFFFpjH9WC4a0FV/DerzNxQ3uhgo06m3oJ1I16TMFmCwk0/Eye2MPBgY0uDMnOOpOjoYq3thxlZxqrzH4CmdyWLHggoqSoWCgsz6LkbA/I6CeD4T6/rRPbpU28KaATASi4yrMuIAwPaoBWODVVRzFPod4oSoIPrOpoIeHwiW8hxW7i2IEuVJ8A4viNTJ/ANa+cbTpAPoGnsRAA38DiBcaLpl/gMEGrQGg1qAlNKs0UCwavL2F42rUiKe6BIHl2R1oqEuuJGAGzijdhqw6x09K6aKyJiF0oEp8U+FKhr0hl7+2Zh4rOVAxo/otfM9IwNd1NG79Za5bMkeeiV4gnewkpTleUsdtV7krEVdWQoBRkM0QYXsb3Bq4wJbfA8gWawYsqkUMNXpUjQuslIVYmYbtZQW7RAR9HXlZHoQyXQYOkmeyThsLzPmLMcXSiaM4MusMp9N0MN7d/D6LjJWQmpNDYhFMDAEH0E/Q2I5ChUqtPkQzCRjnJvipLLDR0MFtxLv7msojX1PpDHLA2dzwjmnSm6oHeowP1GC9tYrFhU/WEgyZHkTMNwhnp1f/TQQAnpqiylMmjYeBSh9RIbxAwqFZ2PscID0nLvM4QiRHhvdTQoICZ8Z/eRvtCcidQT+Vuo2tXaeGpk5IKaJVXn2+/rpawGLxpCgq6oasYRGYlKrDRF76jBMBHc3VXckODJW7nQz69d2etTdOlHfD1DZhmYUgTNgD9QP/oY0BboPTW/MyOoDp/zkKmTEG8OI7ubWwSLu81qihVZnjPBgvjBzN0J+mv3xCfMwoBkiOccVwJm/S4qmONaN3EPN3Dv9Wvfsaf07bibPTVNuP384hFj3x5EFrGm6bDOq7As+kjvDNyKMXfBFNOoRwTSdnDde5hQLf
jIxEvonptwHDj0z9XUIEW/VFSbHU27j89Wvn+vfKcywFget6qT2H2PVJN32nWn7MLJYQSxsc7foUO7fhXceczZ//vnG9rFri5roQBrh3kDrIZ4Sbz3ZGH7uMywpsilazfYoMGtak7J/+I0+IpmFHyDuVSufX2QjAhhjTSlMO4M755XpbDQmEww3nfQYdotLUDt3TINqRRMQNuFdElVwZy6MRXS2yXdYA62YpwuKOJ0RTnCWrOFcAe3ndcfZn1oyXxC+Q3r7+D02UkmPVvMKsG+VLQ/JhGHL18L3+M6Jh43BaXWaFjuLiSRQlDIrUBrZpZjggKhQGVIo7ErelR50b1NC0tOkCfNE8XlghHMkcVgxPQBLE6LHSw1MqbxdLQrlxsdRq+VzraWvazW2A885gzrbCmT2wTOiGvMNZilsh1qZKViewRPuB8AcpfGYgtvmh/EQjjF6vw119Ia4p37dgnBcvSr/8U5ei02zb8G0A3Y8loYhPNzIouyMlSFxXASN77dWDrz7Jv+WcCMxc6BMPPP6sX3P/zF2r6XreOoKfZNEG3Pp1nciNmhjhu8oQr9a+OT0889GoBc+NbHrv9Jz/Nii3OH63eex5HJy/tk27f9gSl2nXP0/rePb+zeqaLOeQL+0pxpomiJBdlYrdKrZ7yfC4KAQs/Qx3ev0JUwP754hq7eX775r1fo05UwL39CT9bLDRKUmSVViCyl9qPSpFKUGPjWDy//9//39NsgRahZJpRxfXqATD0vcHgcj07Mffe85jeOF69qpMJXPH9cSLdl0x7Mj2wYd/ADH8K3p5hurZPPTJkKc/T29fsgsn9KQdP5so7jjP8jBT0P09ai+9WIUNjIfuEJR/AY3+Ad57DAhq7xCUakA3dfo9d5rsBP67g8hE7z9JKiPDbO+dBYyNXFu2v3Ko2GxwqsJ4x+dJxKTlP1bze6uraojHi/LA2PnAQRhYZ27XEa1ppY5qZrTSsgWujiPGf2y5hvA7atWf7hd25CBrAmIVxw6W/4ZZcFBqhsc62T6HWHPmkYvfcYXktlGpE8ELo5BNjgAJjZ7Je8emLau/0wsagfk3pb78YIL2jIbpzKi+uxA8sXay0Jsyqn8xsNdBxk5bLCYkHPG9OJSDFni0rRHM02AJOKHLKGwnKmPLL1wKBodERbDi46T9DvgEfU/dslXNEdAIoW0tDMZ3bHzzOKT9pc6AxnLhU/AejSqDTA5wlYYp6gWpinuA6p+p+UCYiK86z2xKVTy/sWvN3HeX+1tjPhBBrsG7OkSlCDPm5K+gx9qp+xt+AA+xFd1w6wwUvw25imVo/qmUCZGDGNa6S9X/wZwpwHlYly+0VIcMMKEvNWVNk3kAkjkTbwmDOBPl2NChQCCbLJ5FV0kW2ByjLB2DcLWFEdO6PXgk1Q4uJexNip6OBvT4CtG62QcSoW0SdFAs5W+UiohY5ooE7lwbwVgBGIQDrBHGH0i1RrrPLhnG6EXi8g2UshbG/8HeTSzahZUyrCqmfkron3jXFLg3k7VOeQQdAyHjIjBjtkwue5QlpCwYwVS37ERniLK47FFHH8AxyUdYJIy0U52GDXZbmNpKysBbsAA7b78sSOVFICXQhW8frBHRaxx8owUnGsEPSLRjUST97cvXorF3I+D09/pyQzS5r8eDvIfrQLutvYwvuNxdui+7oySyqMTxYfRVtXMTsnHJbQ45YcR/2TpmoUYVkZIqeltF9yHOGbihCq9QjO0Hn8uOZoxyWeAF7IqrgLqTYoUJgwwG0K4dTBkfZwtFIJAny6lMK+K1ZuhZTD5odooCh1d7WK149u5N3EyHUthZoBzmje7Mf7YXr6MBNIM1MF5CeC4gLqRbSHusQa4VyW9nUxS8oUkmuxPTJHOIPvpJDFSF4tzOTQzLWon1aJsMo9E7mVP1LphgAY/cI4Ra89YucDMhzi7BXNxtydHE0Yb/Z/knSFURLc+KyFuFQI7TFAiJj17g8ghMvXu/H1GrEpMZ4QOp
MpqwcCm5/RJV4xWYF2SWRRKlmwkQxFOjVybwSecSgim6OL3bgxsWrETkIk+xh2tE4URKCDYdThMkcgGFi/wS/16bZe2e19G2W7bZllJUy/nC22Rp9DGXhGjjHrD9KC4D1eUEEVI/WWgCCQ6NdPLWBmCU9taLYb8siekx/OtVHjwc96T8e03TrZnl7s3pNXL9xaCfcVNE0bI9ywgmor1522p2hJR4NI/hSiNYXYexDQePCBx6AOZK1jenefjLV+PGxPP2Q62pDTg7fmHcb7djjYG+x4KxAOEAZf7+5e7N2dmvTs3EWLsje1/+Si9VKdRoDskeONAPl62fHH/UcWa7TBNEd2mHxUk0qQmHfsAPkxKTvG3NuAGRulHkrQen7q6JU7lVlmBTVLeYIoCe54kpFDw39t9MChl5KSSb1OO6I6HyT3/lqLyA6+TOQJ+a/zn7//Hj15e/n6+im6ZNowsaiYXtIcSuGDuHC5kMn7Au2KhEG27Nzh4Y8ZvjiSMaZkYq/irvpPe6ohDJobAx75aEOf73NdCKT9N3W/Lccf4BSKmWIRapO+zRTDPFZ3ut5GPuCcVdqtgKRCmhWMY+XEkxWb9g4ReNfD5VVwzzXLp+w00s6U/2QZofYi9vpibi95ujqL12LXXYewhq80bPl/vZMIPhnwgnfc0FZZRh52ZUqVMjFgELIBUku1wIL9uSOrWqRjhUOJfQSl2zw1Qu45U8Fa0kRdf36xy8Fr4Vp8ud5FnazmXynmZkmwoqhUNJcFEzhYcNcST9fYMCqM3psez/GUu32LT7pZ1/qRlokY116db63gKrEy0Axpu9XdYnXCZkde2BwiUec0pwobmmfRksp28IcVPr/UKzbBs2slVyxvmof57+Gy5F5THTCGb/5jn7WuThtWcLabZPlEu2yW9L3+zGZkm8HhoZA5uWIuer7sK+4jLeAapTPmUPD7ap70DnSm1o9aldCLwEadjgoaK9ZIG6mcxLfQCmowrPYtfOvcfuvb8O4LluecTifl3sF6h8q5wPG25N5Rcq4ejzHNdq/9aq0OQ2JTR2efoZJje2T2fZYKUUHUphzz8kMq5AT25AEZdKqxLX+V2qB3mCyZGDHpcpxIcnzTp/UnAZn+paJWfFj9yDU50+fobY5L9Bn+4fSjXApXd/rP4eOJlnhFrebEKVboS0XVBkEPQl1KoWmtUYWLU+1+M/jNNPLS98AjFrJidRdI4bbv+vKN41lvaQJUtwz0wTdHPRRTmPKU1mHW5/G6tXSniZG1Df3DyzRSlRBBO1Y/a14eF3l2baRGauw8xMxbmOkPAqM1E7lca6RLSticEfvJs1CdoM+THV4Quz2H7zbnBj2BjrBUkO0zBKHLpy1qoUrAO/6WLjDZoE+62/i2icAW/ULa6Nm1doUJDPaR175tagEqUKsGTGZfxAHFmz4Ager/TqUplPMMydfddnqFeqw7r1OvAzuGHQYZzf/miM1Ok9c7tlWf4etd77WsewNbH+8COtzNNA67JmDQPZttQqY7hsEJhRtS7C9+hrKBmCMBRyvcYMs5nTPhffUgnKCrX4HLkaaDgN1RhWKJcNs6YHrqX2zB2PhsU+/d91Ia6U3Z+LCNwWRZTNwCf7sqEBwNrKP2cSQZ8jJjIt4Esah3w24ZigrTPp4BIdUu24FjcW20t+X9gamdA6zTvn17sC6xqnnK/vnZdivrJRu0Ukf2dlhb1iW/H7Q9E31miWtrIdUm3YH/VZdY/G1vx5gakW4X9Vo9Dz1Nlix/fQ7Q9+ztZCrRYFd1v/XduxrlgowKo2R5jOjIZTUbOBcO4nG/prW26Z5yBMDRVXdMew8vZFFisWnuI1w7GKfv7JUVVfYZypiYy7BSgPVt6hqhPfKjZ0XWmK1p2q7o8y+pcgR+qTjfoP+sMGdzRnN0CXXPzjkYRGVNZxmR8padKOj+O50ht/7WfsZ8TJuP3m12Gw4vKwMq95EjTPff9Q/NEn7KjndHO5/8Ofq4Kd3Wt5
4DSxx3guOHp+g8i9pMtoe2xcE5ItS3OtS2to/MFK66RrnsYuc8i6VUtbcfQswf3o4ceatXTmR2qmlRpp1DtIMUduW9nvsaTSVlIk2ki5Rdx54HKrEJuyaJyLCOGe1vAVa+nD4y5ErxiMfcghrxVBpjNKtULG9IC6amKsOLeDblFnT056kLOmr6Yxe05/oEgoXeGSpAtYpvnFj40bi5UfSWivZSZWJrVG6JKWoJOzL3IywL6tVz/98XHoXn/j98XlPI7Y85VeHsPL+dE0bP3WbawXPwuLZGrQ22k/uBaNakYmJOlRqJuw73Pcm+2or/XtIH3bMTIFn3JZ63jiFwpSCsLZNeqcASk7HfGxe3t2z3ETKIVftP/6DDBK3xgZ+sXFI1jT/C6uw+4+nJBYx+fIouYP0walSZiZqljND5gio//JN2sjB3NOelSUPHLUK2Dtwu+q1udYreedLsz2O9kvdvjRI+bXTD/gx7a9htIply9Y83SNCFNMwdYLnEemQClCZTtxVqHaVbfHy4oD3qZBOgBgkuPR6rG6fX9TfhhBTNFlNUVHT7GzVTDz+ODlq20oRpXUVXOgEyJEul89Y9LIYCGFKlkvpAB4fSlp5v7OLoBoLTu6TTJBkSTWdwH0V+cgOpnbsfo5b0PA7J+0vPHTiOi1CtebZK+aL3Q6rekR1EJs8s6+EqeptGnQowu6Xeok7U3OCb7biS9oMEsvUnpCFeJxW6unn9j3fX6Nq+U+g3MTJ9ZYttokrqY7D9uJZhbEEMkSUlt/ooJ/JhQjhtD7LQ0LmmX2fTIgzSQP0Iwq0U3KHlUsUGTSFPoOQ6PJquIKNGA+BssKkmm/DZxnKFOcsdIwaQ6AvCybpa7xKEQLFbutF9sR2J8+sE0siwl8aUOmMwgzYJaDjKFAQh+BHcJrYQdeWLVMxs9twoIosiaZ+4A/F2eHiHULgEf80U5X1LM7aLZc2xyLQ+1cBbu7KT4b/73dY1WkFsXalxVko2RVp1CGGHAQIMAKmwNQBkJUssxKBxRup2U35VQGQkZjtR2+bmYfEzD39/+/q9f/ee95ZvHhQjVd/3H71nG9O32UryKhUBXtdznIWfc9NMxq7H+VaCGY2eOCT0U+jWAYW99UTdHngESAd3w6tE0uytx/WTYManC5x3iw5WVEGmwLziiEhBaGmsoXzjznCkvcJ6nVL6OsJbg70eoW0RLaUySFr6/vrvr0MpuEGyx+Y7qRbTJ1j2Cww6LtYZds1Ogo1i/v7mt+ura/QO3xVM5M1Y7/Cx2r1NnobZGaI4si2/jcHudm2rUZ/CJYvR07NdlWM2n65g89RF+PWWk6sdHWeZl8pXl75Lr8diJ4Z8ukM5ca+AesfFf/u64aYwR+RDTTL27QZ/iTWhT5Td6MdVgxXfBHULV9z7DOkqkKKONfqrNkqKxd9mHJNbzrSh+V+f+789az5lYk5J+KM5U3SNeVCRwTPe+g3CIkdaohG2VHTBtFEba9lPKSxKbJa+WX+DA+rjMEASnFJToekKoV29FpGq1YW80ScbzKkwrZyUGm8/kPG8maZ23rv847iP4Z3TOa64yeBOvEJzzDulyJ0tdTP437eSI+pJkduR8duyNaPwfM4IDBKYUSqQnEHfiFZDr+ZcNL7HZvoXe89Whre+cRlbrEVidbLQqdskjUgUhdeooFrjhe9LRKSV3zDALKRIvpULdEmJzEfCPh5WdB+V6/kcMYGph/CU0giKMO2LJueICW2wMDUaYRvfsKMe8Xz4TgVVcbiHzFq3xtU5bccToKW1bWHC7u/MCKp1ffr7pyAIuqKq3aCixEpT9I4aDJq6r7ltlnryVi7082uXVPt0AP7Sp4Nt1QqMPlAnLByHixaaI51k6CqJC+dh0eZCL9Iqz/6M3/l7fnX5gw+4uLZvW+saegLcYWIQlwt3XsO+NrA7mGTtuQW+p7tzh+zv/cGej3LGAPRRnBLijAHkcU4ZPZLVtGfy4v+dye4zsaumOZCHXV
85+yML9rp6NNitUoVKH4aaoimzYh9OtlT3/2GYge2XruD+YcjhKmcmg37UjxG9ruH0iBBbRpyoGxUxJo5DLK3GVEuOx8tpOT1qWGxass0pzVMXgYyHLdptE10jSZoP9JCBkvAwK6Knhwyg77Eixqk4fZ15fzBukHyOXINtRiIfClDw3uQjU6jVPjrQqNGq2b//06Zr1F5IQezjgI187JbtiLiBJnUJxWGbuhd2GZf80rrPb+XCj3X1VQzQS86aIIp6QTXY+pzd0RxpCpN2Oz/urqHHDZb6EAawH2ywNIcwAH2vQxl6AuP7l45jzMG+7kGT+9EgYouFHXz5a51X6jmS9zlSU9F0HuZyoUNs0/IhfT30Zccw2OBHo4S9ul79tO0HOHLd+8Qd7N7Ir5W4q5epyfvy/17yJq598jTuywXnSGt7y3KE0YKtqGicZF+vImBJdJz/Iq0Fkj9G5e/riGiMOjRkuckU/ZLgrNvBQzhg2Ldv5vfG9xS7hov0zHuzDXYV1gQPJciM1smjn66E+eElkgr9wiU2P77opnkRKeZsUanx/Jbtvo9Rd7/ifUMY9LGWTYJlPEHPjLHsmLqa6Gt3MEi1xipPptTtnlTvFJLPHX0PI0U5Hqamudaq/hH1aPtmmMCpetvlQyq2YALz+jddbWUPHVLpXzsSI66uP78MkAAFu8miCCRoMBpSOcbrs2XUoeJ47OuzpDhPWF7fMe1gKXR1+ZAoqcO3HSwFMMfFSh+1k42TLLmfDTc5uFtFCy6KNV0uJOfQN/VrFMCWeifIubE8xzQijnT1eLiWovpWDsdZjBP6EVp8BZk9FlW1kNrUhXuzzeDQmklcFqBmRck3/pzslyGZmWKyRJrlFD35HpmlqtCLn39+itbYjxKqV9lBiUehvB5ACT9XJxkpyFfDFW6oSu1TaPqu2qusgxDQEzyTK9oiBguX6NTiTRtFcTF6f8hXwzYnJhXN2VFNE/YR6puQ5tg4FtgcMVP3/QGR/ty1Ca2RHo6z+ieCepENVegFeiMILnXFcdOs7F5yPQT9gcGPQG5laJUfX6B/s9t9hn78Ef0bIlJZfdn1HKiHqf0Pbv6X/SLTqEuUcPsLIXP6aG1dsaYZwZzPMLlNX/qUUyFNPRoN7ApLxLrmBUyTsal0wBzJmxkBy0DDbcwBYzfH3khlNWuxcVqH/aDVjCKEFEJzWYncvjAcBjJo6AhwWPJi90YMIMeIBfrrsCNsNHIKGy5x/ljeOY8O0uxPGEapGAlYHd4Ubn8ZbGH33NdC2D772Gw1Wjmvj+0c/SrX9miGNicTSCprjBmJbikt9xDtUbx4XwnR3GCKbJVy4PmbWvLAWCo3n1rAJP6WXbhiCkamXl12fe8i4OJoz3QHYrhd+Kt+dYmUldYaHCrD2SKj0/8bSiSrZz45JbrzSEby5ZKEgoaCf9v86gN0w29mNBNFsR8ENCIo7f/qQMxXEHjxK2W65Cx195JHa85rlqoQ9oEp0sc1jTqU3+HW2Tegngjkua62WvwT8t8jwujEy2Bc0CQxehgBJBW6vnh97XVfgoUlDytKqfoaL4In8qtLg6geh/vjk3uqwBAPjbpFQ1O+2v5ka7A7PQcs83P04ueXaA10LygWCHMe9hXU1c9ztPUfoTVV1IHFBnGKtUFS9MpFukQ8uZr4dRMxcFdThG097X6XKgfCQVYTJUshuVxs+oG4OVMDLRahnxFZYoWJcUSk0L7IYuEmuKNK+Jwe3vGZj1bUxi7odoH6lEGEXdMWrEVRWCVTijqMoPB6VKaBZO2plZiAxupiFML7HCQhlaohaoNFjlWOhFQF5uzPUH6vVEWQPrnPcjiaRIfNwttBpC3WDTLPOZtT2HHAwNeUSJGPKNjb4860maChfWhDTBBZlJyaIAOMOlExKPDjjaa1wcqciJFv7NpBdh5j5S5njrJfIUX0Tsj5IEHiwU0PRH4iwr8ReQqyW5B/SnGi7jn16rWK6dJrP/YpPBBRyW70aw
TDuP0Ict8Ot8Yu35UHFjjfhzLbpj8K/OEgFSVS5TRP9w76JBv/TOlmxVrHqDNtmi+24+vD10rJ4hygVlCUrwkVWDHp1Pqi4oadGUYVwmXJ6+qXbS+bAgu8CJXmIsQhvFPbiw4ph6tGzHyrkVwLFxkzuCj7nkGPcT01aXj7jEZkyax1I3Oqz9G7Shswk9pAXfeskbxcbOiRh7RTgM3nFu8VnUITgkOuF3S0c0PTBHEMga1qnbMVy61mA/wQFmQ3tSD72CNeeJN3JVOT7XB7ni4WdGc5kRm+cZvVVuhZfc0iBQy62zca8dD3dPuu5dn5YMltd7UqtgQqoo/ibOgf+6qABvmlotVkrGS523HRVj6uMYw9rdoNuNpoloBcrFEPDVEjKgUdgiaQaYvCJHh9F0UKXMssAapllkJ7LmOKoi7QWKM+tlAT6EqtV+Q0JmTPfAy+MYPn8l5vzrFic59cOyZYsH0get0QYjuCMBko8TEUa13xEzXNl5UhsqDPHQ6N8eIHuAw4BAtPgo4BOcIgdEUVM6lbg451n/ar+yLAsdGkPZfPxIPb3CvdVLpYaBB3cqPut4ZPWLt1wZyxnipeV06fzRQ4gMbFyPLBZNhmEmwQ79AUmYSH8LlrpbctQanQbzc+NZbpOiGg71eD9esTGquS1KXULKLgOIi3wJwW+ba7cHN3R7vwVNxk6VoX3VMUiaqgipH7yqLg3iaa/HxAJVtzM5xYcvd7sLUVFTnMSd4rt+TsjxN0r6lDu3I4nbaNWPpa8AG5YR7wTsScpE/Zq+6b0UmwXsx4L9cSN7nFQhqEm0lq4QRaLhdZnahyEqFeM+K9hfoUPVM6su/vkG4FXauHbb8bxV9yRjZTTNsZkQvXgIBvri34ZkQuVzxl3nSYgB8q3/w/LE6lMPQutcbaIHS1HRVQV1flubb/B48q5jVCoQYwex5nssRiQTNB16llwVjgkq5boX5QQoxRbFYZ2pIQwxx97VC32nr7+RsZSlziaMKuoRwfTOiY5OaAIdjPL3LItPW3gHELFWCWYHXDQb3N+VIrqs7RDXWHUmmqzvGCQitvn+k+l6rGYQC7BuP0dgK/R+73rb4VUqGZkmv7Wf1XUs9xtGbXaD/pq/waKxPbTdcAju1R8XdKDqpDp7pTkufbGaSJrpQsqQ8opnqLXwuEOVWmyS5S20X931x4y4uPVhMASEIKKMw5ElKcKVpSsGR2ZT9MMRel20c/NA3F6XHPmYuw1eGfwc78UI2trEeXsOAMqk0EkuJsIe1/73gJQEnJAopjwn3jVjDwOSBgkZRzBBPmGdXn6GYrU/qDDdqVVWkwvnDlfJW2RowrGXXJNrkXv800E8IrbWqG9P8YHBP8hGl7kr4m2vs3rOILn46rQJNrP+6GhS1615YpnVL27T7Dy2J5CVggrLUkDPyl9jSC9iQc2Ft2S1+1BhnC4MJnqFQwE+UZooZ8G1aUscKxBlbvCWLBUtRQpVGJNXTx0tDIwU+TlkVhpZjsBO2HpTXUkJ3qnnsPTqXxtc4wwcPkxDeRRVkN72CCY8NozUQu1z6f1k+bfNZkUowSY7DNecX5Bn2pMHfOz1wWmPlBvLDveiEuR56uttcz0QD7wWg4Jm5p7muB6kR0rME75Q0U+8k3DWrnLN91cHzQFSKpqGtPdnJuiT4CNXq/3ZwKr99K73lFN8N2PU3QmaqC9Qc7pXax+jVbY/J2a9o/Rta054ynv+PNln+B1ZprrGheEYrqyBENu9vcTP0s8Jome0RuOmP8++9j6wG0L8yoX4CSW31Uy4EYHmO/un3ollgvmxtq1cJAlWFFli7zt66xacoML2pIvRZhdiPNMudaEfur5t/DSlNk5blADHLuKkE4xcr+CRrhbVHzBYT15Ne6sHN/9MEJv2rY5+lRv1hEFrNmfO+882D5slF1j9drxVSlp/b0tbURQGDc4zdNgDRwJS7c6q4n47in1Flw0w2udV7mq0s/ghs98Y0b6tmUrujX4v
Y0rFc7B/SpBvx79/PVZXu+ayMmht6DbkTOpQG6LZw7JrKyYM102Ehd6U3KXvbdqK4v0Hbqwk4/tnDG98Tjji+ahdHV5V5NNpZ/bo8maxF7IfKtRnuOLlx9pu93yt0Hu7VZQFB1v/HDN94dN6tMU7kpTfMYVYJT7Sgj3YOylmiFFcMzPqgCdE0ZmEAlxyOCQFOhk/ZH6RxoW1V1K59bSWU1jLq+kNlzvnl+dd3XoZFvGes8CmN12UcOFDy4FnIbaXFIoith0A1bCAzCYoRFS6lSNq/9diC/LJNe17qbhK6O8J8WkdZdBi7LZYBx3v/2ETFBeJVTK878IFv783P05M0dLkpOX6Fr5xBxYEF6n4f9IhCZmzy2Cc6p7dMSxozpW6tyH4HXPUrxWm7M9/5p+MD07Y6Qq1FssaAq3Qi7MMk+t2MBHgfQTpeK6qXkueUeZ6uPTBrthN4n8CwMY+9eKj/54HSMp00zjqvLcBnJwdF5IosymzjvCk7F517BGFfn39PV7MyiIwXUp85h3IzMKzJmpXm19ERZY23MG2kpFXQesHK9xm9kShxW+Rqr02ToDbvqW+mK/UNkNzHSGvmJFaIYvcOk7qccVm6tCJrUjpHirFZQ1W4p5GzN6EOtFcU6em6wNthUsRTnxh+FGT+Z2WEXn8k7xPLn4++XfVmrKTC0GH0aND52d8FiEb669TuWePregMkvh3P3jnnOmJBVrBhnq45EL6LfKStJYzodBh7ZnyIDTt2ZscMSrzm3cg/pihCq9bzi6I1dHxGZU21Zom72G7YsmMjpXWQCcKbNcZrnA2ULLAymmKqRmFEF8c0CK8YhgyfgwXPxd7FAGIh4Zn8b3JlIwIdy5poLnUgj9qujJ00+Z0mVLn3RrZMwA5J5FWGbEF93eHo6UmTo3FzD9zh1QolTvpokL++rct+2H2ImNMqpwYwHnAwzWZnW70a2JvnkuZm1xxY3eWyAx/hDamhR8mTZPK9RTufYh4B858s6hu+zNa1WvKKK4w0UchnpH1f0JHAj7Qdgdftf03ldBe589dowU0FjRhTc2NY2GDZseuh1jRrFavl3CI6NaQJZRWRR2PuUho0uHHTEWsm+pZIrljv/Wd1FrqB6NBEql+T4QOP9vWW/ML7VGkk7Ly+sGtyVkPR0Gllfr55W1v8hZ0f6nY7e3n/ImQ/AhG9XydI1zr2EhGJ38jfXV+hqoFC10UjWtdZXl+zGIGJhV1MNu4hqSN/HH+Zzq8PKvRMR2UzmqSu+BhV3faXD44IsLiPq0TJ+twQXMpig8rzlAvalwy6BtomHsAXLm1DOiBOviG01DsrAI7z88ZS8Zt9llfKZqqd7X39y3XPqQBQka9xRUrW9CC71a0ZD5a11F6ZdiRsTOEKCXvG86xBpqivxCjOOh4EM1LjCEdRXzqlSI5MW3B06xtcfL+7mjZXCN4ByAdjBlny6gWaL8xGJyIpsVuX5Jrp/hhVZ1DqgFtxK0+Mane/0UsWHqJiM2OWgV2KX6WqKggSm29mrrucqrnJmmsq6bV80j1FosN22YsOJkm14YfcmXZZYbAquJrPKLz6/QU98rcTniltdecY4FHBAHtibu1Jq+82n6GzoaBD9KMytkGvRMYQ0JRU0s1h1oY9M2iR4AhdcPy30oq5yf+9Lk97SBSYb9GnUXONspvApivL9wh0SM4EKzMRc4YLuTMcosYKpven7JHSUy2tYFr2XuUuO3rYFbGWdBZBCe7QvSBWwhEhlIXX7xr2na/RrJcCUfCdzytETJlbn3z1DTJJnaGb/j9r/wwLzjWb6/LtwfNGQMptzPJicH1uH6mr4F9cIFgVfF8jJTT38Ss53NmowMimm7q8zj2fdBkFTZRk5iNCqiCt3e5h9fvc7VhR9dAnA3333+d3vrz+8+e47l3O7wgqzUZ5cS3Ubs2R57wX7vV6wHWEbdYJhEVuJ8DU7cbuUNM8BJva52CQwYeZSUaEZiSlAWq6kBBgX8b0ggfhALK
DZGrPhcOIHeweg93lsoPb6xC5R19Us0aUws1wbFbvyHeq1kznE2m9ptHe0rvlI5yQ9tthlOxhsoNL4YpNt3Yuvd7Eg5mzU0VRvNZkj9titBrsRBbbZL+8JC+Wj+wne33Fhkff6/4fhqluV2U3+OwmL5S0fvUdkJ5InYY46jrsLPyknSNrqnGzLLn1imoz2OssO+mQ+BbfbgHP3R6brltVsingYFH3NMeOW1nUzl2svM64u27Vt0InLmoOGLgItDMazCuuc68yqiEfs55jEa0i39tVHF7IoKtH3RA2wE8c1bnoodu/pnfk7DevUDW76OM36objdYJH/uwxHzba4GWzYMZLhwdgNF+4gpytdMsJktCzRqSx4wH6NlRgGHR476loUZSZTCeOb9++u0W/Oj7pNSg0j8mXSVIKb/3yLvlRUjfRurbjIFO136kyb3NByiG7Qh7roLJjW1WjpJOJD2gYqY48RsEDLoxxH+6CaQHDswXDz+AMaMMeqSHBaFmwC9wIuIxYgN0CrPNpU2g7MuN2uOqBzbPpa4UPhzqggywKrWGUlDdxNiQfjix8cfcJkkE4VBWa2jM4LhM7jFlA1gOcLaLWUAKyc/ZEAaomjT8JwHaeisxcE3TMW+8HxndsKalXP6EiLDBMYjBK//MTC1iKi8d4CPFuUq5/EnVlGf9+JyIhRWa6j9l1vQbeQj4s8HQB4xXF0iSEyKhZMRCyKHIJOkRstsnmm18yQ6PJDZHMu1xoX8XNX2rCFWaWDniDqQkTGREpxwkRJVTHbREt4H8AuyW0a4CvMU/AKK7NSSSOz+CEpgL76KQOPY3zYPNnd5HKR5SmIbQHHz38jIivwXWZMLLdBF7DlaE4TPAoFE4mQZiId0iXXGZ/xLHZYtAP7+4TAo3cGb8GO3QuxDTt2VW8b9s8JYb9MCPtfE8L+nwlh/yUNbCNLjmc0hUhpoMc3z0RWVByU79kmwTtZAy9vE+glRcXZoijTaN9Wy8R8ETsJyUNmKZQSTb+Q+L4RkWmXkJjgBLUiaaxJCziNNak3uioTzCIloimrTmKqGmms6UHvEogQI401zFLBBrMmCfBKsDuBhdSUJGDC1UtLlUSPwuqlLM2S4jyBW00WZUZ4Ah+2BZwgSAJw1Wxj4rtFLWSdBHJZZQliGkQxwwjmCQqIdIYXVJBNxKyrNmyB+eZPms9S4L3KoA1oEsiuHUwarF1ibRLos0W5epnGB62zGTN/SdJojOgs7qy4HmAlo4tqneSaA1RKVPwqN+18/NFmbbUAU7N0fv74zhEHHNS+JMBdN/l4HeRasOeM0xQ2jM7mKQ6RzWMWZ3cBp9ANdMZKSFLMkog6Vq5+yrUpB838I8HWiiSBzdmcpjBjNDiaC5qzaAWjXdhMpOGSQuYVp5rIFNT2wNkigWySpV5jE3Xmfwt6KIM8CmBFF0wbheN7QrawE2h8ipapSK2S0VpDJ3KVSL66zHzH4gmgG0VxkUCRdKVAqdBOp1yvl5LpzE2YjQ99gxVOwuD5SCFsDMgrN98+NlymDRbR5xzn2swqFWtYYA2VullBKaBW0XGNr0fXNcmxwcLkhnn8YdfHdhrYBXOB8zz2HWB57LBq3ToowVvEiowoKYskXYks4ARmGiuyNMmRvuNRCjKXt9HbM5U6fstSVupSschAOTbMVNGzzzgTNF6LnS1UHXWiTgMXim/ju7W4dF1PszmX0Z/zBniClH9r80aXOhZoAoljbegEqEbPTeBykYR1xSLJBS6lii3Ailm1SHHNCqZJCrFQ6CQMm2IOhKAGmitFhxtdhrsG0LEz/hzU2Ol4Yr2ObYEkqSiTbgB0dEtUxteMpGKLLDCP68Fw14Kq+G9WmbmhvNHBRp1MvQXrRrwmYbIEhZt+Jk5sYeDBxpYGZeYcSdHRxVrbDzOyjFXnPwBN70oWPRBQUlUsFBZm0HM3BuR1EsDxn17XiezTp94U0AiAlVxkWJcRBwa0QSscG6qimKfQ7xQlQAfXdT
QR8PhEtpDjtnBtQZYqT4BxfEemTuAb1s43nCAfQNPYiQBu4HEC40TTL/EZINSgNRrUBKaUZosEgleXsb1sWpEU90CRPLoirRUJdcWNANjEG7HVhlnp6F01V0TELpQITot9KFDXpDP29s3CxGcrBzR+RK+Z6Rkb7qaM3q21ymdJ8tArxRO8hZWmKstZ7Kr3JGMr6shQCjIYog0uYnuDVxkT2uB5As1gxZRJoYavSpGgdZORqhIx3ayhtmiBjqKvKyPRh0qgwdJN9kjCYXmfMWc5ulA0ZwZdYJX7boYa2r+H0XGTsxJSaWxCKICBIfoI+hsQyVGoVKfJh2AiHeXeFCWXGzoYLLiXfnNZRWvqfSCPWRo6nxHMO1N0Qe9QgfuNFraxWLGo+sNAkiPJmYbhDPXq/uihgRLSVVlKZdCw8ShC6yU2iBlUKjofY4UHpOXeZwhFiPDe6mhQQEz4zu4jfaE5E6kn8rdQtau18dTIyAU1S6rOt9/XS1kNXjSEBF1R1YwjMhKVWGmK3lGDYSK4u6u4IcGTt3Khn1+7sten6NKP+HqGzDIwpQiaAX+gfvQxoC3Qe2p+Z0ZQHT7nIVMnId4cRnY3twgWd5vVFCuyPGeCBfGDmbsT9NfuiU+YhQHJEM85rgTM+l1UMMe1buIebuDe69e+Y0/p23E3e2qacPv5xSPGvj2ILGJN02GdV2FZ9JHeGbgVY+6CKaZRjwik7eC69zChWvCRiZfQPTfhOHDon6upQYp+qag2O5p2H5+tfP9e+U5lgLE8blUnsfseqSbvtOtO2YWTwwhiY52/Q4d2/Sq485iz//fPN7SLXV3WQgHWDvMGWA3xknjvycL2cZlhTZFL126wQYNb1ZyS/8Vp8BXNKPgGc6lc+/ogGRHCGmlKYdwZ3j2vSmGhMZlgvO+gw7RbWoDau2UaUimYgLYL6ZKqgjl1Yyqkt0u6wRxsxThdUMTpinKEtWYL4Q5uO68/zPrQkvmE8hvW38Hps5NMeraYVYJ9qWh/TCIOX74Wvsd1TDxuCkqt0bDcXUgihaCQW4HWzCzHBAVCgcqQRmNX9KjyonubFpacIE+aJ4rLBSOYI4vBiOkDWJwWO1hqZEzj6WhXLjc6jF4rnW0te1mtsR94zBnW2VImtwmcEdeYazBLZTvUyErF9giecD8A5C6NxRbeND+IhXCK1flrrqU1xDv37RKC5ehX/4tz9Fpsmn8NoBuw5bUwCOfnRBZlZagKi+Ekbny7sXTm2Tf9s4AZi50DYeaf1Yvvf/iLtX0vW8dRU+ybINqeT7O4EbNDHTd4QxX618Ynp597NAC58K2PXf+TnufFFucO1+88jyOTl/fJtm/7A1PsOufo/W8f39i9U0Wd8wT8pTnTRNESC7KxWqVXz3g/FwQBhZ6hj+9eoSthfnzxDF29v3zzX6/QpythXv6EnqyXGyQoM0uqEFlK7UelSaUoMfCtH17+7//v6bdBilCzTCjj+vQAmXpe4PA4Hp2Y++55zW8cL17VSIWveP64kG7Lpj2YH9kw7uAHPoRvTzHdWiefmTIV5ujt6/dBZP+UgqbzZR3HGf9HCnoepq1F96sRobCR/cITjuAxvsE7zmGBDV3jE4xIB+6+Rq/zXIGf1nF5CJ3m6SVFeWyc86GxkKuLd9fuVRoNjxVYTxj96DiVnKbq3250dW1RGfF+WRoeOQkiCg3t2uM0rDWxzE3XmlZAtNDFec7slzHfBmxbs/zD79yEDGBNQrjg0t/wyy4LDFDZ5lon0esOfdIweu8xvJbKNCJ5IHRzCLDBATCz2S959cS0d/thYlE/JvW23o0RXtCQ3TiVF9djB5Yv1loSZlVO5zca6DjIymWFxYKeN6YTkWLOFpWiOZptACYVOWQNheVMeWTrgUHR6Ii2HFx0nqDfAY+o+7dLuKI7ABQtpKGZz+yOn2cUn7S50BnOXCp+AtClUWmAzxOwxDxBtTBPcR1S9T8pExAV51ntiUunlvcteLuP8/5qbW
fCCTTYN2ZJlaAGfdyU9Bn6VD9jb8EB9iO6rh1gg5fgtzFNrR7VM4EyMWIa10h7v/gzhDkPKhPl9ouQ4IYVJOatqLJvIBNGIm3gMWcCfboaFSgEEmSTyavoItsClWWCsW8WsKI6dkavBZugxMW9iLFT0cHfngBbN1oh41Qsok+KBJyt8pFQCx3RQJ3Kg3krACMQgXSCOcLoF6nWWOXDOd0IvV5AspdC2N74O8ilm1GzplSEVc/IXRPvG+OWBvN2qM4hg6BlPGRGDHbIhM9zhbSEghkrlvyIjfAWVxyLKeL4Bzgo6wSRlotysMGuy3IbSVlZC3YBBmz35YkdqaQEuhCs4vWDOyxij5VhpOJYIegXjWoknry5e/VWLuR8Hp7+TklmljT58XaQ/WgXdLexhfcbi7dF93VlllQYnyw+irauYnZOOCyhxy05jvonTdUowrIyRE5Lab/kOMI3FSFU6xGcofP4cc3Rjks8AbyQVXEXUm1QoDBhgNsUwqmDI+3haKUSBPh0KYV9V6zcCimHzQ/RQFHq7moVrx/dyLuJketaCjUDnNG82Y/3w/T0YSaQZqYKyE8ExQXUi2gPdYk1wrks7etilpQpJNdie2SOcAbfSSGLkbxamMmhmWtRP60SYZV7JnIrf6TSDQEw+oVxil57xM4HZDjE2Suajbk7OZow3uz/JOkKoyS48VkLcakQ2mOAEDHr3R9ACJevd+PrNWJTYjwhdCZTVg8ENj+jS7xisgLtksiiVLJgIxmKdGrk3gg841BENkcXu3FjYtWInYRI9jHsaJ0oiEAHw6jDZY5AMLB+g1/q0229stv7Nsp22zLLSph+OVtsjT6HMvCMHGPWH6QFwXu8oIIqRuotAUEg0a+fWsDMEp7a0Gw35JE9Jz+ca6PGg5/1no5pu3WyPb3YvSevXri1Eu4raJo2RrhhBdVWrjttT9GSjgaR/ClEawqx9yCg8eADj0EdyFrH9O4+GWv9eNiefsh0tCGnB2/NO4z37XCwN9jxViAcIAy+3t292Ls7NenZuYsWZW9q/8lF66U6jQDZI8cbAfL1suOP+48s1miDaY7sMPmoJpUgMe/YAfJjUnaMubcBMzZKPZSg9fzU0St3KrPMCmqW8gRREtzxJCOHhv/a6IFDLyUlk3qddkR1Pkju/bUWkR18mcgT8l/nP3//PXry9vL19VN0ybRhYlExvaQ5lMIHceFyIZP3BdoVCYNs2bnDwx8zfHEkY0zJxF7FXfWf9lRDGDQ3Bjzy0YY+3+e6EEj7b+p+W44/wCkUM8Ui1CZ9mymGeazudL2NfMA5q7RbAUmFNCsYx8qJJys27R0i8K6Hy6vgnmuWT9lppJ0p/8kyQu1F7PXF3F7ydHUWr8Wuuw5hDV9p2PL/eicRfDLgBe+4oa2yjDzsypQqZWLAIGQDpJZqgQX7c0dWtUjHCocS+whKt3lqhNxzpoK1pIm6/vxil4PXwrX4cr2LOlnNv1LMzZJgRVGpaC4LJnCw4K4lnq6xYVQYvTc9nuMpd/sWn3SzrvUjLRMxrr0631rBVWJloBnSdqu7xeqEzY68sDlEos5pThU2NM+iJZXt4A8rfH6pV2yCZ9dKrljeNA/z38Nlyb2mOmAM3/zHPmtdnTas4Gw3yfKJdtks6Xv9mc3INoPDQyFzcsVc9HzZV9xHWsA1SmfMoeD31TzpHehMrR+1KqEXgY06HRU0VqyRNlI5iW+hFdRgWO1b+Na5/da34d0XLM85nU7KvYP1DpVzgeNtyb2j5Fw9HmOa7V771VodhsSmjs4+QyXH9sjs+ywVooKoTTnm5YdUyAnsyQMy6FRjW/4qtUHvMFkyMWLS5TiR5PimT+tPAjL9S0Wt+LD6kWtyps/R2xyX6DP8w+lHuRSu7vSfw8cTLfGKWs2JU6zQl4qqDYIehLqUQtNaowoXp9r9ZvCbaeSl74FHLGTF6i6Qwm3f9eUbx7Pe0gSobhnog2+OeiimMOUprcOsz+N1a+lOEy
NrG/qHl2mkKiGCdqx+1rw8LvLs2kiN1Nh5iJm3MNMfBEZrJnK51kiXlLA5I/aTZ6E6QZ8nO7wgdnsO323ODXoCHWGpINtnCEKXT1vUQpWAd/wtXWCyQZ90t/FtE4Et+oW00bNr7QoTGOwjr33b1AJUoFYNmMy+iAOKN30AAtX/nUpTKOcZkq+77fQK9Vh3XqdeB3YMOwwymv/NEZudJq93bKs+w9e73mtZ9wa2Pt4FdLibaRx2TcCgezbbhEx3DIMTCjek2F/8DGUDMUcCjla4wZZzOmfC++pBOEFXvwKXI00HAbujCsUS4bZ1wPTUv9iCsfHZpt6776U00puy8WEbg8mymLgF/nZVIDgaWEft40gy5GXGRLwJYlHvht0yFBWmfTwDQqpdtgPH4tpob8v7A1M7B1inffv2YF1iVfOU/fOz7VbWSzZopY7s7bC2rEt+P2h7JvrMEtfWQqpNugP/qy6x+NvejjE1It0u6rV6HnqaLFn++hyg79nbyVSiwa7qfuu7dzXKBRkVRsnyGNGRy2o2cC4cxON+TWtt0z3lCICjq+6Y9h5eyKLEYtPcR7h2ME7f2SsrquwzlDExl2GlAOvb1DVCe+RHz4qsMVvTtF3R519S5Qj8UnG+Qf9ZYc7mjOboEuqenXMwiMqazjIi5S07UdD9dzpDbv2t/Yz5mDYfvdvsNhxeVgZU7iNHmO6/6x+aJfyUHe+Odj75c/RxU7qtbz0HljjuBMcPT9F5FrWZbA9ti4NzRKhvdahtbR+ZKVx1jXLZxc55Fkupam8/hJg/vB058lavnMjsVNOiTDuHaAcp7Mp7Pfc1mkrKRJpIFym7jj0PVGITdk0SkWEdM9rfAqx8OX1kyJXiEY+5BTXiqTTGaFapWN6QFkxNVYYX8WzKLejoz1MXdNT0xy5oz/UJBAu9M1SAahXfOLHwo3Fzo+gtFe2lysTWqNwSU9QSdmTuR1gW1Kvn/r8vPArP/X/4vKaQ2x9zqsLZeX47J4yeu820g+fgcW2NWhtsJ/cD0axJxcScKjUSdx3ue5J9tRX/vaQPumcnQLLuSzxvHUPgSkFYWya9UoElJmO/Ny5ub9nuI2QQq/af/kGHCVrjAz9ZuaRqGn+E1dl9xtOTCxj9+BRdwPph1KgyEzVLGaHzBVV++CftZGHuaM5Lk4aOW4RsHbhd9Fvd6hS986TZn8d6Je/fGiV82uiG/Rn21rDbRDLl6h9vkKALaZg7wHKJ9cgEKE2mbivUOkq3+PhwQXvUySZADRJcejxWN06v62/CCSmaLaaoqOj2N2qmHn4cHbRspQnTuoqudAJkSJZK5617WAwFMKRKJfWBDg6lLT3f2MXRDQSnd0mnSTIkms7gPor85AZSO3c/Ri3peRyS95eeO3AcF6Fa82yV8kXvh1S9IzuITJ5Z1sNV9DaNOhVgdku9RZ2oucE323El7QcJZOtPSEO8Tip0dfP6H++u0bV9p9BvYmT6yhbbRJXUx2D7cS3D2IIYIktKbvVRTuTDhHDaHmShoXNNv86mRRikgfoRhFspuEPLpYoNmkKeQMl1eDRdQUaNBsDZYFNNNuGzjeUKc5Y7Rgwg0ReEk3W13iUIgWK3dKP7YjsS59cJpJFhL40pdcZgBm0S0HCUKQhC8CO4TWwh6soXqZjZ7LlRRBZF0j5xB+Lt8PAOoXAJ/popyvuWZmwXy5pjkWl9qoG3dmUnw3/3u61rtILYulLjrJRsirTqEMIOAwQYAFJhawDISpZYiEHjjNTtpvyqgMhIzHaits3Nw+JnHv7+9vV7/+497y3fPChGqr7vP3rPNqZvs5XkVSoCvK7nOAs/56aZjF2P860EMxo9cUjop9CtAwp764m6PfAIkA7uhleJpNlbj+snwYxPFzjvFh2sqIJMgXnFEZGC0NJYQ/nGneFIe4X1OqX0dYS3Bns9QtsiWkplkLT0/fXfX4dScINkj813Ui2mT7DsFxh0XKwz7JqdBBvF/P3Nb9dX1+gdvi
uYyJux3uFjtXubPA2zM0RxZFt+G4Pd7dpWoz6FSxajp2e7KsdsPl3B5qmL8OstJ1c7Os4yL5WvLn2XXo/FTgz5dIdy4l4B9Y6L//Z1w01hjsiHmmTs2w3+EmtCnyi70Y+rBiu+CeoWrrj3GdJVIEUda/RXbZQUi7/NOCa3nGlD878+93971nzKxJyS8Edzpuga86Aig2e89RuERY60RCNsqeiCaaM21rKfUliU2Cx9s/4GB9THYYAkOKWmQtMVQrt6LSJVqwt5o082mFNhWjkpjbqt7v6lj0qfva1ZhjV9hWbUtA3+nM5xxU0GzP8KzTHv1ByP77qzq24S/zuZV5zCvS+x0taw/6MSrKRKqzukN5rLRful3nXxFMV6YOkfTO2/DRi3By+4ptNGznAgRFyvvXuy5HBZr+D0Qe5aPjDDz68dbDtxGAIdoGG7aqtmRqVAW309iAxtROLSoo3KfoIQKYQbH3tmcN+efwAnbuGiNtwwS7hK7rPAo/4ADOr68A7U4PoCm7MEt0Jgc6+b0UIjLke0ENnPEBaLVLdEuFy5+92UPkLxaXO/G2PxSXVrBMzWucfNUeTM4qMqTs8CyRYPuT6KADoWNOqA3o9J5IvcxmT/bc61SUWTXJv70KSDSVyadDDZT5N6rOfZwJh9AA7bae/5ntUlZ2QTmQIO6AF79yL1TymiM6aTqRby/fBIgsLh+kYCUrRF6IH06GOUDpl92gfEcs5YfvZjP3viQeqHa+PHctQCuweDFMvvuZuu2OdsrmRxRvjA1/Sgx9UDdznxPeBBbGRlZrIS+Vm4BmlKVGAIaRqyuPmm9ycK/O5kaHQ4JdgEMdbx9IAHsWFiCkY5BJMWo8SmSuuE7kOTdHxyCBaU41LT/MywkQcmH/oZ92DgQaIOyODi4z1IHyBLQ0DDpgHVhuZnSZBwsA/HZSQT6AEYDCAG11WSjzDfcR6tDrgdgumMCSILJhZn0IxxjgdlSQ9RNmEJVC+BhkuEr0Kwr+aDMBmC3HcPzkaq/eJciOFYwL346GqWGCddzY7AS/XTFx4kNdv4dCCHb6viNcKR8WhBPgCPDt8sscLEUMW0YSTine6wz8giI4oyqRQ9W9PZWank3eas1pwjuz5gGbSmMwTLNMr0fpO/pFSdpdDnLeDDlXrAIr5H0yFxD5dmG5G4frs2Kvt9doBHKq8moHJvt+YApQT0uZ9js05fj8e0A4jhW63I2UrNzxaqT/iHOQ0HQIOr59rEXz0ENKyyk6Icl15HnbwFeYikCjb6epg7ENJOoc01tPXEfnw6KqjudNwdeXpmKoXT1sI93GNLyrNQfPxBisDh6/vcyzPX2zGyj65O7HTA7+mhazTehI7DZo3DPNpzFt2t7qEesL6SlXHGhjZYxLQ1PGQ0gBzGI35s4cCYQlVyJm7PzF1sf4MDjMwd6gLehYVKhYU6CAs5+yMe/SvFu52fxiyGuEv2OnztunXxFp4zbgLj5IKLx7cZ/eqHmYp1r9Ooy9P998zQopQKq81ZfAx2wA7iEnf1/etBrfpZX3148MJhsDswIDKPvnwHZlgjGjbefZgmRPa7DeugbtQ3tQtx57rxH3QXoz7gnkXVOvfrem6y/llo/MYDni0HFXWhhrkr0F7qQamHsHAXanBhf+8iq/ke6gGEd92izjRdUdWfHvywM3fdwAaAw+Rvedri8nzbvbaf7aHn/G1sFADoAaszkdO7eOt2we3ivqiMhxd7n5FSkmXUkJgFeEBAzAdHuFyMuSMfECW1JuVeZyS9K6Uyp1o9z6U+S3fXLPh7XrhW7uCSmTM1PPoHUKaVPLhkBnWAh4UhK+iZJjLq28cKirowxyhh6J1JQwaYB3MYDWo8wPGTEBvXDeQe5xJZN4BzOUAzgLVLqtig5+tDF+8B3X8a8ZiycwiHYRBXVNQIHOBbqjilM6xTOHYA7kEPcxp/3318fCuqckbqpPh4OHi4/dlSO3FwLQHiXYcahx7cIA5LY8qzQDf/h0
RmjClRB2RwZXCxJvG70AO9LhoXJadneolf/PwyHgYOLOqBDSuMmK+xomeDAR0P0xodVNSBGpZGkJt3NohKHhesdNDaPws/AVRgMaq0HelrsiD3Kmz2ndAGD1p2H6soD+GFl+2XmD7IDtzD06GOWQ9h5i680TVjpkiYvRoMyI4l1sszLuVtFS+6CtLDAkY9wONoRH3DDowQOW/bWU7NcLTi8Ys7qKgHNXzkKfKsDk+tmlOaRyY8pfkBhJeEVCqy7gwwD9KdY5aD+UittXMb9xZePHNT24J9ZFrR9m0N8r/8/wEAAP//lygjCA==" } diff --git a/filebeat/module/junipersrx/firewall/_meta/fields.yml b/x-pack/filebeat/module/juniper/srx/_meta/fields.yml similarity index 99% rename from filebeat/module/junipersrx/firewall/_meta/fields.yml rename to x-pack/filebeat/module/juniper/srx/_meta/fields.yml index 64dd3498e427..c847cfcf2cf9 100644 --- a/filebeat/module/junipersrx/firewall/_meta/fields.yml +++ b/x-pack/filebeat/module/juniper/srx/_meta/fields.yml @@ -1,7 +1,8 @@ -- name: firewall +- name: srx type: group release: beta default_field: false + overwrite: true description: > Module for parsing junipersrx syslog. fields: @@ -214,7 +215,7 @@ type: integer description: > application risk - + - name: urlcategory-risk type: integer description: > @@ -279,7 +280,7 @@ type: keyword description: > process that generated the message - + - name: apbr-rule-type type: keyword description: > @@ -314,12 +315,12 @@ type: keyword description: > rule name - + - name: uplink-tx-bytes type: integer description: > uplink tx bytes - + - name: uplink-rx-bytes type: integer description: > @@ -554,7 +555,7 @@ type: keyword description: > status - + - name: state type: keyword description: > diff --git a/filebeat/module/junipersrx/firewall/config/firewall.yml b/x-pack/filebeat/module/juniper/srx/config/srx.yml similarity index 99% rename from filebeat/module/junipersrx/firewall/config/firewall.yml rename to x-pack/filebeat/module/juniper/srx/config/srx.yml index 3490fde4aaff..725ad622fa0c 100644 --- a/filebeat/module/junipersrx/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/juniper/srx/config/srx.yml @@ -24,7 +24,6 @@ tags: {{.tags}} processors: - add_locale: ~ - - add_fields: target: '' fields: 
diff --git a/filebeat/module/junipersrx/firewall/ingest/atp.yml b/x-pack/filebeat/module/juniper/srx/ingest/atp.yml
similarity index 71%
rename from filebeat/module/junipersrx/firewall/ingest/atp.yml
rename to x-pack/filebeat/module/juniper/srx/ingest/atp.yml
index b0635cdc3527..20c035778eb8 100644
--- a/filebeat/module/junipersrx/firewall/ingest/atp.yml
+++ b/x-pack/filebeat/module/juniper/srx/ingest/atp.yml
@@ -9,61 +9,61 @@ processors: - set: field: event.outcome value: success - if: "ctx.junipersrx?.firewall?.tag != null" + if: "ctx.juniper?.srx?.tag != null" - append: field: event.category value: network - set: field: event.kind value: alert - if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.junipersrx?.firewall?.tag) && ctx.junipersrx?.firewall?.action != "PERMIT"' + if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"' - append: field: event.category value: malware - if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.junipersrx?.firewall?.tag) && ctx.junipersrx?.firewall?.action != "PERMIT"' + if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"' - append: field: event.type value: - info - diened - connection - if: "ctx.junipersrx?.firewall?.action == 'BLOCK' || ctx.junipersrx?.firewall?.tag == 'AAMW_MALWARE_EVENT_LOG'" + if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'" - append: field: event.type value: - allowed - connection - if: "ctx.junipersrx?.firewall?.action != 'BLOCK' && ctx.junipersrx?.firewall?.tag != 'AAMW_MALWARE_EVENT_LOG'" + if: "ctx.juniper?.srx?.action != 'BLOCK' && ctx.juniper?.srx?.tag != 'AAMW_MALWARE_EVENT_LOG'" - set: field: event.action value: malware_detected - if: "ctx.junipersrx?.firewall?.action == 'BLOCK' || ctx.junipersrx?.firewall?.tag == 'AAMW_MALWARE_EVENT_LOG'" + if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'" #################################### ## ECS Server/Destination Mapping ## #################################### - rename: - field: 
junipersrx.firewall.destination-address + field: juniper.srx.destination-address target_field: destination.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-address'] != null" + if: "ctx.juniper?.srx['destination-address'] != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: junipersrx.firewall.nat-destination-address + field: juniper.srx.nat-destination-address target_field: destination.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-address'] != null" + if: "ctx.juniper?.srx['nat-destination-address'] != null" - convert: - field: junipersrx.firewall.destination-port + field: juniper.srx.destination-port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-port'] != null" + if: "ctx.juniper?.srx['destination-port'] != null" - set: field: server.port value: '{{destination.port}}' @@ -76,12 +76,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: junipersrx.firewall.nat-destination-port + field: juniper.srx.nat-destination-port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-port'] != null" + if: "ctx.juniper?.srx['nat-destination-port'] != null" - set: field: server.nat.port value: '{{destination.nat.port}}' @@ -94,12 +94,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: junipersrx.firewall.bytes-from-server + field: juniper.srx.bytes-from-server target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['bytes-from-server'] != null" + if: "ctx.juniper?.srx['bytes-from-server'] != null" - set: field: server.bytes value: '{{destination.bytes}}' 
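Review bot: The `event.type` list appended when `action == 'BLOCK'` or the tag is `AAMW_MALWARE_EVENT_LOG` still carries the misspelled value `diened`, which this rename-only change leaves in place. ECS expects `denied`, and the flow pipeline in this same patch spells it that way, so searches and detection rules filtering on `event.type: denied` will not match blocked ATP malware events. Change the list item to `- denied`; the expected-output fixtures for atp.log probably need regenerating afterwards. The `processors:` list starts before and continues past this hunk.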
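Review bot: The guard `ctx.juniper?.srx['nat-destination-port'] != null` is null-safe only for `juniper`: as far as I know, Painless `?.` returns null for that one access, and the following `['…']` lookup on a null `srx` then throws instead of evaluating to false. If an event can reach this pipeline without `juniper.srx` populated (the calling pipeline is not visible here), the condition error sends the document to `on_failure` and the remaining ECS mappings are skipped. A form such as `ctx.juniper?.srx?.get('nat-destination-port') != null` avoids that. The same bracket pattern recurs in the `if:` conditions of most other hunks of atp.yml.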
@@ -112,12 +112,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: junipersrx.firewall.packets-from-server + field: juniper.srx.packets-from-server target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['packets-from-server'] !=null" + if: "ctx.juniper?.srx['packets-from-server'] !=null" - set: field: server.packets value: '{{destination.packets}}' @@ -134,31 +134,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: junipersrx.firewall.source-address + field: juniper.srx.source-address target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['source-address'] != null" + if: "ctx.juniper?.srx['source-address'] != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: junipersrx.firewall.nat-source-address + field: juniper.srx.nat-source-address target_field: source.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-address'] != null" + if: "ctx.juniper?.srx['nat-source-address'] != null" - rename: - field: junipersrx.firewall.sourceip + field: juniper.srx.sourceip target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall?.sourceip != null" + if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: junipersrx.firewall.source-port + field: juniper.srx.source-port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['source-port'] != null" + if: "ctx.juniper?.srx['source-port'] != null" - set: field: client.port value: '{{source.port}}' 
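Review bot: `client.ip` is copied from `source.ip` right after the `source-address` rename, but the later `sourceip` rename in this hunk (and the `client-ip` rename further down in atp.yml) also writes `source.ip`. Events that carry only one of those fields would end up with `source.ip` set and `client.ip` empty, unless a processor outside these hunks fills it in, so queries on `client.ip` would miss them. Consider moving the `set` for `client.ip` below the last rename into `source.ip`, or stating the intent with a comment such as `# client.ip is derived from source-address only`. A rename into `source.ip` also fails when that field already exists, which is worth confirming for events that have both `source-address` and `sourceip`.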
@@ -171,12 +171,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: junipersrx.firewall.nat-source-port + field: juniper.srx.nat-source-port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-port'] != null" + if: "ctx.juniper?.srx['nat-source-port'] != null" - set: field: client.nat.port value: '{{source.nat.port}}' @@ -187,14 +187,14 @@ processors: type: long ignore_failure: true ignore_missing: true - if: "ctx.client?.nat?.port != null" + if: "ctx.client?.nat?.port != null" - convert: - field: junipersrx.firewall.bytes-from-client + field: juniper.srx.bytes-from-client target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['bytes-from-client'] != null" + if: "ctx.juniper?.srx['bytes-from-client'] != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -207,12 +207,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: junipersrx.firewall.packets-from-client + field: juniper.srx.packets-from-client target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['packets-from-client'] != null" + if: "ctx.juniper?.srx['packets-from-client'] != null" - set: field: client.packets value: '{{source.packets}}' 
@@ -225,38 +225,38 @@ processors: ignore_missing: true if: "ctx.client?.packets != null" - rename: - field: junipersrx.firewall.username + field: juniper.srx.username target_field: source.user.name ignore_missing: true - if: "ctx.junipersrx?.firewall?.username != null" + if: "ctx.juniper?.srx?.username != null" - rename: - field: junipersrx.firewall.hostname + field: juniper.srx.hostname target_field: source.address ignore_missing: true - if: "ctx.junipersrx?.firewall?.hostname != null" + if: "ctx.juniper?.srx?.hostname != null" - rename: - field: junipersrx.firewall.client-ip + field: juniper.srx.client-ip target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['client-ip'] != null" + if: "ctx.juniper?.srx['client-ip'] != null" ###################### ## ECS URL Mapping ## ###################### - rename: - field: junipersrx.firewall.http-host + field: juniper.srx.http-host target_field: url.domain ignore_missing: true - if: "ctx.junipersrx?.firewall['http-host'] != null" + if: "ctx.juniper?.srx['http-host'] != null" ############################# ## ECS Network/Geo Mapping ## ############################# - rename: - field: junipersrx.firewall.protocol-id + field: juniper.srx.protocol-id target_field: network.iana_number ignore_missing: true - if: "ctx.junipersrx?.firewall['protocol-id'] != null" + if: "ctx.juniper?.srx['protocol-id'] != null" - geoip: field: source.ip target_field: source.geo 
@@ -333,14 +333,14 @@ processors: ############# - remove: field: - - junipersrx.firewall.destination-port - - junipersrx.firewall.nat-destination-port - - junipersrx.firewall.bytes-from-client - - junipersrx.firewall.packets-from-client - - junipersrx.firewall.source-port - - junipersrx.firewall.nat-source-port - - junipersrx.firewall.bytes-from-server - - junipersrx.firewall.packets-from-server + - juniper.srx.destination-port + - juniper.srx.nat-destination-port + - juniper.srx.bytes-from-client + - juniper.srx.packets-from-client + - juniper.srx.source-port + - juniper.srx.nat-source-port + - juniper.srx.bytes-from-server + - juniper.srx.packets-from-server ignore_missing: true on_failure: diff --git a/filebeat/module/junipersrx/firewall/ingest/flow.yml b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml similarity index 70% rename from filebeat/module/junipersrx/firewall/ingest/flow.yml rename to x-pack/filebeat/module/juniper/srx/ingest/flow.yml index ccdd4d8b3f67..e38f3e096f19 100644 --- a/filebeat/module/junipersrx/firewall/ingest/flow.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml 
@@ -9,72 +9,72 @@ processors: - set: field: event.outcome value: success - if: "ctx.junipersrx?.firewall?.tag != null" + if: "ctx.juniper?.srx?.tag != null" - append: field: event.category value: network - rename: - field: junipersrx.firewall.application-risk + field: juniper.srx.application-risk target_field: event.risk_score ignore_missing: true - if: "ctx.junipersrx?.firewall['application-risk'] != null" + if: "ctx.juniper?.srx['application-risk'] != null" - append: field: event.type - value: + value: - start - allowed - connection - if: "ctx.junipersrx?.firewall?.tag.endsWith('CREATE') || ctx.junipersrx?.firewall?.tag.endsWith('UPDATE') || ctx.junipersrx?.firewall?.tag.endsWith('CREATE_LS') || ctx.junipersrx?.firewall?.tag.endsWith('UPDATE_LS')" + if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')" - append: field: event.type - value: + value: - end - allowed - connection - if: "ctx.junipersrx?.firewall?.tag.endsWith('CLOSE') || ctx.junipersrx?.firewall?.tag.endsWith('CLOSE_LS')" + if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')" - append: field: event.type value: - denied - connection - if: "ctx.junipersrx?.firewall?.tag.endsWith('DENY') || ctx.junipersrx?.firewall?.tag.endsWith('DENY_LS')" + if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')" - set: field: event.action value: flow_started - if: "ctx.junipersrx?.firewall?.tag.endsWith('CREATE') || ctx.junipersrx?.firewall?.tag.endsWith('UPDATE') || ctx.junipersrx?.firewall?.tag.endsWith('CREATE_LS') || ctx.junipersrx?.firewall?.tag.endsWith('UPDATE_LS')" + if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')" - set: field: event.action value: flow_close - if: 
"ctx.junipersrx?.firewall?.tag.endsWith('CLOSE') || ctx.junipersrx?.firewall?.tag.endsWith('CLOSE_LS')" + if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')" - set: field: event.action value: flow_deny - if: "ctx.junipersrx?.firewall?.tag.endsWith('DENY') || ctx.junipersrx?.firewall?.tag.endsWith('DENY_LS')" + if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')" #################################### ## ECS Server/Destination Mapping ## #################################### - rename: - field: junipersrx.firewall.destination-address + field: juniper.srx.destination-address target_field: destination.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-address'] != null" + if: "ctx.juniper?.srx['destination-address'] != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: junipersrx.firewall.nat-destination-address + field: juniper.srx.nat-destination-address target_field: destination.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-address'] != null" + if: "ctx.juniper?.srx['nat-destination-address'] != null" - convert: - field: junipersrx.firewall.destination-port + field: juniper.srx.destination-port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-port'] != null" + if: "ctx.juniper?.srx['destination-port'] != null" - set: field: server.port value: '{{destination.port}}' 
@@ -87,12 +87,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: junipersrx.firewall.nat-destination-port + field: juniper.srx.nat-destination-port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-port'] != null" + if: "ctx.juniper?.srx['nat-destination-port'] != null" - set: field: server.nat.port value: '{{destination.nat.port}}' @@ -105,12 +105,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: junipersrx.firewall.bytes-from-server + field: juniper.srx.bytes-from-server target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['bytes-from-server'] != null" + if: "ctx.juniper?.srx['bytes-from-server'] != null" - set: field: server.bytes value: '{{destination.bytes}}' @@ -123,12 +123,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: junipersrx.firewall.packets-from-server + field: juniper.srx.packets-from-server target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['packets-from-server'] !=null" + if: "ctx.juniper?.srx['packets-from-server'] !=null" - set: field: server.packets value: '{{destination.packets}}' 
@@ -145,31 +145,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: junipersrx.firewall.source-address + field: juniper.srx.source-address target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['source-address'] != null" + if: "ctx.juniper?.srx['source-address'] != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: junipersrx.firewall.nat-source-address + field: juniper.srx.nat-source-address target_field: source.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-address'] != null" + if: "ctx.juniper?.srx['nat-source-address'] != null" - rename: - field: junipersrx.firewall.sourceip + field: juniper.srx.sourceip target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall?.sourceip != null" + if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: junipersrx.firewall.source-port + field: juniper.srx.source-port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['source-port'] != null" + if: "ctx.juniper?.srx['source-port'] != null" - set: field: client.port value: '{{source.port}}' @@ -182,12 +182,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: junipersrx.firewall.nat-source-port + field: juniper.srx.nat-source-port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-port'] != null" + if: "ctx.juniper?.srx['nat-source-port'] != null" - set: field: client.nat.port value: '{{source.nat.port}}' 
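Review bot: In the hunk at -145,31 the `client.ip` copy runs after the `source-address` rename but before the `sourceip` rename, so an event that carries only `sourceip` gets `source.ip` and no `client.ip`, unless a later processor outside this hunk sets it. Both renames also target `source.ip`, and the rename processor fails when the target already exists, so an event carrying both fields would drop into the failure handler and skip the remaining mappings. Moving the `juniper.srx.sourceip` rename above the `set` for `client.ip` and extending its condition to `ctx.juniper?.srx?.sourceip != null && ctx.source?.ip == null` would cover both cases. The same ordering appears in the idp.yml hunk at -138,31 and the ids.yml hunk at -166,31.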
@@ -198,14 +198,14 @@ processors: type: long ignore_failure: true ignore_missing: true - if: "ctx.client?.nat?.port != null" + if: "ctx.client?.nat?.port != null" - convert: - field: junipersrx.firewall.bytes-from-client + field: juniper.srx.bytes-from-client target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['bytes-from-client'] != null" + if: "ctx.juniper?.srx['bytes-from-client'] != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -218,12 +218,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: junipersrx.firewall.packets-from-client + field: juniper.srx.packets-from-client target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['packets-from-client'] != null" + if: "ctx.juniper?.srx['packets-from-client'] != null" - set: field: client.packets value: '{{source.packets}}' @@ -236,28 +236,28 @@ processors: ignore_missing: true if: "ctx.client?.packets != null" - rename: - field: junipersrx.firewall.username + field: juniper.srx.username target_field: source.user.name ignore_missing: true - if: "ctx.junipersrx?.firewall?.username != null" + if: "ctx.juniper?.srx?.username != null" ###################### ## ECS Rule Mapping ## ###################### - rename: - field: junipersrx.firewall.policy-name + field: juniper.srx.policy-name target_field: rule.name ignore_missing: true - if: "ctx.junipersrx?.firewall['policy-name'] != null" + if: "ctx.juniper?.srx['policy-name'] != null" ############################# ## ECS Network/Geo Mapping ## ############################# - rename: - field: junipersrx.firewall.protocol-id + field: juniper.srx.protocol-id target_field: network.iana_number ignore_missing: true - if: "ctx.junipersrx?.firewall['protocol-id'] != null" + if: "ctx.juniper?.srx['protocol-id'] != null" - geoip: field: source.ip target_field: source.geo 
@@ -364,17 +364,17 @@ processors: ############# - remove: field: - - junipersrx.firewall.destination-port - - junipersrx.firewall.nat-destination-port - - junipersrx.firewall.bytes-from-client - - junipersrx.firewall.packets-from-client - - junipersrx.firewall.source-port - - junipersrx.firewall.nat-source-port - - junipersrx.firewall.bytes-from-server - - junipersrx.firewall.packets-from-server + - juniper.srx.destination-port + - juniper.srx.nat-destination-port + - juniper.srx.bytes-from-client + - juniper.srx.packets-from-client + - juniper.srx.source-port + - juniper.srx.nat-source-port + - juniper.srx.bytes-from-server + - juniper.srx.packets-from-server ignore_missing: true on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/junipersrx/firewall/ingest/idp.yml b/x-pack/filebeat/module/juniper/srx/ingest/idp.yml similarity index 70% rename from filebeat/module/junipersrx/firewall/ingest/idp.yml rename to x-pack/filebeat/module/juniper/srx/ingest/idp.yml index e57575243a2e..4b4dc3f8fe04 100644 --- a/filebeat/module/junipersrx/firewall/ingest/idp.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/idp.yml 
@@ -9,65 +9,65 @@ processors: - set: field: event.outcome value: success - if: "ctx.junipersrx?.firewall?.tag != null" + if: "ctx.juniper?.srx?.tag != null" - append: field: event.category value: network - set: field: event.kind value: alert - if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' - append: field: event.category value: intrusion_detection - if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' - append: field: event.type value: - info - diened - connection - if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' - append: field: event.type value: - allowed - connection - if: '!["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", 
"IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '!["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' - set: field: event.action value: application_ddos - if: '["IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' - set: field: event.action value: security_threat - if: '["IDP_ATTACK_LOG_EVENT", "IDP_ATTACK_LOG_EVENT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["IDP_ATTACK_LOG_EVENT", "IDP_ATTACK_LOG_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' #################################### ## ECS Server/Destination Mapping ## #################################### - rename: - field: junipersrx.firewall.destination-address + field: juniper.srx.destination-address target_field: destination.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-address'] != null" + if: "ctx.juniper?.srx['destination-address'] != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: junipersrx.firewall.nat-destination-address + field: juniper.srx.nat-destination-address target_field: destination.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-address'] != null" + if: "ctx.juniper?.srx['nat-destination-address'] != null" - convert: - field: junipersrx.firewall.destination-port + field: juniper.srx.destination-port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-port'] != null" + if: "ctx.juniper?.srx['destination-port'] != null" - 
set: field: server.port value: '{{destination.port}}' @@ -80,12 +80,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: junipersrx.firewall.nat-destination-port + field: juniper.srx.nat-destination-port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-port'] != null" + if: "ctx.juniper?.srx['nat-destination-port'] != null" - set: field: server.nat.port value: '{{destination.nat.port}}' @@ -98,12 +98,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: junipersrx.firewall.inbound-bytes + field: juniper.srx.inbound-bytes target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['inbound-bytes'] != null" + if: "ctx.juniper?.srx['inbound-bytes'] != null" - set: field: server.bytes value: '{{destination.bytes}}' @@ -116,12 +116,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: junipersrx.firewall.inbound-packets + field: juniper.srx.inbound-packets target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['inbound-packets'] !=null" + if: "ctx.juniper?.srx['inbound-packets'] !=null" - set: field: server.packets value: '{{destination.packets}}' 
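Review bot: The `event.type` list appended for the IDP attack tags in the hunk at -9,65 contains `diened`, which is not an ECS event type; the entry should read `- denied`. As written, searches and detection rules that filter on `event.type: denied` will not match these alert events, which are the ones an analyst most wants to find. The line is unchanged context carried through the rename, and the same misspelling is in the ids.yml hunk at -9,93 for the RT_SCREEN tags.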
@@ -138,31 +138,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: junipersrx.firewall.source-address + field: juniper.srx.source-address target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['source-address'] != null" + if: "ctx.juniper?.srx['source-address'] != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: junipersrx.firewall.nat-source-address + field: juniper.srx.nat-source-address target_field: source.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-address'] != null" + if: "ctx.juniper?.srx['nat-source-address'] != null" - rename: - field: junipersrx.firewall.sourceip + field: juniper.srx.sourceip target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall?.sourceip != null" + if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: junipersrx.firewall.source-port + field: juniper.srx.source-port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['source-port'] != null" + if: "ctx.juniper?.srx['source-port'] != null" - set: field: client.port value: '{{source.port}}' @@ -175,12 +175,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: junipersrx.firewall.nat-source-port + field: juniper.srx.nat-source-port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-port'] != null" + if: "ctx.juniper?.srx['nat-source-port'] != null" - set: field: client.nat.port value: '{{source.nat.port}}' 
@@ -191,14 +191,14 @@ processors: type: long ignore_failure: true ignore_missing: true - if: "ctx.client?.nat?.port != null" + if: "ctx.client?.nat?.port != null" - convert: - field: junipersrx.firewall.outbound-bytes + field: juniper.srx.outbound-bytes target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['outbound-bytes'] != null" + if: "ctx.juniper?.srx['outbound-bytes'] != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -211,12 +211,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: junipersrx.firewall.outbound-packets + field: juniper.srx.outbound-packets target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['packets-from-client'] != null" + if: "ctx.juniper?.srx['packets-from-client'] != null" - set: field: client.packets value: '{{source.packets}}' 
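Review bot: In the hunk at -211,12 the convert processor reads `juniper.srx.outbound-packets` but its condition still tests `ctx.juniper?.srx['packets-from-client']`, so the conversion is skipped whenever that other field is absent. If IDP events carry only the outbound-* counters, as the neighbouring `outbound-bytes` processor suggests, `source.packets` and the `client.packets` copy that follows are never populated for them. The condition should name the field being converted: `if: "ctx.juniper?.srx['outbound-packets'] != null"`. The processor list continues outside the hunk.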
@@ -229,56 +229,56 @@ processors: ignore_missing: true if: "ctx.client?.packets != null" - rename: - field: junipersrx.firewall.username + field: juniper.srx.username target_field: source.user.name ignore_missing: true - if: "ctx.junipersrx?.firewall?.username != null" + if: "ctx.juniper?.srx?.username != null" ###################### ## ECS Rule Mapping ## ###################### - rename: - field: junipersrx.firewall.rulebase-name + field: juniper.srx.rulebase-name target_field: rule.name ignore_missing: true - if: "ctx.junipersrx?.firewall['rulebase-name'] != null" + if: "ctx.juniper?.srx['rulebase-name'] != null" - rename: - field: junipersrx.firewall.rule-name + field: juniper.srx.rule-name target_field: rule.id ignore_missing: true - if: "ctx.junipersrx?.firewall['rule-name'] != null" + if: "ctx.juniper?.srx['rule-name'] != null" ######################### ## ECS Network Mapping ## ######################### - rename: - field: junipersrx.firewall.protocol-name + field: juniper.srx.protocol-name target_field: network.protocol ignore_missing: true - if: "ctx.junipersrx?.firewall['protocol-name'] != null" + if: "ctx.juniper?.srx['protocol-name'] != null" ######################### ## ECS message Mapping ## ######################### - rename: - field: junipersrx.firewall.message + field: juniper.srx.message target_field: message ignore_missing: true - if: "ctx.junipersrx?.firewall?.message != null" + if: "ctx.juniper?.srx?.message != null" ############# ## Cleanup ## ############# - remove: field: - - junipersrx.firewall.destination-port - - junipersrx.firewall.nat-destination-port - - junipersrx.firewall.outbound-bytes - - junipersrx.firewall.outbound-packets - - junipersrx.firewall.source-port - - junipersrx.firewall.nat-source-port - - junipersrx.firewall.inbound-bytes - - junipersrx.firewall.inbound-packets + - juniper.srx.destination-port + - juniper.srx.nat-destination-port + - juniper.srx.outbound-bytes + - juniper.srx.outbound-packets + - 
juniper.srx.source-port + - juniper.srx.nat-source-port + - juniper.srx.inbound-bytes + - juniper.srx.inbound-packets ignore_missing: true on_failure: diff --git a/filebeat/module/junipersrx/firewall/ingest/ids.yml b/x-pack/filebeat/module/juniper/srx/ingest/ids.yml similarity index 74% rename from filebeat/module/junipersrx/firewall/ingest/ids.yml rename to x-pack/filebeat/module/juniper/srx/ingest/ids.yml index 166b42891989..3b02a1ca3070 100644 --- a/filebeat/module/junipersrx/firewall/ingest/ids.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/ids.yml 
@@ -9,93 +9,93 @@ processors: - set: field: event.outcome value: success - if: "ctx.junipersrx?.firewall?.tag != null" + if: "ctx.juniper?.srx?.tag != null" - append: field: event.category value: network - set: field: event.kind value: alert - if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' - append: field: event.category value: intrusion_detection - if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' - append: field: event.type value: - info - diened - connection - if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", 
"RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' - append: field: event.type value: - allowed - connection - if: '!["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '!["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' - set: field: event.action value: flood_detected - if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP based!"].contains(ctx.junipersrx?.firewall["attack-name"])' + if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP based!"].contains(ctx.juniper?.srx["attack-name"])' - set: field: event.action value: scan_detected - if: "ctx.junipersrx?.firewall['attack-name'] == 'TCP port scan!'" + if: "ctx.juniper?.srx['attack-name'] == 'TCP port scan!'" - set: field: event.action value: sweep_detected - if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.junipersrx?.firewall["attack-name"])' + if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.juniper?.srx["attack-name"])' - set: field: event.action value: fragment_detected - if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.junipersrx?.firewall["attack-name"])' + if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.juniper?.srx["attack-name"])' - set: field: event.action value: spoofing_detected - if: "ctx.junipersrx?.firewall['attack-name'] == 'IP spoofing!'" + if: "ctx.juniper?.srx['attack-name'] == 'IP 
spoofing!'" - set: field: event.action value: session_limit_detected - if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.junipersrx?.firewall["attack-name"])' + if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.juniper?.srx["attack-name"])' - set: field: event.action value: attack_detected - if: '["Land attack!", "WinNuke attack!"].contains(ctx.junipersrx?.firewall["attack-name"])' + if: '["Land attack!", "WinNuke attack!"].contains(ctx.juniper?.srx["attack-name"])' - set: field: event.action value: illegal_tcp_flag_detected - if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.junipersrx?.firewall["attack-name"])' + if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.juniper?.srx["attack-name"])' - set: field: event.action value: tunneling_screen - if: ctx.junipersrx?.firewall['attack-name'].startsWith('Tunnel') + if: ctx.juniper?.srx['attack-name'].startsWith('Tunnel') #################################### ## ECS Server/Destination Mapping ## #################################### - rename: - field: junipersrx.firewall.destination-address + field: juniper.srx.destination-address target_field: destination.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-address'] != null" + if: "ctx.juniper?.srx['destination-address'] != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: junipersrx.firewall.nat-destination-address + field: juniper.srx.nat-destination-address target_field: destination.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-address'] != null" + if: "ctx.juniper?.srx['nat-destination-address'] != null" - convert: - field: junipersrx.firewall.destination-port + field: juniper.srx.destination-port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-port'] != null" + if: 
"ctx.juniper?.srx['destination-port'] != null" - set: field: server.port value: '{{destination.port}}' @@ -108,12 +108,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: junipersrx.firewall.nat-destination-port + field: juniper.srx.nat-destination-port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-port'] != null" + if: "ctx.juniper?.srx['nat-destination-port'] != null" - set: field: server.nat.port value: '{{destination.nat.port}}' @@ -126,12 +126,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: junipersrx.firewall.bytes-from-server + field: juniper.srx.bytes-from-server target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['bytes-from-server'] != null" + if: "ctx.juniper?.srx['bytes-from-server'] != null" - set: field: server.bytes value: '{{destination.bytes}}' @@ -144,12 +144,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: junipersrx.firewall.packets-from-server + field: juniper.srx.packets-from-server target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['packets-from-server'] !=null" + if: "ctx.juniper?.srx['packets-from-server'] !=null" - set: field: server.packets value: '{{destination.packets}}' 
@@ -166,31 +166,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: junipersrx.firewall.source-address + field: juniper.srx.source-address target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['source-address'] != null" + if: "ctx.juniper?.srx['source-address'] != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: junipersrx.firewall.nat-source-address + field: juniper.srx.nat-source-address target_field: source.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-address'] != null" + if: "ctx.juniper?.srx['nat-source-address'] != null" - rename: - field: junipersrx.firewall.sourceip + field: juniper.srx.sourceip target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall?.sourceip != null" + if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: junipersrx.firewall.source-port + field: juniper.srx.source-port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['source-port'] != null" + if: "ctx.juniper?.srx['source-port'] != null" - set: field: client.port value: '{{source.port}}' @@ -203,12 +203,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: junipersrx.firewall.nat-source-port + field: juniper.srx.nat-source-port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-port'] != null" + if: "ctx.juniper?.srx['nat-source-port'] != null" - set: field: client.nat.port value: '{{source.nat.port}}' 
@@ -219,14 +219,14 @@ processors: type: long ignore_failure: true ignore_missing: true - if: "ctx.client?.nat?.port != null" + if: "ctx.client?.nat?.port != null" - convert: - field: junipersrx.firewall.bytes-from-client + field: juniper.srx.bytes-from-client target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['bytes-from-client'] != null" + if: "ctx.juniper?.srx['bytes-from-client'] != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -239,12 +239,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: junipersrx.firewall.packets-from-client + field: juniper.srx.packets-from-client target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['packets-from-client'] != null" + if: "ctx.juniper?.srx['packets-from-client'] != null" - set: field: client.packets value: '{{source.packets}}' @@ -257,19 +257,19 @@ processors: ignore_missing: true if: "ctx.client?.packets != null" - rename: - field: junipersrx.firewall.username + field: juniper.srx.username target_field: source.user.name ignore_missing: true - if: "ctx.junipersrx?.firewall?.username != null" + if: "ctx.juniper?.srx?.username != null" ############################# ## ECS Network/Geo Mapping ## ############################# - rename: - field: junipersrx.firewall.protocol-id + field: juniper.srx.protocol-id target_field: network.iana_number ignore_missing: true - if: "ctx.junipersrx?.firewall['protocol-id'] != null" + if: "ctx.juniper?.srx['protocol-id'] != null" - geoip: field: source.ip target_field: source.geo 
@@ -347,17 +347,17 @@ processors: ############# - remove: field: - - junipersrx.firewall.destination-port - - junipersrx.firewall.nat-destination-port - - junipersrx.firewall.bytes-from-client - - junipersrx.firewall.packets-from-client - - junipersrx.firewall.source-port - - junipersrx.firewall.nat-source-port - - junipersrx.firewall.bytes-from-server - - junipersrx.firewall.packets-from-server + - juniper.srx.destination-port + - juniper.srx.nat-destination-port + - juniper.srx.bytes-from-client + - juniper.srx.packets-from-client + - juniper.srx.source-port + - juniper.srx.nat-source-port + - juniper.srx.bytes-from-server + - juniper.srx.packets-from-server ignore_missing: true on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/junipersrx/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml similarity index 77% rename from filebeat/module/junipersrx/firewall/ingest/pipeline.yml rename to x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml index 11cc51c846ec..f0ec5dad4046 100644 --- a/filebeat/module/junipersrx/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml @@ -12,7 +12,7 @@ processors: field: log.original field_split: " (?=[a-z0-9\\_\\-]+=)" value_split: "=" - prefix: "junipersrx.firewall." + prefix: "juniper.srx." ignore_missing: true ignore_failure: false trim_value: "\"" 
@@ -40,19 +40,23 @@ processors: - yyyy-MM-dd HH:mm:ss Z - ISO8601 +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # Can possibly be omitted if there is a solution for the equal signs and the calculation of the start time. -# -> junipersrx.firewall.elapsed-time +# -> juniper.srx.elapsed-time - rename: - field: junipersrx.firewall.elapsed-time - target_field: junipersrx.firewall.duration - if: "ctx.junipersrx?.firewall['elapsed-time'] != null" + field: juniper.srx.elapsed-time + target_field: juniper.srx.duration + if: "ctx.juniper?.srx['elapsed-time'] != null" # Sets starts, end and duration when start and duration is known - script: lang: painless - if: ctx?.junipersrx?.firewall?.duration != null + if: ctx?.juniper?.srx?.duration != null source: >- - ctx.event.duration = Integer.parseInt(ctx.junipersrx.firewall.duration) * 1000000000L; + ctx.event.duration = Integer.parseInt(ctx.juniper.srx.duration) * 1000000000L; ctx.event.start = ctx['@timestamp']; ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); @@ -67,17 +71,17 @@ processors: - "N/A" - "-" source: >- - ctx?.junipersrx?.firewall.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + ctx?.juniper?.srx.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); ####################### ## ECS Event Mapping ## ####################### - set: field: event.module - value: junipersrx + value: juniper - set: field: event.dataset - value: junipersrx.firewall + value: juniper.srx - set: field: event.severity value: '{{syslog_pri}}' 
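Review bot: `Integer.parseInt(ctx.juniper.srx.duration)` in the duration script parses a value taken directly from the syslog message, so a non-numeric `elapsed-time`, or one larger than a 32-bit int, throws inside the script. Unless the script processor has failure handling outside this hunk, that sends the event to the pipeline-level `on_failure` and skips every later ECS mapping for it. Use `Long.parseLong(ctx.juniper.srx.duration) * 1000000000L` and add `ignore_failure: true` to the script processor (or a try/catch in the script) so a malformed duration costs only the duration fields. The script body continues past the end of the hunk.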
@@ -140,44 +144,44 @@ processors: target_field: observer.name ignore_missing: true - rename: - field: junipersrx.firewall.packet-incoming-interface + field: juniper.srx.packet-incoming-interface target_field: observer.ingress.interface.name ignore_missing: true - rename: - field: junipersrx.firewall.destination-interface-name + field: juniper.srx.destination-interface-name target_field: observer.egress.interface.name ignore_missing: true - rename: - field: junipersrx.firewall.source-interface-name + field: juniper.srx.source-interface-name target_field: observer.ingress.interface.name ignore_missing: true - rename: - field: junipersrx.firewall.interface-name + field: juniper.srx.interface-name target_field: observer.ingress.interface.name ignore_missing: true - rename: - field: junipersrx.firewall.source-zone-name + field: juniper.srx.source-zone-name target_field: observer.ingress.zone ignore_missing: true - rename: - field: junipersrx.firewall.source-zone + field: juniper.srx.source-zone target_field: observer.ingress.zone ignore_missing: true - rename: - field: junipersrx.firewall.destination-zone-name + field: juniper.srx.destination-zone-name target_field: observer.egress.zone ignore_missing: true - rename: - field: junipersrx.firewall.destination-zone + field: juniper.srx.destination-zone target_field: observer.egress.zone ignore_missing: true - rename: field: syslog_program - target_field: junipersrx.firewall.process + target_field: juniper.srx.process ignore_missing: true - rename: field: log_type - target_field: junipersrx.firewall.tag + target_field: juniper.srx.tag ignore_missing: true 
@@ -189,36 +193,36 @@ processors: - message - _temp_ - _temp - - junipersrx.firewall.duration - - junipersrx.firewall.dir_disp - - junipersrx.firewall.srczone - - junipersrx.firewall.dstzone - - junipersrx.firewall.duration + - juniper.srx.duration + - juniper.srx.dir_disp + - juniper.srx.srczone + - juniper.srx.dstzone + - juniper.srx.duration - syslog_pri - syslog_hostname ignore_missing: true -############################### -## Product Speific Pipelines ## -############################### +################################ +## Product Specific Pipelines ## +################################ - pipeline: name: '{< IngestPipeline "flow" >}' - if: "ctx.junipersrx?.firewall?.process == 'RT_FLOW'" + if: "ctx.juniper?.srx?.process == 'RT_FLOW'" - pipeline: name: '{< IngestPipeline "utm" >}' - if: "ctx.junipersrx?.firewall?.process == 'RT_UTM'" + if: "ctx.juniper?.srx?.process == 'RT_UTM'" - pipeline: name: '{< IngestPipeline "idp" >}' - if: "ctx.junipersrx?.firewall?.process == 'RT_IDP'" + if: "ctx.juniper?.srx?.process == 'RT_IDP'" - pipeline: name: '{< IngestPipeline "ids" >}' - if: "ctx.junipersrx?.firewall?.process == 'RT_IDS'" + if: "ctx.juniper?.srx?.process == 'RT_IDS'" - pipeline: name: '{< IngestPipeline "atp" >}' - if: "ctx.junipersrx?.firewall?.process == 'RT_AAMW'" + if: "ctx.juniper?.srx?.process == 'RT_AAMW'" - pipeline: name: '{< IngestPipeline "secintel" >}' - if: "ctx.junipersrx?.firewall?.process == 'RT_SECINTEL'" + if: "ctx.juniper?.srx?.process == 'RT_SECINTEL'" on_failure: - set: diff --git a/filebeat/module/junipersrx/firewall/ingest/secintel.yml b/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml similarity index 70% rename from filebeat/module/junipersrx/firewall/ingest/secintel.yml rename to x-pack/filebeat/module/juniper/srx/ingest/secintel.yml index 22b97ceb6ae0..07f000b98f0a 100644 --- a/filebeat/module/junipersrx/firewall/ingest/secintel.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml 
@@ -9,61 +9,61 @@ processors: - set: field: event.outcome value: success - if: "ctx.junipersrx?.firewall?.tag != null" + if: "ctx.juniper?.srx?.tag != null" - append: field: event.category value: network - set: field: event.kind value: alert - if: 'ctx.junipersrx?.firewall?.tag == "SECINTEL_ACTION_LOG" && ctx.junipersrx?.firewall?.action != "PERMIT"' + if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' - append: field: event.category value: malware - if: 'ctx.junipersrx?.firewall?.tag == "SECINTEL_ACTION_LOG" && ctx.junipersrx?.firewall?.action != "PERMIT"' + if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' - append: field: event.type value: - info - diened - connection - if: "ctx.junipersrx?.firewall?.action == 'BLOCK'" + if: "ctx.juniper?.srx?.action == 'BLOCK'" - append: field: event.type value: - allowed - connection - if: "ctx.junipersrx?.firewall?.action != 'BLOCK'" + if: "ctx.juniper?.srx?.action != 'BLOCK'" - set: field: event.action value: malware_detected - if: "ctx.junipersrx?.firewall?.action == 'BLOCK'" + if: "ctx.juniper?.srx?.action == 'BLOCK'" #################################### ## ECS Server/Destination Mapping ## #################################### - rename: - field: junipersrx.firewall.destination-address + field: juniper.srx.destination-address target_field: destination.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-address'] != null" + if: "ctx.juniper?.srx['destination-address'] != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: junipersrx.firewall.nat-destination-address + field: juniper.srx.nat-destination-address target_field: destination.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-address'] != null" + if: "ctx.juniper?.srx['nat-destination-address'] != null" - convert: - field: junipersrx.firewall.destination-port + field: 
juniper.srx.destination-port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-port'] != null" + if: "ctx.juniper?.srx['destination-port'] != null" - set: field: server.port value: '{{destination.port}}' @@ -76,12 +76,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: junipersrx.firewall.nat-destination-port + field: juniper.srx.nat-destination-port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-port'] != null" + if: "ctx.juniper?.srx['nat-destination-port'] != null" - set: field: server.nat.port value: '{{destination.nat.port}}' @@ -94,12 +94,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: junipersrx.firewall.bytes-from-server + field: juniper.srx.bytes-from-server target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['bytes-from-server'] != null" + if: "ctx.juniper?.srx['bytes-from-server'] != null" - set: field: server.bytes value: '{{destination.bytes}}' @@ -112,12 +112,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: junipersrx.firewall.packets-from-server + field: juniper.srx.packets-from-server target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['packets-from-server'] !=null" + if: "ctx.juniper?.srx['packets-from-server'] !=null" - set: field: server.packets value: '{{destination.packets}}' 
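Review bot: The `event.type` list appended when `action == 'BLOCK'` contains `diened`, which is not an ECS value; it should read `- denied`. As written, queries and detection rules that filter on `event.type: denied` will not match blocked SecIntel events. The same spelling is in the `@@ -9,78 +9,78 @@` hunk of utm.yml. In this hunk it is also worth checking that `event.kind: alert` keys on `action != "PERMIT"` while `event.type: allowed` keys on `action != 'BLOCK'`, so an action that is neither value gets both.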
@@ -134,31 +134,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: junipersrx.firewall.source-address + field: juniper.srx.source-address target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['source-address'] != null" + if: "ctx.juniper?.srx['source-address'] != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: junipersrx.firewall.nat-source-address + field: juniper.srx.nat-source-address target_field: source.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-address'] != null" + if: "ctx.juniper?.srx['nat-source-address'] != null" - rename: - field: junipersrx.firewall.sourceip + field: juniper.srx.sourceip target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall?.sourceip != null" + if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: junipersrx.firewall.source-port + field: juniper.srx.source-port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['source-port'] != null" + if: "ctx.juniper?.srx['source-port'] != null" - set: field: client.port value: '{{source.port}}' @@ -171,12 +171,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: junipersrx.firewall.nat-source-port + field: juniper.srx.nat-source-port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-port'] != null" + if: "ctx.juniper?.srx['nat-source-port'] != null" - set: field: client.nat.port value: '{{source.nat.port}}' 
@@ -187,14 +187,14 @@ processors: type: long ignore_failure: true ignore_missing: true - if: "ctx.client?.nat?.port != null" + if: "ctx.client?.nat?.port != null" - convert: - field: junipersrx.firewall.bytes-from-client + field: juniper.srx.bytes-from-client target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['bytes-from-client'] != null" + if: "ctx.juniper?.srx['bytes-from-client'] != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -207,12 +207,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: junipersrx.firewall.packets-from-client + field: juniper.srx.packets-from-client target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['packets-from-client'] != null" + if: "ctx.juniper?.srx['packets-from-client'] != null" - set: field: client.packets value: '{{source.packets}}' 
@@ -225,38 +225,38 @@ processors: ignore_missing: true if: "ctx.client?.packets != null" - rename: - field: junipersrx.firewall.username + field: juniper.srx.username target_field: source.user.name ignore_missing: true - if: "ctx.junipersrx?.firewall?.username != null" + if: "ctx.juniper?.srx?.username != null" - rename: - field: junipersrx.firewall.hostname + field: juniper.srx.hostname target_field: source.address ignore_missing: true - if: "ctx.junipersrx?.firewall?.hostname != null" + if: "ctx.juniper?.srx?.hostname != null" - rename: - field: junipersrx.firewall.client-ip + field: juniper.srx.client-ip target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['client-ip'] != null" + if: "ctx.juniper?.srx['client-ip'] != null" ###################### ## ECS URL Mapping ## ###################### - rename: - field: junipersrx.firewall.http-host + field: juniper.srx.http-host target_field: url.domain ignore_missing: true - if: "ctx.junipersrx?.firewall['http-host'] != null" + if: "ctx.juniper?.srx['http-host'] != null" ############################# ## ECS Network/Geo Mapping ## ############################# - rename: - field: junipersrx.firewall.protocol-id + field: juniper.srx.protocol-id target_field: network.iana_number ignore_missing: true - if: "ctx.junipersrx?.firewall['protocol-id'] != null" + if: "ctx.juniper?.srx['protocol-id'] != null" - geoip: field: source.ip target_field: source.geo 
@@ -333,17 +333,17 @@ processors: ############# - remove: field: - - junipersrx.firewall.destination-port - - junipersrx.firewall.nat-destination-port - - junipersrx.firewall.bytes-from-client - - junipersrx.firewall.packets-from-client - - junipersrx.firewall.source-port - - junipersrx.firewall.nat-source-port - - junipersrx.firewall.bytes-from-server - - junipersrx.firewall.packets-from-server + - juniper.srx.destination-port + - juniper.srx.nat-destination-port + - juniper.srx.bytes-from-client + - juniper.srx.packets-from-client + - juniper.srx.source-port + - juniper.srx.nat-source-port + - juniper.srx.bytes-from-server + - juniper.srx.packets-from-server ignore_missing: true on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/junipersrx/firewall/ingest/utm.yml b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml similarity index 74% rename from filebeat/module/junipersrx/firewall/ingest/utm.yml rename to x-pack/filebeat/module/juniper/srx/ingest/utm.yml index 119d166ac9ac..5f81907fe678 100644 --- a/filebeat/module/junipersrx/firewall/ingest/utm.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml 
@@ -9,78 +9,78 @@ processors: - set: field: event.outcome value: success - if: "ctx.junipersrx?.firewall?.tag != null" + if: "ctx.juniper?.srx?.tag != null" - append: field: event.category value: network - rename: - field: junipersrx.firewall.urlcategory-risk + field: juniper.srx.urlcategory-risk target_field: event.risk_score ignore_missing: true - if: "ctx.junipersrx?.firewall['urlcategory-risk'] != null" + if: "ctx.juniper?.srx['urlcategory-risk'] != null" - set: field: event.kind value: alert - if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' - append: field: event.category value: malware - if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' - append: field: event.type value: - info - diened - connection - if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", 
"CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' - append: field: event.type value: - allowed - connection - if: '!["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '!["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' - set: field: event.action value: web_filter - if: '["WEBFILTER_URL_BLOCKED", "WEBFILTER_URL_BLOCKED_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["WEBFILTER_URL_BLOCKED", "WEBFILTER_URL_BLOCKED_LS"].contains(ctx.juniper?.srx?.tag)' - set: field: event.action value: content_filter - if: '["CONTENT_FILTERING_BLOCKED_MT", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["CONTENT_FILTERING_BLOCKED_MT", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' - set: field: event.action value: antispam_filter - if: '["ANTISPAM_SPAM_DETECTED_MT", "ANTISPAM_SPAM_DETECTED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' + if: '["ANTISPAM_SPAM_DETECTED_MT", "ANTISPAM_SPAM_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' - set: field: event.action value: virus_detected - if: '["AV_VIRUS_DETECTED_MT", "AV_VIRUS_DETECTED_MT_LS"].contains(ctx.junipersrx?.firewall?.tag)' - + if: '["AV_VIRUS_DETECTED_MT", "AV_VIRUS_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' + 
#################################### ## ECS Server/Destination Mapping ## #################################### - rename: - field: junipersrx.firewall.destination-address + field: juniper.srx.destination-address target_field: destination.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-address'] != null" + if: "ctx.juniper?.srx['destination-address'] != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: junipersrx.firewall.nat-destination-address + field: juniper.srx.nat-destination-address target_field: destination.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-address'] != null" + if: "ctx.juniper?.srx['nat-destination-address'] != null" - convert: - field: junipersrx.firewall.destination-port + field: juniper.srx.destination-port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['destination-port'] != null" + if: "ctx.juniper?.srx['destination-port'] != null" - set: field: server.port value: '{{destination.port}}' @@ -93,12 +93,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: junipersrx.firewall.nat-destination-port + field: juniper.srx.nat-destination-port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-destination-port'] != null" + if: "ctx.juniper?.srx['nat-destination-port'] != null" - set: field: server.nat.port value: '{{destination.nat.port}}' 
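Review bot: `urlcategory-risk` is moved into `event.risk_score` with a plain `rename`, so whatever string the device logged is indexed unchanged. ECS defines that field as a float, and a non-numeric value would presumably be rejected at index time, losing the whole event. The port and byte counters in this same file already go through `convert` with `ignore_failure: true`; doing the same here with `type: float` keeps the event and leaves the raw value under `juniper.srx` when it does not parse. The `processors:` list starts and ends outside the hunk.

```yaml
- convert:
    field: juniper.srx.urlcategory-risk
    target_field: event.risk_score
    type: float
    ignore_failure: true
    ignore_missing: true
    if: "ctx.juniper?.srx['urlcategory-risk'] != null"
# … unchanged: event.kind / event.category / event.type / event.action processors …
```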
@@ -111,12 +111,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: junipersrx.firewall.bytes-from-server + field: juniper.srx.bytes-from-server target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['bytes-from-server'] != null" + if: "ctx.juniper?.srx['bytes-from-server'] != null" - set: field: server.bytes value: '{{destination.bytes}}' @@ -129,12 +129,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: junipersrx.firewall.packets-from-server + field: juniper.srx.packets-from-server target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['packets-from-server'] !=null" + if: "ctx.juniper?.srx['packets-from-server'] !=null" - set: field: server.packets value: '{{destination.packets}}' 
@@ -151,31 +151,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: junipersrx.firewall.source-address + field: juniper.srx.source-address target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['source-address'] != null" + if: "ctx.juniper?.srx['source-address'] != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: junipersrx.firewall.nat-source-address + field: juniper.srx.nat-source-address target_field: source.nat.ip ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-address'] != null" + if: "ctx.juniper?.srx['nat-source-address'] != null" - rename: - field: junipersrx.firewall.sourceip + field: juniper.srx.sourceip target_field: source.ip ignore_missing: true - if: "ctx.junipersrx?.firewall?.sourceip != null" + if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: junipersrx.firewall.source-port + field: juniper.srx.source-port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['source-port'] != null" + if: "ctx.juniper?.srx['source-port'] != null" - set: field: client.port value: '{{source.port}}' @@ -188,12 +188,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: junipersrx.firewall.nat-source-port + field: juniper.srx.nat-source-port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['nat-source-port'] != null" + if: "ctx.juniper?.srx['nat-source-port'] != null" - set: field: client.nat.port value: '{{source.nat.port}}' 
@@ -204,14 +204,14 @@ processors: type: long ignore_failure: true ignore_missing: true - if: "ctx.client?.nat?.port != null" + if: "ctx.client?.nat?.port != null" - convert: - field: junipersrx.firewall.bytes-from-client + field: juniper.srx.bytes-from-client target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['bytes-from-client'] != null" + if: "ctx.juniper?.srx['bytes-from-client'] != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -224,12 +224,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: junipersrx.firewall.packets-from-client + field: juniper.srx.packets-from-client target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.junipersrx?.firewall['packets-from-client'] != null" + if: "ctx.juniper?.srx['packets-from-client'] != null" - set: field: client.packets value: '{{source.packets}}' 
@@ -242,60 +242,60 @@ processors: ignore_missing: true if: "ctx.client?.packets != null" - rename: - field: junipersrx.firewall.username + field: juniper.srx.username target_field: source.user.name ignore_missing: true - if: "ctx.junipersrx?.firewall?.username != null" + if: "ctx.juniper?.srx?.username != null" ###################### ## ECS Rule Mapping ## ###################### - rename: - field: junipersrx.firewall.policy-name + field: juniper.srx.policy-name target_field: rule.name ignore_missing: true - if: "ctx.junipersrx?.firewall['policy-name'] != null" + if: "ctx.juniper?.srx['policy-name'] != null" ##################### ## ECS URL Mapping ## ##################### - rename: - field: junipersrx.firewall.url + field: juniper.srx.url target_field: url.domain ignore_missing: true - if: "ctx.junipersrx?.firewall?.url != null" + if: "ctx.juniper?.srx?.url != null" - rename: - field: junipersrx.firewall.obj + field: juniper.srx.obj target_field: url.path ignore_missing: true - if: "ctx.junipersrx?.firewall?.obj != null" + if: "ctx.juniper?.srx?.obj != null" ###################### ## ECS File Mapping ## ###################### - rename: - field: junipersrx.firewall.filename + field: juniper.srx.filename target_field: file.name ignore_missing: true - if: "ctx.junipersrx?.firewall?.filename != null" + if: "ctx.juniper?.srx?.filename != null" ######################### ## ECS Network Mapping ## ######################### - rename: - field: junipersrx.firewall.protocol + field: juniper.srx.protocol target_field: network.protocol ignore_missing: true - if: "ctx.junipersrx?.firewall?.protocol != null" + if: "ctx.juniper?.srx?.protocol != null" ############################# ## ECS Network/Geo Mapping ## ############################# - rename: - field: junipersrx.firewall.protocol-id + field: juniper.srx.protocol-id target_field: network.iana_number ignore_missing: true - if: "ctx.junipersrx?.firewall['protocol-id'] != null" + if: "ctx.juniper?.srx['protocol-id'] != null" - 
geoip: field: source.ip target_field: source.geo @@ -372,14 +372,14 @@ processors: ############# - remove: field: - - junipersrx.firewall.destination-port - - junipersrx.firewall.nat-destination-port - - junipersrx.firewall.bytes-from-client - - junipersrx.firewall.packets-from-client - - junipersrx.firewall.source-port - - junipersrx.firewall.nat-source-port - - junipersrx.firewall.bytes-from-server - - junipersrx.firewall.packets-from-server + - juniper.srx.destination-port + - juniper.srx.nat-destination-port + - juniper.srx.bytes-from-client + - juniper.srx.packets-from-client + - juniper.srx.source-port + - juniper.srx.nat-source-port + - juniper.srx.bytes-from-server + - juniper.srx.packets-from-server ignore_missing: true on_failure: diff --git a/filebeat/module/junipersrx/firewall/manifest.yml b/x-pack/filebeat/module/juniper/srx/manifest.yml similarity index 83% rename from filebeat/module/junipersrx/firewall/manifest.yml rename to x-pack/filebeat/module/juniper/srx/manifest.yml index 46c09a3f80bb..6cfd34855f77 100644 --- a/filebeat/module/junipersrx/firewall/manifest.yml +++ b/x-pack/filebeat/module/juniper/srx/manifest.yml @@ -4,7 +4,7 @@ var: - name: syslog_host default: localhost - name: tags - default: [junipersrx-firewall, forwarded] + default: [juniper-srx, forwarded] - name: syslog_port default: 9006 - name: input @@ -19,7 +19,7 @@ ingest_pipeline: - ingest/atp.yml - ingest/secintel.yml -input: config/firewall.yml +input: config/srx.yml requires.processors: - name: geoip diff --git a/filebeat/module/junipersrx/firewall/test/atp.log b/x-pack/filebeat/module/juniper/srx/test/atp.log similarity index 100% rename from filebeat/module/junipersrx/firewall/test/atp.log rename to x-pack/filebeat/module/juniper/srx/test/atp.log 
diff --git a/filebeat/module/junipersrx/firewall/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json similarity index 100% rename from filebeat/module/junipersrx/firewall/test/atp.log-expected.json rename to x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json diff --git a/filebeat/module/junipersrx/firewall/test/flow.log b/x-pack/filebeat/module/juniper/srx/test/flow.log similarity index 100% rename from filebeat/module/junipersrx/firewall/test/flow.log rename to x-pack/filebeat/module/juniper/srx/test/flow.log diff --git a/filebeat/module/junipersrx/firewall/test/flow.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json similarity index 100% rename from filebeat/module/junipersrx/firewall/test/flow.log-expected.json rename to x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json diff --git a/filebeat/module/junipersrx/firewall/test/idp.log b/x-pack/filebeat/module/juniper/srx/test/idp.log similarity index 100% rename from filebeat/module/junipersrx/firewall/test/idp.log rename to x-pack/filebeat/module/juniper/srx/test/idp.log diff --git a/filebeat/module/junipersrx/firewall/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json similarity index 100% rename from filebeat/module/junipersrx/firewall/test/idp.log-expected.json rename to x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json diff --git a/filebeat/module/junipersrx/firewall/test/ids.log b/x-pack/filebeat/module/juniper/srx/test/ids.log similarity index 100% rename from filebeat/module/junipersrx/firewall/test/ids.log rename to x-pack/filebeat/module/juniper/srx/test/ids.log 
diff --git a/filebeat/module/junipersrx/firewall/test/ids.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json similarity index 100% rename from filebeat/module/junipersrx/firewall/test/ids.log-expected.json rename to x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json diff --git a/filebeat/module/junipersrx/firewall/test/secintel.log b/x-pack/filebeat/module/juniper/srx/test/secintel.log similarity index 100% rename from filebeat/module/junipersrx/firewall/test/secintel.log rename to x-pack/filebeat/module/juniper/srx/test/secintel.log diff --git a/filebeat/module/junipersrx/firewall/test/secintel.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json similarity index 100% rename from filebeat/module/junipersrx/firewall/test/secintel.log-expected.json rename to x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json diff --git a/filebeat/module/junipersrx/firewall/test/utm.log b/x-pack/filebeat/module/juniper/srx/test/utm.log similarity index 100% rename from filebeat/module/junipersrx/firewall/test/utm.log rename to x-pack/filebeat/module/juniper/srx/test/utm.log diff --git a/filebeat/module/junipersrx/firewall/test/utm.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json similarity index 100% rename from filebeat/module/junipersrx/firewall/test/utm.log-expected.json rename to x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled index e3359756d906..846a28fad633 100644 --- a/x-pack/filebeat/modules.d/juniper.yml.disabled +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled @@ -20,6 +20,7 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local +<<<<<<< HEAD netscreen: enabled: true 
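Review bot: The added line `<<<<<<< HEAD` is an unresolved merge-conflict marker committed into juniper.yml.disabled, and the following `@@ -39,3 +40,17 @@` hunk adds the matching `=======` and `>>>>>>> stashing changes for later`. With the markers in place the file will most likely fail to parse as YAML once the module is enabled, so neither the `netscreen` nor the `srx` fileset would load. Delete the three marker lines and keep both fileset blocks.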
@@ -39,3 +40,17 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local +======= + srx: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9006. + #var.syslog_port: 9006 +>>>>>>> stashing changes for later From 8a315be71c8c8deae6f9ac57a74032596daeb2cf Mon Sep 17 00:00:00 2001 From: P1llus Date: Thu, 20 Aug 2020 07:09:01 +0200 Subject: [PATCH 03/14] Initial MVP release ready for review --- filebeat/docs/fields.asciidoc | 248 +++---- x-pack/filebeat/module/juniper/fields.go | 2 +- .../module/juniper/srx/_meta/fields.yml | 200 +++--- .../module/juniper/srx/ingest/atp.yml | 80 +-- .../module/juniper/srx/ingest/flow.yml | 82 +-- .../module/juniper/srx/ingest/idp.yml | 78 +-- .../module/juniper/srx/ingest/ids.yml | 88 +-- .../module/juniper/srx/ingest/pipeline.yml | 29 +- .../module/juniper/srx/ingest/secintel.yml | 78 +-- .../module/juniper/srx/ingest/utm.yml | 78 +-- .../juniper/srx/test/atp.log-expected.json | 126 ++-- .../juniper/srx/test/flow.log-expected.json | 608 +++++++++--------- .../juniper/srx/test/idp.log-expected.json | 294 +++++---- .../juniper/srx/test/ids.log-expected.json | 240 +++---- .../srx/test/secintel.log-expected.json | 72 +-- .../juniper/srx/test/utm.log-expected.json | 246 +++---- 16 files changed, 1281 insertions(+), 1268 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 923c030fec49..9593f39f8d02 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -88081,13 +88081,13 @@ type: keyword -- [float] -=== srx +=== juniper.srx Module for parsing junipersrx syslog. -*`srx.reason`*:: +*`juniper.srx.reason`*:: + -- reason 
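Review bot: The new `srx:` block's comment `Set to 0.0.0.0 to bind to all available interfaces` says nothing about who can then write to the listener. The options shown here (`var.input`, `var.syslog_host`, `var.syslog_port`) expose no sender authentication, so a wildcard bind appears to let any reachable host inject firewall events into the index. I would add a caveat under the `var.syslog_host` comment, for example `# Syslog senders are not authenticated; when binding beyond localhost,` followed by `# restrict the port to the SRX source addresses with a host or network firewall.`. This is a documentation change only and the default of localhost stays as is.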
@@ -88097,7 +88097,7 @@ type: keyword -- -*`srx.source-address`*:: +*`juniper.srx.source_address`*:: + -- source address @@ -88107,7 +88107,7 @@ type: ip -- -*`srx.source-port`*:: +*`juniper.srx.source_port`*:: + -- source port @@ -88117,7 +88117,7 @@ type: integer -- -*`srx.destination-address`*:: +*`juniper.srx.destination_address`*:: + -- destination address @@ -88127,7 +88127,7 @@ type: ip -- -*`srx.destination-port`*:: +*`juniper.srx.destination_port`*:: + -- destination port @@ -88137,7 +88137,7 @@ type: integer -- -*`srx.connection-tag`*:: +*`juniper.srx.connection_tag`*:: + -- connection tag @@ -88147,7 +88147,7 @@ type: keyword -- -*`srx.service-name`*:: +*`juniper.srx.service_name`*:: + -- service name @@ -88157,7 +88157,7 @@ type: keyword -- -*`srx.nat-source-address`*:: +*`juniper.srx.nat_source_address`*:: + -- nat source address @@ -88167,7 +88167,7 @@ type: ip -- -*`srx.nat-source-port`*:: +*`juniper.srx.nat_source_port`*:: + -- nat source port @@ -88177,7 +88177,7 @@ type: integer -- -*`srx.nat-destination-address`*:: +*`juniper.srx.nat_destination_address`*:: + -- nat destination address @@ -88187,7 +88187,7 @@ type: ip -- -*`srx.nat-destination-port`*:: +*`juniper.srx.nat_destination_port`*:: + -- nat destination port @@ -88197,7 +88197,7 @@ type: integer -- -*`srx.nat-connection-tag`*:: +*`juniper.srx.nat_connection_tag`*:: + -- nat connection tag @@ -88207,7 +88207,7 @@ type: keyword -- -*`srx.src-nat-rule-type`*:: +*`juniper.srx.src_nat_rule_type`*:: + -- src nat rule type @@ -88217,7 +88217,7 @@ type: keyword -- -*`srx.src-nat-rule-name`*:: +*`juniper.srx.src_nat_rule_name`*:: + -- src nat rule name @@ -88227,7 +88227,7 @@ type: keyword -- -*`srx.dst-nat-rule-type`*:: +*`juniper.srx.dst_nat_rule_type`*:: + -- dst nat rule type @@ -88237,7 +88237,7 @@ type: keyword -- -*`srx.dst-nat-rule-name`*:: +*`juniper.srx.dst_nat_rule_name`*:: + -- dst nat rule name 
@@ -88247,7 +88247,7 @@ type: keyword -- -*`srx.protocol-id`*:: +*`juniper.srx.protocol_id`*:: + -- protocol id @@ -88257,7 +88257,7 @@ type: keyword -- -*`srx.policy-name`*:: +*`juniper.srx.policy_name`*:: + -- policy name @@ -88267,7 +88267,7 @@ type: keyword -- -*`srx.source-zone-name`*:: +*`juniper.srx.source_zone_name`*:: + -- source zone name @@ -88277,7 +88277,7 @@ type: keyword -- -*`srx.source-zone`*:: +*`juniper.srx.source_zone`*:: + -- source zone @@ -88287,7 +88287,7 @@ type: keyword -- -*`srx.destination-zone-name`*:: +*`juniper.srx.destination_zone_name`*:: + -- destination zone name @@ -88297,7 +88297,7 @@ type: keyword -- -*`srx.destination-zone`*:: +*`juniper.srx.destination_zone`*:: + -- destination zone @@ -88307,7 +88307,7 @@ type: keyword -- -*`srx.session-id-32`*:: +*`juniper.srx.session_id_32`*:: + -- session id 32 @@ -88317,7 +88317,7 @@ type: keyword -- -*`srx.session-id`*:: +*`juniper.srx.session_id`*:: + -- session id @@ -88327,7 +88327,7 @@ type: keyword -- -*`srx.packets-from-client`*:: +*`juniper.srx.packets_from_client`*:: + -- packets from client @@ -88337,7 +88337,7 @@ type: integer -- -*`srx.outbound-packets`*:: +*`juniper.srx.outbound_packets`*:: + -- packets from client @@ -88347,7 +88347,7 @@ type: integer -- -*`srx.bytes-from-client`*:: +*`juniper.srx.bytes_from_client`*:: + -- bytes from client @@ -88357,7 +88357,7 @@ type: integer -- -*`srx.outbound-bytes`*:: +*`juniper.srx.outbound_bytes`*:: + -- bytes from client @@ -88367,7 +88367,7 @@ type: integer -- -*`srx.packets-from-server`*:: +*`juniper.srx.packets_from_server`*:: + -- packets from server @@ -88377,7 +88377,7 @@ type: integer -- -*`srx.inbound-packets`*:: +*`juniper.srx.inbound_packets`*:: + -- packets from server @@ -88387,7 +88387,7 @@ type: integer -- -*`srx.bytes-from-server`*:: +*`juniper.srx.bytes_from_server`*:: + -- bytes from server @@ -88397,7 +88397,7 @@ type: integer -- -*`srx.inbound-bytes`*:: +*`juniper.srx.inbound_bytes`*:: + -- bytes from server 
@@ -88407,7 +88407,7 @@ type: integer -- -*`srx.elapsed-time`*:: +*`juniper.srx.elapsed_time`*:: + -- elapsed time @@ -88417,7 +88417,7 @@ type: date -- -*`srx.application`*:: +*`juniper.srx.application`*:: + -- application @@ -88427,7 +88427,7 @@ type: keyword -- -*`srx.nested-application`*:: +*`juniper.srx.nested_application`*:: + -- nested application @@ -88437,7 +88437,7 @@ type: keyword -- -*`srx.username`*:: +*`juniper.srx.username`*:: + -- username @@ -88447,7 +88447,7 @@ type: keyword -- -*`srx.roles`*:: +*`juniper.srx.roles`*:: + -- roles @@ -88457,7 +88457,7 @@ type: keyword -- -*`srx.packet-incoming-interface`*:: +*`juniper.srx.packet_incoming_interface`*:: + -- packet incoming interface @@ -88467,7 +88467,7 @@ type: keyword -- -*`srx.encrypted`*:: +*`juniper.srx.encrypted`*:: + -- encrypted @@ -88477,7 +88477,7 @@ type: keyword -- -*`srx.application-category`*:: +*`juniper.srx.application_category`*:: + -- application category @@ -88487,7 +88487,7 @@ type: keyword -- -*`srx.application-sub-category`*:: +*`juniper.srx.application_sub_category`*:: + -- application sub category @@ -88497,7 +88497,7 @@ type: keyword -- -*`srx.application-risk`*:: +*`juniper.srx.application_risk`*:: + -- application risk @@ -88507,7 +88507,7 @@ type: integer -- -*`srx.urlcategory-risk`*:: +*`juniper.srx.urlcategory_risk`*:: + -- urlcategory risk @@ -88517,7 +88517,7 @@ type: integer -- -*`srx.application-characteristics`*:: +*`juniper.srx.application_characteristics`*:: + -- application characteristics @@ -88527,7 +88527,7 @@ type: keyword -- -*`srx.secure-web-proxy-session-type`*:: +*`juniper.srx.secure_web_proxy_session_type`*:: + -- secure web proxy session type @@ -88537,7 +88537,7 @@ type: keyword -- -*`srx.peer-session-id`*:: +*`juniper.srx.peer_session_id`*:: + -- peer session id @@ -88547,7 +88547,7 @@ type: keyword -- -*`srx.peer-source-address`*:: +*`juniper.srx.peer_source_address`*:: + -- peer source address 
@@ -88557,7 +88557,7 @@ type: ip -- -*`srx.peer-source-port`*:: +*`juniper.srx.peer_source_port`*:: + -- peer source port @@ -88567,7 +88567,7 @@ type: integer -- -*`srx.peer-destination-address`*:: +*`juniper.srx.peer_destination_address`*:: + -- peer destination address @@ -88577,7 +88577,7 @@ type: ip -- -*`srx.peer-destination-port`*:: +*`juniper.srx.peer_destination_port`*:: + -- peer destination port @@ -88587,7 +88587,7 @@ type: integer -- -*`srx.hostname`*:: +*`juniper.srx.hostname`*:: + -- hostname @@ -88597,27 +88597,27 @@ type: keyword -- -*`srx.src-vrf-grp`*:: +*`juniper.srx.src_vrf_grp`*:: + -- -src-vrf-grp +src_vrf_grp type: keyword -- -*`srx.dst-vrf-grp`*:: +*`juniper.srx.dst_vrf_grp`*:: + -- -dst-vrf-grp +dst_vrf_grp type: keyword -- -*`srx.icmp-type`*:: +*`juniper.srx.icmp_type`*:: + -- icmp type @@ -88627,7 +88627,7 @@ type: integer -- -*`srx.process`*:: +*`juniper.srx.process`*:: + -- process that generated the message @@ -88637,7 +88637,7 @@ type: keyword -- -*`srx.apbr-rule-type`*:: +*`juniper.srx.apbr_rule_type`*:: + -- apbr rule type @@ -88647,7 +88647,7 @@ type: keyword -- -*`srx.dscp-value`*:: +*`juniper.srx.dscp_value`*:: + -- apbr rule type @@ -88657,7 +88657,7 @@ type: integer -- -*`srx.logical-system-name`*:: +*`juniper.srx.logical_system_name`*:: + -- logical system name @@ -88667,7 +88667,7 @@ type: keyword -- -*`srx.destination-interface-name`*:: +*`juniper.srx.destination_interface_name`*:: + -- destination interface name @@ -88677,7 +88677,7 @@ type: keyword -- -*`srx.profile-name`*:: +*`juniper.srx.profile_name`*:: + -- profile name @@ -88687,7 +88687,7 @@ type: keyword -- -*`srx.routing-instance`*:: +*`juniper.srx.routing_instance`*:: + -- routing instance @@ -88697,7 +88697,7 @@ type: keyword -- -*`srx.rule-name`*:: +*`juniper.srx.rule_name`*:: + -- rule name @@ -88707,7 +88707,7 @@ type: keyword -- -*`srx.uplink-tx-bytes`*:: +*`juniper.srx.uplink_tx_bytes`*:: + -- uplink tx bytes 
@@ -88717,7 +88717,7 @@ type: integer -- -*`srx.uplink-rx-bytes`*:: +*`juniper.srx.uplink_rx_bytes`*:: + -- uplink rx bytes @@ -88727,7 +88727,7 @@ type: integer -- -*`srx.obj`*:: +*`juniper.srx.obj`*:: + -- url path @@ -88737,7 +88737,7 @@ type: keyword -- -*`srx.url`*:: +*`juniper.srx.url`*:: + -- url domain @@ -88747,7 +88747,7 @@ type: keyword -- -*`srx.profile`*:: +*`juniper.srx.profile`*:: + -- filter profile @@ -88757,7 +88757,7 @@ type: keyword -- -*`srx.category`*:: +*`juniper.srx.category`*:: + -- filter category @@ -88767,7 +88767,7 @@ type: keyword -- -*`srx.filename`*:: +*`juniper.srx.filename`*:: + -- filename @@ -88777,17 +88777,17 @@ type: keyword -- -*`srx.temporary-filename`*:: +*`juniper.srx.temporary_filename`*:: + -- -temporary-filename +temporary_filename type: keyword -- -*`srx.name`*:: +*`juniper.srx.name`*:: + -- name @@ -88797,27 +88797,27 @@ type: keyword -- -*`srx.error-message`*:: +*`juniper.srx.error_message`*:: + -- -error-message +error_message type: keyword -- -*`srx.error-code`*:: +*`juniper.srx.error_code`*:: + -- -error-code +error_code type: keyword -- -*`srx.action`*:: +*`juniper.srx.action`*:: + -- action @@ -88827,7 +88827,7 @@ type: keyword -- -*`srx.protocol`*:: +*`juniper.srx.protocol`*:: + -- protocol @@ -88837,7 +88837,7 @@ type: keyword -- -*`srx.protocol-name`*:: +*`juniper.srx.protocol_name`*:: + -- protocol name @@ -88847,7 +88847,7 @@ type: keyword -- -*`srx.type`*:: +*`juniper.srx.type`*:: + -- type @@ -88857,7 +88857,7 @@ type: keyword -- -*`srx.repeat-count`*:: +*`juniper.srx.repeat_count`*:: + -- repeat count @@ -88867,7 +88867,7 @@ type: integer -- -*`srx.alert`*:: +*`juniper.srx.alert`*:: + -- repeat alert @@ -88877,7 +88877,7 @@ type: keyword -- -*`srx.message-type`*:: +*`juniper.srx.message_type`*:: + -- message type @@ -88887,7 +88887,7 @@ type: keyword -- -*`srx.threat-severity`*:: +*`juniper.srx.threat_severity`*:: + -- threat severity 
@@ -88897,7 +88897,7 @@ type: keyword -- -*`srx.application-name`*:: +*`juniper.srx.application_name`*:: + -- application name @@ -88907,7 +88907,7 @@ type: keyword -- -*`srx.attack-name`*:: +*`juniper.srx.attack_name`*:: + -- attack name @@ -88917,7 +88917,7 @@ type: keyword -- -*`srx.index`*:: +*`juniper.srx.index`*:: + -- index @@ -88927,7 +88927,7 @@ type: keyword -- -*`srx.message`*:: +*`juniper.srx.message`*:: + -- mesagge @@ -88937,7 +88937,7 @@ type: keyword -- -*`srx.epoch-time`*:: +*`juniper.srx.epoch_time`*:: + -- epoch time @@ -88947,7 +88947,7 @@ type: date -- -*`srx.packet-log-id`*:: +*`juniper.srx.packet_log_id`*:: + -- packet log id @@ -88957,7 +88957,7 @@ type: integer -- -*`srx.export-id`*:: +*`juniper.srx.export_id`*:: + -- packet log id @@ -88967,7 +88967,7 @@ type: integer -- -*`srx.ddos-application-name`*:: +*`juniper.srx.ddos_application_name`*:: + -- ddos application name @@ -88977,7 +88977,7 @@ type: keyword -- -*`srx.connection-hit-rate`*:: +*`juniper.srx.connection_hit_rate`*:: + -- connection hit rate @@ -88987,7 +88987,7 @@ type: integer -- -*`srx.time-scope`*:: +*`juniper.srx.time_scope`*:: + -- time scope @@ -88997,7 +88997,7 @@ type: keyword -- -*`srx.context-hit-rate`*:: +*`juniper.srx.context_hit_rate`*:: + -- context hit rate @@ -89007,7 +89007,7 @@ type: integer -- -*`srx.context-value-hit-rate`*:: +*`juniper.srx.context_value_hit_rate`*:: + -- context value hit rate @@ -89017,7 +89017,7 @@ type: integer -- -*`srx.time-count`*:: +*`juniper.srx.time_count`*:: + -- time count @@ -89027,7 +89027,7 @@ type: integer -- -*`srx.time-period`*:: +*`juniper.srx.time_period`*:: + -- time period @@ -89037,7 +89037,7 @@ type: integer -- -*`srx.context-value`*:: +*`juniper.srx.context_value`*:: + -- context value @@ -89047,7 +89047,7 @@ type: keyword -- -*`srx.context-name`*:: +*`juniper.srx.context_name`*:: + -- context name 
@@ -89057,7 +89057,7 @@ type: keyword -- -*`srx.ruleebase-name`*:: +*`juniper.srx.ruleebase_name`*:: + -- ruleebase name @@ -89067,7 +89067,7 @@ type: keyword -- -*`srx.interface-name`*:: +*`juniper.srx.interface_name`*:: + -- interface name @@ -89077,7 +89077,7 @@ type: keyword -- -*`srx.verdict-source`*:: +*`juniper.srx.verdict_source`*:: + -- verdict source @@ -89087,7 +89087,7 @@ type: keyword -- -*`srx.verdict-number`*:: +*`juniper.srx.verdict_number`*:: + -- verdict number @@ -89097,7 +89097,7 @@ type: integer -- -*`srx.http-host`*:: +*`juniper.srx.http_host`*:: + -- http host @@ -89107,7 +89107,7 @@ type: keyword -- -*`srx.file-category`*:: +*`juniper.srx.file_category`*:: + -- file category @@ -89117,7 +89117,7 @@ type: keyword -- -*`srx.sample-sha256`*:: +*`juniper.srx.sample_sha256`*:: + -- sample sha256 @@ -89127,7 +89127,7 @@ type: keyword -- -*`srx.malware-info`*:: +*`juniper.srx.malware_info`*:: + -- malware info @@ -89137,7 +89137,7 @@ type: keyword -- -*`srx.client-ip`*:: +*`juniper.srx.client_ip`*:: + -- client ip @@ -89147,7 +89147,7 @@ type: ip -- -*`srx.tenant-id`*:: +*`juniper.srx.tenant_id`*:: + -- tenant id @@ -89157,7 +89157,7 @@ type: keyword -- -*`srx.timestamp`*:: +*`juniper.srx.timestamp`*:: + -- timestamp @@ -89167,7 +89167,7 @@ type: date -- -*`srx.th`*:: +*`juniper.srx.th`*:: + -- th @@ -89177,7 +89177,7 @@ type: keyword -- -*`srx.status`*:: +*`juniper.srx.status`*:: + -- status @@ -89187,7 +89187,7 @@ type: keyword -- -*`srx.state`*:: +*`juniper.srx.state`*:: + -- state @@ -89197,7 +89197,7 @@ type: keyword -- -*`srx.file-hash-lookup`*:: +*`juniper.srx.file_hash_lookup`*:: + -- file hash lookup @@ -89207,7 +89207,7 @@ type: keyword -- -*`srx.file-name`*:: +*`juniper.srx.file_name`*:: + -- file name @@ -89217,7 +89217,7 @@ type: keyword -- -*`srx.action-detail`*:: +*`juniper.srx.action_detail`*:: + -- action detail @@ -89227,7 +89227,7 @@ type: keyword -- -*`srx.sub-category`*:: +*`juniper.srx.sub_category`*:: + -- sub category 
@@ -89237,7 +89237,7 @@ type: keyword -- -*`srx.feed-name`*:: +*`juniper.srx.feed_name`*:: + -- feed name @@ -89247,7 +89247,7 @@ type: keyword -- -*`srx.occur-count`*:: +*`juniper.srx.occur_count`*:: + -- occur count @@ -89257,7 +89257,7 @@ type: integer -- -*`srx.tag`*:: +*`juniper.srx.tag`*:: + -- system log message tag, which uniquely identifies the message. diff --git a/x-pack/filebeat/module/juniper/fields.go b/x-pack/filebeat/module/juniper/fields.go index 3866229dded9..a430581f58c5 100644 --- a/x-pack/filebeat/module/juniper/fields.go +++ b/x-pack/filebeat/module/juniper/fields.go @@ -19,5 +19,5 @@ func init() { // AssetJuniper returns asset data. // This is the base64 encoded gzipped contents of module/juniper. func AssetJuniper() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/juniper/srx/_meta/fields.yml b/x-pack/filebeat/module/juniper/srx/_meta/fields.yml index c847cfcf2cf9..28ee08472495 100644 --- a/x-pack/filebeat/module/juniper/srx/_meta/fields.yml +++ b/x-pack/filebeat/module/juniper/srx/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: srx +- name: juniper.srx type: group release: beta default_field: false 
@@ -11,162 +11,162 @@ description: > reason - - name: source-address + - name: source_address type: ip description: > source address - - name: source-port + - name: source_port type: integer description: > source port - - name: destination-address + - name: destination_address type: ip description: > destination address - - name: destination-port + - name: destination_port type: integer description: > destination port - - name: connection-tag + - name: connection_tag type: keyword description: > connection tag - - name: service-name + - name: service_name type: keyword description: > service name - - name: nat-source-address + - name: nat_source_address type: ip description: > nat source address - - name: nat-source-port + - name: nat_source_port type: integer description: > nat source port - - name: nat-destination-address + - name: nat_destination_address type: ip description: > nat destination address - - name: nat-destination-port + - name: nat_destination_port type: integer description: > nat destination port - - name: nat-connection-tag + - name: nat_connection_tag type: keyword description: > nat connection tag - - name: src-nat-rule-type + - name: src_nat_rule_type type: keyword description: > src nat rule type - - name: src-nat-rule-name + - name: src_nat_rule_name type: keyword description: > src nat rule name - - name: dst-nat-rule-type + - name: dst_nat_rule_type type: keyword description: > dst nat rule type - - name: dst-nat-rule-name + - name: dst_nat_rule_name type: keyword description: > dst nat rule name - - name: protocol-id + - name: protocol_id type: keyword description: > protocol id - - name: policy-name + - name: policy_name type: keyword description: > policy name - - name: source-zone-name + - name: source_zone_name type: keyword description: > source zone name - - name: source-zone + - name: source_zone type: keyword description: > source zone - - name: destination-zone-name + - name: destination_zone_name type: keyword description: > 
destination zone name - - name: destination-zone + - name: destination_zone type: keyword description: > destination zone - - name: session-id-32 + - name: session_id_32 type: keyword description: > session id 32 - - name: session-id + - name: session_id type: keyword description: > session id - - name: packets-from-client + - name: packets_from_client type: integer description: > packets from client - - name: outbound-packets + - name: outbound_packets type: integer description: > packets from client - - name: bytes-from-client + - name: bytes_from_client type: integer description: > bytes from client - - name: outbound-bytes + - name: outbound_bytes type: integer description: > bytes from client - - name: packets-from-server + - name: packets_from_server type: integer description: > packets from server - - name: inbound-packets + - name: inbound_packets type: integer description: > packets from server - - name: bytes-from-server + - name: bytes_from_server type: integer description: > bytes from server - - name: inbound-bytes + - name: inbound_bytes type: integer description: > bytes from server - - name: elapsed-time + - name: elapsed_time type: date description: > elapsed time @@ -176,7 +176,7 @@ description: > application - - name: nested-application + - name: nested_application type: keyword description: > nested application @@ -191,7 +191,7 @@ description: > roles - - name: packet-incoming-interface + - name: packet_incoming_interface type: keyword description: > packet incoming interface 
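Review bot: The renamed `elapsed_time` entry at the end of the `@@ -11,162 +11,162 @@` hunk keeps `type: date`, although an elapsed time reads as a duration rather than a point in time. If the SRX value is a count of seconds, as I would expect for session-close logs, a date mapping would index it as an epoch timestamp close to 1970 and make range queries on session length misleading. Consider `type: long` here and confirm against the sample in `flow.log`. Separately, the descriptions for `outbound_packets` and `outbound_bytes` still say `packets from client` and `bytes from client`, the same text as the `*_from_client` fields, which looks like a copy-paste worth correcting while these lines are being touched.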
@@ -201,57 +201,57 @@ description: > encrypted - - name: application-category + - name: application_category type: keyword description: > application category - - name: application-sub-category + - name: application_sub_category type: keyword description: > application sub category - - name: application-risk + - name: application_risk type: integer description: > application risk - - name: urlcategory-risk + - name: urlcategory_risk type: integer description: > urlcategory risk - - name: application-characteristics + - name: application_characteristics type: keyword description: > application characteristics - - name: secure-web-proxy-session-type + - name: secure_web_proxy_session_type type: keyword description: > secure web proxy session type - - name: peer-session-id + - name: peer_session_id type: keyword description: > peer session id - - name: peer-source-address + - name: peer_source_address type: ip description: > peer source address - - name: peer-source-port + - name: peer_source_port type: integer description: > peer source port - - name: peer-destination-address + - name: peer_destination_address type: ip description: > peer destination address - - name: peer-destination-port + - name: peer_destination_port type: integer description: > peer destination port @@ -261,17 +261,17 @@ description: > hostname - - name: src-vrf-grp + - name: src_vrf_grp type: keyword description: > - src-vrf-grp + src_vrf_grp - - name: dst-vrf-grp + - name: dst_vrf_grp type: keyword description: > - dst-vrf-grp + dst_vrf_grp - - name: icmp-type + - name: icmp_type type: integer description: > icmp type 
@@ -281,47 +281,47 @@ description: > process that generated the message - - name: apbr-rule-type + - name: apbr_rule_type type: keyword description: > apbr rule type - - name: dscp-value + - name: dscp_value type: integer description: > apbr rule type - - name: logical-system-name + - name: logical_system_name type: keyword description: > logical system name - - name: destination-interface-name + - name: destination_interface_name type: keyword description: > destination interface name - - name: profile-name + - name: profile_name type: keyword description: > profile name - - name: routing-instance + - name: routing_instance type: keyword description: > routing instance - - name: rule-name + - name: rule_name type: keyword description: > rule name - - name: uplink-tx-bytes + - name: uplink_tx_bytes type: integer description: > uplink tx bytes - - name: uplink-rx-bytes + - name: uplink_rx_bytes type: integer description: > uplink rx bytes @@ -351,25 +351,25 @@ description: > filename - - name: temporary-filename + - name: temporary_filename type: keyword description: > - temporary-filename + temporary_filename - name: name type: keyword description: > name - - name: error-message + - name: error_message type: keyword description: > - error-message + error_message - - name: error-code + - name: error_code type: keyword description: > - error-code + error_code - name: action type: keyword @@ -381,7 +381,7 @@ description: > protocol - - name: protocol-name + - name: protocol_name type: keyword description: > protocol name @@ -391,7 +391,7 @@ description: > type - - name: repeat-count + - name: repeat_count type: integer description: > repeat count 
@@ -401,22 +401,22 @@ description: > repeat alert - - name: message-type + - name: message_type type: keyword description: > message type - - name: threat-severity + - name: threat_severity type: keyword description: > threat severity - - name: application-name + - name: application_name type: keyword description: > application name - - name: attack-name + - name: attack_name type: keyword description: > attack name 
@@ -431,112 +431,112 @@ description: > mesagge - - name: epoch-time + - name: epoch_time type: date description: > epoch time - - name: packet-log-id + - name: packet_log_id type: integer description: > packet log id - - name: export-id + - name: export_id type: integer description: > packet log id - - name: ddos-application-name + - name: ddos_application_name type: keyword description: > ddos application name - - name: connection-hit-rate + - name: connection_hit_rate type: integer description: > connection hit rate - - name: time-scope + - name: time_scope type: keyword description: > time scope - - name: context-hit-rate + - name: context_hit_rate type: integer description: > context hit rate - - name: context-value-hit-rate + - name: context_value_hit_rate type: integer description: > context value hit rate - - name: time-count + - name: time_count type: integer description: > time count - - name: time-period + - name: time_period type: integer description: > time period - - name: context-value + - name: context_value type: keyword description: > context value - - name: context-name + - name: context_name type: keyword description: > context name - - name: ruleebase-name + - name: ruleebase_name type: keyword description: > ruleebase name - - name: interface-name + - name: interface_name type: keyword description: > interface name - - name: verdict-source + - name: verdict_source type: keyword description: > verdict source - - name: verdict-number + - name: verdict_number type: integer description: > verdict number - - name: http-host + - name: http_host type: keyword description: > http host - - name: file-category + - name: file_category type: keyword description: > file category - - name: sample-sha256 + - name: sample_sha256 type: keyword description: > sample sha256 - - name: malware-info + - name: malware_info type: keyword description: > malware info - - name: client-ip + - name: client_ip type: ip description: > client ip - - name: tenant-id + - name: 
tenant_id type: keyword description: > tenant id @@ -561,32 +561,32 @@ description: > state - - name: file-hash-lookup + - name: file_hash_lookup type: keyword description: > file hash lookup - - name: file-name + - name: file_name type: keyword description: > file name - - name: action-detail + - name: action_detail type: keyword description: > action detail - - name: sub-category + - name: sub_category type: keyword description: > sub category - - name: feed-name + - name: feed_name type: keyword description: > feed name - - name: occur-count + - name: occur_count type: integer description: > occur count diff --git a/x-pack/filebeat/module/juniper/srx/ingest/atp.yml b/x-pack/filebeat/module/juniper/srx/ingest/atp.yml index 20c035778eb8..3a0ad4e63bc1 100644 --- a/x-pack/filebeat/module/juniper/srx/ingest/atp.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/atp.yml @@ -25,7 +25,7 @@ processors: field: event.type value: - info - - diened + - denied - connection if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'" - append: 
@@ -44,26 +44,26 @@ processors: ## ECS Server/Destination Mapping ## #################################### - rename: - field: juniper.srx.destination-address + field: juniper.srx.destination_address target_field: destination.ip ignore_missing: true - if: "ctx.juniper?.srx['destination-address'] != null" + if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: juniper.srx.nat-destination-address + field: juniper.srx.nat_destination_address target_field: destination.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-address'] != null" + if: "ctx.juniper?.srx?.nat_destination_address != null" - convert: - field: juniper.srx.destination-port + field: juniper.srx.destination_port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['destination-port'] != null" + if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port value: '{{destination.port}}' @@ -76,12 +76,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: juniper.srx.nat-destination-port + field: juniper.srx.nat_destination_port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-port'] != null" + if: "ctx.juniper?.srx?.nat_destination_port != null" - set: field: server.nat.port value: '{{destination.nat.port}}' @@ -94,12 +94,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: juniper.srx.bytes-from-server + field: juniper.srx.bytes_from_server target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['bytes-from-server'] != null" + if: "ctx.juniper?.srx?.bytes_from_server != null" - set: field: server.bytes value: '{{destination.bytes}}' 
@@ -112,12 +112,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: juniper.srx.packets-from-server + field: juniper.srx.packets_from_server target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['packets-from-server'] !=null" + if: "ctx.juniper?.srx?.packets_from_server != null" - set: field: server.packets value: '{{destination.packets}}' @@ -134,31 +134,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: juniper.srx.source-address + field: juniper.srx.source_address target_field: source.ip ignore_missing: true - if: "ctx.juniper?.srx['source-address'] != null" + if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: juniper.srx.nat-source-address + field: juniper.srx.nat_source_address target_field: source.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-source-address'] != null" + if: "ctx.juniper?.srx?.nat_source_address != null" - rename: field: juniper.srx.sourceip target_field: source.ip ignore_missing: true if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: juniper.srx.source-port + field: juniper.srx.source_port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['source-port'] != null" + if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port value: '{{source.port}}' @@ -171,12 +171,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: juniper.srx.nat-source-port + field: juniper.srx.nat_source_port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-source-port'] != null" + if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port value: '{{source.nat.port}}' 
@@ -189,12 +189,12 @@ processors: ignore_missing: true if: "ctx.client?.nat?.port != null" - convert: - field: juniper.srx.bytes-from-client + field: juniper.srx.bytes_from_client target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['bytes-from-client'] != null" + if: "ctx.juniper?.srx?.bytes_from_client != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -207,12 +207,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: juniper.srx.packets-from-client + field: juniper.srx.packets_from_client target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['packets-from-client'] != null" + if: "ctx.juniper?.srx?.packets_from_client != null" - set: field: client.packets value: '{{source.packets}}' @@ -231,32 +231,32 @@ processors: if: "ctx.juniper?.srx?.username != null" - rename: field: juniper.srx.hostname - target_field: source.address + target_field: source.domain ignore_missing: true if: "ctx.juniper?.srx?.hostname != null" - rename: - field: juniper.srx.client-ip + field: juniper.srx.client_ip target_field: source.ip ignore_missing: true - if: "ctx.juniper?.srx['client-ip'] != null" + if: "ctx.juniper?.srx?.client_ip != null" ###################### ## ECS URL Mapping ## ###################### - rename: - field: juniper.srx.http-host + field: juniper.srx.http_host target_field: url.domain ignore_missing: true - if: "ctx.juniper?.srx['http-host'] != null" + if: "ctx.juniper?.srx?.http_host != null" ############################# ## ECS Network/Geo Mapping ## ############################# - rename: - field: juniper.srx.protocol-id + field: juniper.srx.protocol_id target_field: network.iana_number ignore_missing: true - if: "ctx.juniper?.srx['protocol-id'] != null" + if: "ctx.juniper?.srx?.protocol_id != null" - geoip: field: source.ip target_field: source.geo 
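Review bot: In the `@@ -231,32 +231,32 @@` hunk of `atp.yml`, the `rename` of `juniper.srx.client_ip` to `source.ip` is the third processor in this pipeline that targets `source.ip`, after the renames of `source_address` and `sourceip` in the earlier hunk. The Elasticsearch `rename` processor raises when the target field already exists, so an event carrying two of these keys would drop into the `on_failure` handler and lose the rest of its ECS mapping. Whether a single ATP record can carry more than one of them is not visible here, so treat this as something to confirm against `atp.log`. A guard on the later renames would make the pipeline tolerant either way, e.g. `if: "ctx.juniper?.srx?.client_ip != null && ctx.source?.ip == null"`.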
@@ -333,14 +333,14 @@ processors: ############# - remove: field: - - juniper.srx.destination-port - - juniper.srx.nat-destination-port - - juniper.srx.bytes-from-client - - juniper.srx.packets-from-client - - juniper.srx.source-port - - juniper.srx.nat-source-port - - juniper.srx.bytes-from-server - - juniper.srx.packets-from-server + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/juniper/srx/ingest/flow.yml b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml index e38f3e096f19..d0bfcdb3035d 100644 --- a/x-pack/filebeat/module/juniper/srx/ingest/flow.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml @@ -14,10 +14,10 @@ processors: field: event.category value: network - rename: - field: juniper.srx.application-risk + field: juniper.srx.application_risk target_field: event.risk_score ignore_missing: true - if: "ctx.juniper?.srx['application-risk'] != null" + if: "ctx.juniper?.srx?.application_risk != null" - append: field: event.type value: 
@@ -55,30 +55,30 @@ processors: ## ECS Server/Destination Mapping ## #################################### - rename: - field: juniper.srx.destination-address + field: juniper.srx.destination_address target_field: destination.ip ignore_missing: true - if: "ctx.juniper?.srx['destination-address'] != null" + if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: juniper.srx.nat-destination-address + field: juniper.srx.nat_destination_address target_field: destination.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-address'] != null" + if: "ctx.juniper?.srx?.nat_destination_address != null" - convert: - field: juniper.srx.destination-port + field: juniper.srx.destination_port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['destination-port'] != null" + if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port value: '{{destination.port}}' - if: "ctx.destination?.port != null" + if: "ctx?.destination?.port != null" - convert: field: server.port target_field: server.port @@ -87,12 +87,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: juniper.srx.nat-destination-port + field: juniper.srx.nat_destination_port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-port'] != null" + if: "ctx.juniper?.srx?.nat_destination_port != null" - set: field: server.nat.port value: '{{destination.nat.port}}' 
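Review bot: The `server.port` condition in the flow.yml hunk at -55,30 was changed to `ctx?.destination?.port != null`, which now differs from the neighbouring `ctx.destination?.ip != null` a few lines above it. The ingest document is always present in a processor condition, so the leading `?.` on `ctx` guards nothing. Keeping `if: "ctx.destination?.port != null"` would leave the destination block consistent; the processor list itself continues outside the hunk.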
@@ -105,12 +105,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: juniper.srx.bytes-from-server + field: juniper.srx.bytes_from_server target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['bytes-from-server'] != null" + if: "ctx.juniper?.srx?.bytes_from_server != null" - set: field: server.bytes value: '{{destination.bytes}}' @@ -123,12 +123,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: juniper.srx.packets-from-server + field: juniper.srx.packets_from_server target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['packets-from-server'] !=null" + if: "ctx.juniper?.srx?.packets_from_server != null" - set: field: server.packets value: '{{destination.packets}}' @@ -145,31 +145,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: juniper.srx.source-address + field: juniper.srx.source_address target_field: source.ip ignore_missing: true - if: "ctx.juniper?.srx['source-address'] != null" + if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: juniper.srx.nat-source-address + field: juniper.srx.nat_source_address target_field: source.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-source-address'] != null" + if: "ctx.juniper?.srx?.nat_source_address != null" - rename: field: juniper.srx.sourceip target_field: source.ip ignore_missing: true if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: juniper.srx.source-port + field: juniper.srx.source_port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['source-port'] != null" + if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port value: '{{source.port}}' 
@@ -182,12 +182,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: juniper.srx.nat-source-port + field: juniper.srx.nat_source_port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-source-port'] != null" + if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port value: '{{source.nat.port}}' @@ -200,12 +200,12 @@ processors: ignore_missing: true if: "ctx.client?.nat?.port != null" - convert: - field: juniper.srx.bytes-from-client + field: juniper.srx.bytes_from_client target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['bytes-from-client'] != null" + if: "ctx.juniper?.srx?.bytes_from_client != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -218,12 +218,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: juniper.srx.packets-from-client + field: juniper.srx.packets_from_client target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['packets-from-client'] != null" + if: "ctx.juniper?.srx?.packets_from_client != null" - set: field: client.packets value: '{{source.packets}}' @@ -245,19 +245,19 @@ processors: ## ECS Rule Mapping ## ###################### - rename: - field: juniper.srx.policy-name + field: juniper.srx.policy_name target_field: rule.name ignore_missing: true - if: "ctx.juniper?.srx['policy-name'] != null" + if: "ctx.juniper?.srx?.policy_name != null" ############################# ## ECS Network/Geo Mapping ## ############################# - rename: - field: juniper.srx.protocol-id + field: juniper.srx.protocol_id target_field: network.iana_number ignore_missing: true - if: "ctx.juniper?.srx['protocol-id'] != null" + if: "ctx.juniper?.srx?.protocol_id != null" - geoip: field: source.ip target_field: source.geo 
@@ -330,12 +330,12 @@ processors: ignore_missing: true - script: lang: painless - source: "ctx['network']['bytes'] = ctx.source.bytes + ctx.destination.bytes" + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" ignore_failure: true - script: lang: painless - source: "ctx['network']['packets'] = ctx.client.packets + ctx.server.packets" + source: "ctx.network.packets = ctx.client.packets + ctx.server.packets" if: "ctx?.client?.packets != null && ctx?.server?.packets != null" ignore_failure: true @@ -364,14 +364,14 @@ processors: ############# - remove: field: - - juniper.srx.destination-port - - juniper.srx.nat-destination-port - - juniper.srx.bytes-from-client - - juniper.srx.packets-from-client - - juniper.srx.source-port - - juniper.srx.nat-source-port - - juniper.srx.bytes-from-server - - juniper.srx.packets-from-server + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/juniper/srx/ingest/idp.yml b/x-pack/filebeat/module/juniper/srx/ingest/idp.yml index 4b4dc3f8fe04..808185410d7b 100644 --- a/x-pack/filebeat/module/juniper/srx/ingest/idp.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/idp.yml @@ -25,7 +25,7 @@ processors: field: event.type value: - info - - diened + - denied - connection if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' - append: 
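Review bot: Both painless scripts in the flow.yml hunk at -330,12 assign into `ctx.network` without checking that the object exists, and `ignore_failure: true` hides the resulting null-pointer error, so `network.bytes` and `network.packets` can be silently absent. In the hunks visible here `network` is only created by the conditional `protocol_id` rename, though processors outside the hunk may create it earlier. I would either extend the conditions with `ctx?.network != null` or start each script with `if (ctx.network == null) { ctx.network = new HashMap(); }`. The byte total reads `source`/`destination` while the packet total reads `client`/`server`; using one pair for both would be easier to follow.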
@@ -48,26 +48,26 @@ processors: ## ECS Server/Destination Mapping ## #################################### - rename: - field: juniper.srx.destination-address + field: juniper.srx.destination_address target_field: destination.ip ignore_missing: true - if: "ctx.juniper?.srx['destination-address'] != null" + if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: juniper.srx.nat-destination-address + field: juniper.srx.nat_destination_address target_field: destination.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-address'] != null" + if: "ctx.juniper?.srx?.nat_destination_address != null" - convert: - field: juniper.srx.destination-port + field: juniper.srx.destination_port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['destination-port'] != null" + if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port value: '{{destination.port}}' @@ -80,12 +80,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: juniper.srx.nat-destination-port + field: juniper.srx.nat_destination_port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-port'] != null" + if: "ctx.juniper?.srx['nat_destination_port'] != null" - set: field: server.nat.port value: '{{destination.nat.port}}' @@ -98,12 +98,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: juniper.srx.inbound-bytes + field: juniper.srx.inbound_bytes target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['inbound-bytes'] != null" + if: "ctx.juniper?.srx?.inbound_bytes != null" - set: field: server.bytes value: '{{destination.bytes}}' 
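Review bot: The new `nat_destination_port` condition in the idp.yml hunk at -80,12 still uses bracket access, `ctx.juniper?.srx['nat_destination_port'] != null`, which indexes into `srx` without a null check and throws when `juniper` or `srx` is missing. Every other condition touched by this commit moved to the null-safe form, so this looks like a missed edit; it should read `if: "ctx.juniper?.srx?.nat_destination_port != null"`. The processor's `ignore_failure: true` may not cover an exception raised while evaluating the condition itself, so the guard is worth having. The `inbound_packets` condition in the later -116,12 hunk, and the `packets_from_server` conditions in ids.yml, secintel.yml and utm.yml, keep `!=null` without a space and could be normalised in the same pass.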
@@ -116,12 +116,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: juniper.srx.inbound-packets + field: juniper.srx.inbound_packets target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['inbound-packets'] !=null" + if: "ctx.juniper?.srx?.inbound_packets !=null" - set: field: server.packets value: '{{destination.packets}}' @@ -138,31 +138,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: juniper.srx.source-address + field: juniper.srx.source_address target_field: source.ip ignore_missing: true - if: "ctx.juniper?.srx['source-address'] != null" + if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: juniper.srx.nat-source-address + field: juniper.srx.nat_source_address target_field: source.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-source-address'] != null" + if: "ctx.juniper?.srx?.nat_source_address != null" - rename: field: juniper.srx.sourceip target_field: source.ip ignore_missing: true if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: juniper.srx.source-port + field: juniper.srx.source_port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['source-port'] != null" + if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port value: '{{source.port}}' @@ -175,12 +175,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: juniper.srx.nat-source-port + field: juniper.srx.nat_source_port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-source-port'] != null" + if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port value: '{{source.nat.port}}' 
@@ -193,12 +193,12 @@ processors: ignore_missing: true if: "ctx.client?.nat?.port != null" - convert: - field: juniper.srx.outbound-bytes + field: juniper.srx.outbound_bytes target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['outbound-bytes'] != null" + if: "ctx.juniper?.srx?.outbound_bytes != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -211,12 +211,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: juniper.srx.outbound-packets + field: juniper.srx.outbound_packets target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['packets-from-client'] != null" + if: "ctx.juniper?.srx?.outbound_packets != null" - set: field: client.packets value: '{{source.packets}}' @@ -238,24 +238,24 @@ processors: ## ECS Rule Mapping ## ###################### - rename: - field: juniper.srx.rulebase-name + field: juniper.srx.rulebase_name target_field: rule.name ignore_missing: true - if: "ctx.juniper?.srx['rulebase-name'] != null" + if: "ctx.juniper?.srx?.rulebase_name != null" - rename: - field: juniper.srx.rule-name + field: juniper.srx.rule_name target_field: rule.id ignore_missing: true - if: "ctx.juniper?.srx['rule-name'] != null" + if: "ctx.juniper?.srx?.rule_name != null" ######################### ## ECS Network Mapping ## ######################### - rename: - field: juniper.srx.protocol-name + field: juniper.srx.protocol_name target_field: network.protocol ignore_missing: true - if: "ctx.juniper?.srx['protocol-name'] != null" + if: "ctx.juniper?.srx?.protocol_name != null" ######################### ## ECS message Mapping ## 
@@ -271,14 +271,14 @@ processors: ############# - remove: field: - - juniper.srx.destination-port - - juniper.srx.nat-destination-port - - juniper.srx.outbound-bytes - - juniper.srx.outbound-packets - - juniper.srx.source-port - - juniper.srx.nat-source-port - - juniper.srx.inbound-bytes - - juniper.srx.inbound-packets + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.outbound_bytes + - juniper.srx.outbound_packets + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.inbound_bytes + - juniper.srx.inbound_packets ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/juniper/srx/ingest/ids.yml b/x-pack/filebeat/module/juniper/srx/ingest/ids.yml index 3b02a1ca3070..039fdd64ccb0 100644 --- a/x-pack/filebeat/module/juniper/srx/ingest/ids.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/ids.yml @@ -25,7 +25,7 @@ processors: field: event.type value: - info - - diened + - denied - connection if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' - append: 
@@ -37,65 +37,65 @@ processors: - set: field: event.action value: flood_detected - if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP based!"].contains(ctx.juniper?.srx["attack-name"])' + if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP based!"].contains(ctx.juniper?.srx?.attack_name)' - set: field: event.action value: scan_detected - if: "ctx.juniper?.srx['attack-name'] == 'TCP port scan!'" + if: "ctx.juniper?.srx?.attack_name == 'TCP port scan!'" - set: field: event.action value: sweep_detected - if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.juniper?.srx["attack-name"])' + if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.juniper?.srx?.attack_name)' - set: field: event.action value: fragment_detected - if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.juniper?.srx["attack-name"])' + if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.juniper?.srx?.attack_name)' - set: field: event.action value: spoofing_detected - if: "ctx.juniper?.srx['attack-name'] == 'IP spoofing!'" + if: "ctx.juniper?.srx?.attack_name == 'IP spoofing!'" - set: field: event.action value: session_limit_detected - if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.juniper?.srx["attack-name"])' + if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.juniper?.srx?.attack_name)' - set: field: event.action value: attack_detected - if: '["Land attack!", "WinNuke attack!"].contains(ctx.juniper?.srx["attack-name"])' + if: '["Land attack!", "WinNuke attack!"].contains(ctx.juniper?.srx?.attack_name)' - set: field: event.action value: illegal_tcp_flag_detected - if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.juniper?.srx["attack-name"])' + if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.juniper?.srx?.attack_name)' - set: field: event.action value: 
tunneling_screen - if: ctx.juniper?.srx['attack-name'].startsWith('Tunnel') + if: "ctx.juniper?.srx?.attack_name.startsWith('Tunnel')" #################################### ## ECS Server/Destination Mapping ## #################################### - rename: - field: juniper.srx.destination-address + field: juniper.srx.destination_address target_field: destination.ip ignore_missing: true - if: "ctx.juniper?.srx['destination-address'] != null" + if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: juniper.srx.nat-destination-address + field: juniper.srx.nat_destination_address target_field: destination.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-address'] != null" + if: "ctx.juniper?.srx?.nat_destination_address != null" - convert: - field: juniper.srx.destination-port + field: juniper.srx.destination_port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['destination-port'] != null" + if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port value: '{{destination.port}}' @@ -108,12 +108,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: juniper.srx.nat-destination-port + field: juniper.srx.nat_destination_port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-port'] != null" + if: "ctx.juniper?.srx?.nat_destination_port != null" - set: field: server.nat.port value: '{{destination.nat.port}}' 
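Review bot: The `tunneling_screen` condition at the end of the event.action block calls `.startsWith('Tunnel')` directly on `attack_name`, so a record without that field raises a null-pointer error in the condition instead of skipping the processor. The `?.` in front of `attack_name` only guards `srx`, not the value the method is called on. I would write `if: "ctx.juniper?.srx?.attack_name != null && ctx.juniper.srx.attack_name.startsWith('Tunnel')"`. The field comes from device syslog text, and a record that fails here presumably falls through to the `on_failure` handler without its `event.action`, which matters for detections keyed on that field.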
@@ -126,12 +126,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: juniper.srx.bytes-from-server + field: juniper.srx.bytes_from_server target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['bytes-from-server'] != null" + if: "ctx.juniper?.srx?.bytes_from_server != null" - set: field: server.bytes value: '{{destination.bytes}}' @@ -144,12 +144,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: juniper.srx.packets-from-server + field: juniper.srx.packets_from_server target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['packets-from-server'] !=null" + if: "ctx.juniper?.srx?.packets_from_server !=null" - set: field: server.packets value: '{{destination.packets}}' @@ -166,31 +166,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: juniper.srx.source-address + field: juniper.srx.source_address target_field: source.ip ignore_missing: true - if: "ctx.juniper?.srx['source-address'] != null" + if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: juniper.srx.nat-source-address + field: juniper.srx.nat_source_address target_field: source.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-source-address'] != null" + if: "ctx.juniper?.srx?.nat_source_address != null" - rename: field: juniper.srx.sourceip target_field: source.ip ignore_missing: true if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: juniper.srx.source-port + field: juniper.srx.source_port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['source-port'] != null" + if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port value: '{{source.port}}' 
@@ -203,12 +203,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: juniper.srx.nat-source-port + field: juniper.srx.nat_source_port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-source-port'] != null" + if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port value: '{{source.nat.port}}' @@ -221,12 +221,12 @@ processors: ignore_missing: true if: "ctx.client?.nat?.port != null" - convert: - field: juniper.srx.bytes-from-client + field: juniper.srx.bytes_from_client target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['bytes-from-client'] != null" + if: "ctx.juniper?.srx?.bytes_from_client != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -239,12 +239,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: juniper.srx.packets-from-client + field: juniper.srx.packets_from_client target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['packets-from-client'] != null" + if: "ctx.juniper?.srx?.packets_from_client != null" - set: field: client.packets value: '{{source.packets}}' @@ -266,10 +266,10 @@ processors: ## ECS Network/Geo Mapping ## ############################# - rename: - field: juniper.srx.protocol-id + field: juniper.srx.protocol_id target_field: network.iana_number ignore_missing: true - if: "ctx.juniper?.srx['protocol-id'] != null" + if: "ctx.juniper?.srx?.protocol_id != null" - geoip: field: source.ip target_field: source.geo 
@@ -347,14 +347,14 @@ processors: ############# - remove: field: - - juniper.srx.destination-port - - juniper.srx.nat-destination-port - - juniper.srx.bytes-from-client - - juniper.srx.packets-from-client - - juniper.srx.source-port - - juniper.srx.nat-source-port - - juniper.srx.bytes-from-server - - juniper.srx.packets-from-server + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml index f0ec5dad4046..a75d81a02353 100644 --- a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml @@ -17,6 +17,12 @@ processors: ignore_failure: false trim_value: "\"" +# Removes all empty fields +- script: + lang: painless + source: >- + ctx.juniper.srx = ctx?.juniper?.srx.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('-', '_'), e -> e.getValue())); + # # Parse the date # @@ -45,11 +51,11 @@ processors: value: '{{_ingest.timestamp}}' # Can possibly be omitted if there is a solution for the equal signs and the calculation of the start time. -# -> juniper.srx.elapsed-time +# -> juniper.srx.elapsed_time - rename: - field: juniper.srx.elapsed-time + field: juniper.srx.elapsed_time target_field: juniper.srx.duration - if: "ctx.juniper?.srx['elapsed-time'] != null" + if: "ctx.juniper?.srx?.elapsed_time != null" # Sets starts, end and duration when start and duration is known - script: 
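Review bot: The comment `# Removes all empty fields` in the pipeline.yml hunk at -17,6 does not describe the added script, which rewrites every key under `juniper.srx` by replacing `-` with `_`. The script has no `if` guard and calls `.entrySet()` on `srx` without a null check, so an event for which the preceding parsing produced no `juniper.srx` throws. `Collectors.toMap` also throws on a null value and on two keys that collide after replacement (a constructed example: `source-address` and `source_address` in one message), and those keys come from the device's syslog text. A guarded loop that fills a new map avoids both; on a collision the later key wins.

```yaml
# Normalizes juniper.srx keys: '-' becomes '_'
- script:
    lang: painless
    if: "ctx.juniper?.srx != null"
    source: >-
      Map normalized = new HashMap();
      for (def entry : ctx.juniper.srx.entrySet()) {
        normalized.put(entry.getKey().replace('-', '_'), entry.getValue());
      }
      ctx.juniper.srx = normalized;
```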
@@ -144,35 +150,35 @@ processors: target_field: observer.name ignore_missing: true - rename: - field: juniper.srx.packet-incoming-interface + field: juniper.srx.packet_incoming_interface target_field: observer.ingress.interface.name ignore_missing: true - rename: - field: juniper.srx.destination-interface-name + field: juniper.srx.destination_interface_name target_field: observer.egress.interface.name ignore_missing: true - rename: - field: juniper.srx.source-interface-name + field: juniper.srx.source_interface_name target_field: observer.ingress.interface.name ignore_missing: true - rename: - field: juniper.srx.interface-name + field: juniper.srx.interface_name target_field: observer.ingress.interface.name ignore_missing: true - rename: - field: juniper.srx.source-zone-name + field: juniper.srx.source_zone_name target_field: observer.ingress.zone ignore_missing: true - rename: - field: juniper.srx.source-zone + field: juniper.srx.source_zone target_field: observer.ingress.zone ignore_missing: true - rename: - field: juniper.srx.destination-zone-name + field: juniper.srx.destination_zone_name target_field: observer.egress.zone ignore_missing: true - rename: - field: juniper.srx.destination-zone + field: juniper.srx.destination_zone target_field: observer.egress.zone ignore_missing: true - rename: @@ -199,7 +205,6 @@ processors: - juniper.srx.dstzone - juniper.srx.duration - syslog_pri - - syslog_hostname ignore_missing: true ################################ diff --git a/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml b/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml index 07f000b98f0a..f2abb2bcf9cf 100644 --- a/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/secintel.yml @@ -25,7 +25,7 @@ processors: field: event.type value: - info - - diened + - denied - connection if: "ctx.juniper?.srx?.action == 'BLOCK'" - append: 
@@ -44,26 +44,26 @@ processors: ## ECS Server/Destination Mapping ## #################################### - rename: - field: juniper.srx.destination-address + field: juniper.srx.destination_address target_field: destination.ip ignore_missing: true - if: "ctx.juniper?.srx['destination-address'] != null" + if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: juniper.srx.nat-destination-address + field: juniper.srx.nat_destination_address target_field: destination.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-address'] != null" + if: "ctx.juniper?.srx?.nat_destination_address != null" - convert: - field: juniper.srx.destination-port + field: juniper.srx.destination_port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['destination-port'] != null" + if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port value: '{{destination.port}}' @@ -76,12 +76,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: juniper.srx.nat-destination-port + field: juniper.srx.nat_destination_port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-port'] != null" + if: "ctx.juniper?.srx?.nat_destination_port != null" - set: field: server.nat.port value: '{{destination.nat.port}}' @@ -94,12 +94,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: juniper.srx.bytes-from-server + field: juniper.srx.bytes_from_server target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['bytes-from-server'] != null" + if: "ctx.juniper?.srx?.bytes_from_server != null" - set: field: server.bytes value: '{{destination.bytes}}' 
@@ -112,12 +112,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: juniper.srx.packets-from-server + field: juniper.srx.packets_from_server target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['packets-from-server'] !=null" + if: "ctx.juniper?.srx?.packets_from_server !=null" - set: field: server.packets value: '{{destination.packets}}' @@ -134,31 +134,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: juniper.srx.source-address + field: juniper.srx.source_address target_field: source.ip ignore_missing: true - if: "ctx.juniper?.srx['source-address'] != null" + if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: juniper.srx.nat-source-address + field: juniper.srx.nat_source_address target_field: source.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-source-address'] != null" + if: "ctx.juniper?.srx?.nat_source_address != null" - rename: field: juniper.srx.sourceip target_field: source.ip ignore_missing: true if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: juniper.srx.source-port + field: juniper.srx.source_port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['source-port'] != null" + if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port value: '{{source.port}}' @@ -171,12 +171,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: juniper.srx.nat-source-port + field: juniper.srx.nat_source_port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-source-port'] != null" + if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port value: '{{source.nat.port}}' 
@@ -189,12 +189,12 @@ processors: ignore_missing: true if: "ctx.client?.nat?.port != null" - convert: - field: juniper.srx.bytes-from-client + field: juniper.srx.bytes_from_client target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['bytes-from-client'] != null" + if: "ctx.juniper?.srx?.bytes_from_client != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -207,12 +207,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: juniper.srx.packets-from-client + field: juniper.srx.packets_from_client target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['packets-from-client'] != null" + if: "ctx.juniper?.srx?.packets_from_client != null" - set: field: client.packets value: '{{source.packets}}' @@ -235,28 +235,28 @@ processors: ignore_missing: true if: "ctx.juniper?.srx?.hostname != null" - rename: - field: juniper.srx.client-ip + field: juniper.srx.client_ip target_field: source.ip ignore_missing: true - if: "ctx.juniper?.srx['client-ip'] != null" + if: "ctx.juniper?.srx?.client_ip != null" ###################### ## ECS URL Mapping ## ###################### - rename: - field: juniper.srx.http-host + field: juniper.srx.http_host target_field: url.domain ignore_missing: true - if: "ctx.juniper?.srx['http-host'] != null" + if: "ctx.juniper?.srx?.http_host != null" ############################# ## ECS Network/Geo Mapping ## ############################# - rename: - field: juniper.srx.protocol-id + field: juniper.srx.protocol_id target_field: network.iana_number ignore_missing: true - if: "ctx.juniper?.srx['protocol-id'] != null" + if: "ctx.juniper?.srx?.protocol_id != null" - geoip: field: source.ip target_field: source.geo 
@@ -333,14 +333,14 @@ processors: ############# - remove: field: - - juniper.srx.destination-port - - juniper.srx.nat-destination-port - - juniper.srx.bytes-from-client - - juniper.srx.packets-from-client - - juniper.srx.source-port - - juniper.srx.nat-source-port - - juniper.srx.bytes-from-server - - juniper.srx.packets-from-server + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/juniper/srx/ingest/utm.yml b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml index 5f81907fe678..a80e5a94d970 100644 --- a/x-pack/filebeat/module/juniper/srx/ingest/utm.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml @@ -14,10 +14,10 @@ processors: field: event.category value: network - rename: - field: juniper.srx.urlcategory-risk + field: juniper.srx.urlcategory_risk target_field: event.risk_score ignore_missing: true - if: "ctx.juniper?.srx['urlcategory-risk'] != null" + if: "ctx.juniper?.srx?.urlcategory_risk != null" - set: field: event.kind value: alert @@ -30,7 +30,7 @@ processors: field: event.type value: - info - - diened + - denied - connection if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' - append: 
@@ -61,26 +61,26 @@ processors: ## ECS Server/Destination Mapping ## #################################### - rename: - field: juniper.srx.destination-address + field: juniper.srx.destination_address target_field: destination.ip ignore_missing: true - if: "ctx.juniper?.srx['destination-address'] != null" + if: "ctx.juniper?.srx?.destination_address != null" - set: field: server.ip value: '{{destination.ip}}' if: "ctx.destination?.ip != null" - rename: - field: juniper.srx.nat-destination-address + field: juniper.srx.nat_destination_address target_field: destination.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-address'] != null" + if: "ctx.juniper?.srx?.nat_destination_address != null" - convert: - field: juniper.srx.destination-port + field: juniper.srx.destination_port target_field: destination.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['destination-port'] != null" + if: "ctx.juniper?.srx?.destination_port != null" - set: field: server.port value: '{{destination.port}}' @@ -93,12 +93,12 @@ processors: ignore_missing: true if: "ctx.server?.port != null" - convert: - field: juniper.srx.nat-destination-port + field: juniper.srx.nat_destination_port target_field: destination.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-destination-port'] != null" + if: "ctx.juniper?.srx?.nat_destination_port != null" - set: field: server.nat.port value: '{{destination.nat.port}}' @@ -111,12 +111,12 @@ processors: ignore_missing: true if: "ctx.server?.nat?.port != null" - convert: - field: juniper.srx.bytes-from-server + field: juniper.srx.bytes_from_server target_field: destination.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['bytes-from-server'] != null" + if: "ctx.juniper?.srx?.bytes_from_server != null" - set: field: server.bytes value: '{{destination.bytes}}' 
@@ -129,12 +129,12 @@ processors: ignore_missing: true if: "ctx.server?.bytes != null" - convert: - field: juniper.srx.packets-from-server + field: juniper.srx.packets_from_server target_field: destination.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['packets-from-server'] !=null" + if: "ctx.juniper?.srx?.packets_from_server !=null" - set: field: server.packets value: '{{destination.packets}}' @@ -151,31 +151,31 @@ processors: ## ECS Client/Source Mapping ## ############################### - rename: - field: juniper.srx.source-address + field: juniper.srx.source_address target_field: source.ip ignore_missing: true - if: "ctx.juniper?.srx['source-address'] != null" + if: "ctx.juniper?.srx?.source_address != null" - set: field: client.ip value: '{{source.ip}}' if: "ctx.source?.ip != null" - rename: - field: juniper.srx.nat-source-address + field: juniper.srx.nat_source_address target_field: source.nat.ip ignore_missing: true - if: "ctx.juniper?.srx['nat-source-address'] != null" + if: "ctx.juniper?.srx?.nat_source_address != null" - rename: field: juniper.srx.sourceip target_field: source.ip ignore_missing: true if: "ctx.juniper?.srx?.sourceip != null" - convert: - field: juniper.srx.source-port + field: juniper.srx.source_port target_field: source.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['source-port'] != null" + if: "ctx.juniper?.srx?.source_port != null" - set: field: client.port value: '{{source.port}}' @@ -188,12 +188,12 @@ processors: ignore_missing: true if: "ctx.client?.port != null" - convert: - field: juniper.srx.nat-source-port + field: juniper.srx.nat_source_port target_field: source.nat.port type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['nat-source-port'] != null" + if: "ctx.juniper?.srx?.nat_source_port != null" - set: field: client.nat.port value: '{{source.nat.port}}' 
@@ -206,12 +206,12 @@ processors: ignore_missing: true if: "ctx.client?.nat?.port != null" - convert: - field: juniper.srx.bytes-from-client + field: juniper.srx.bytes_from_client target_field: source.bytes type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['bytes-from-client'] != null" + if: "ctx.juniper?.srx?.bytes_from_client != null" - set: field: client.bytes value: '{{source.bytes}}' @@ -224,12 +224,12 @@ processors: ignore_missing: true if: "ctx.client?.bytes != null" - convert: - field: juniper.srx.packets-from-client + field: juniper.srx.packets_from_client target_field: source.packets type: long ignore_failure: true ignore_missing: true - if: "ctx.juniper?.srx['packets-from-client'] != null" + if: "ctx.juniper?.srx?.packets_from_client != null" - set: field: client.packets value: '{{source.packets}}' @@ -251,10 +251,10 @@ processors: ## ECS Rule Mapping ## ###################### - rename: - field: juniper.srx.policy-name + field: juniper.srx.policy_name target_field: rule.name ignore_missing: true - if: "ctx.juniper?.srx['policy-name'] != null" + if: "ctx.juniper?.srx?.policy_name != null" ##################### ## ECS URL Mapping ## @@ -292,10 +292,10 @@ processors: ## ECS Network/Geo Mapping ## ############################# - rename: - field: juniper.srx.protocol-id + field: juniper.srx.protocol_id target_field: network.iana_number ignore_missing: true - if: "ctx.juniper?.srx['protocol-id'] != null" + if: "ctx.juniper?.srx?.protocol_id != null" - geoip: field: source.ip target_field: source.geo 
@@ -372,14 +372,14 @@ processors: ############# - remove: field: - - juniper.srx.destination-port - - juniper.srx.nat-destination-port - - juniper.srx.bytes-from-client - - juniper.srx.packets-from-client - - juniper.srx.source-port - - juniper.srx.nat-source-port - - juniper.srx.bytes-from-server - - juniper.srx.packets-from-server + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json index 42ee8ec4fc5b..fd46e00e6956 100644 --- a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json 
@@ -19,28 +19,28 @@ "network", "malware" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=\u201dcloud/blacklist/whitelist\u201d source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"", "event.outcome": "success", "event.severity": "14", "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.action": "BLOCK", - "junipersrx.firewall.file-category": "executable", - "junipersrx.firewall.policy-name": "argon_policy", - "junipersrx.firewall.process": "RT_AAMW", - "junipersrx.firewall.session-id-32": "50000002", - "junipersrx.firewall.tag": "SRX_AAMW_ACTION_LOG", - "junipersrx.firewall.verdict-number": "8", - "junipersrx.firewall.verdict-source": "\u201dcloud/blacklist/whitelist\u201d", + "juniper.srx.action": "BLOCK", + "juniper.srx.file_category": "executable", + "juniper.srx.policy_name": "argon_policy", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.session_id_32": "50000002", + "juniper.srx.tag": "SRX_AAMW_ACTION_LOG", + "juniper.srx.verdict_number": "8", + "juniper.srx.verdict_source": "\u201dcloud/blacklist/whitelist\u201d", "log.level": "informational", "log.offset": 0, "network.iana_number": "6", 
@@ -52,12 +52,12 @@ "observer.vendor": "Juniper", "server.ip": "187.19.188.200", "server.port": 80, - "service.type": "junipersrx", + "service.type": "juniper", "source.ip": "10.10.10.1", "source.port": 57116, "source.user.name": "user1", "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ], "url.domain": "www.mytest.com" }, 
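Review bot: The new `tags` value `"juniper-srx forwarded"` is a single array element containing a space, not the two tags `juniper-srx` and `forwarded`. An exact-match filter such as `tags: forwarded` will not match these events, which matters for any routing or detection rule keyed on the tag. This probably comes from the fileset's tags default being written as one string rather than a list, which is outside this hunk; if so, the default would be `default: [juniper-srx, forwarded]` and the expected files regenerated. The same value appears in every `tags` hunk of the atp and flow expectation files.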
@@ -68,39 +68,39 @@ "network", "malware" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"", "event.outcome": "success", "event.severity": "14", "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.malware-info": "Eicar:TestVirus", - "junipersrx.firewall.process": "RT_AAMW", - "junipersrx.firewall.sample-sha256": "ABC123", - "junipersrx.firewall.tag": "AAMW_MALWARE_EVENT_LOG", - "junipersrx.firewall.tenant-id": "ABC123456", - "junipersrx.firewall.timestamp": "Thu Jun 23 09:55:38 2016", - "junipersrx.firewall.verdict-number": "9", + "juniper.srx.malware_info": "Eicar:TestVirus", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.sample_sha256": "ABC123", + "juniper.srx.tag": "AAMW_MALWARE_EVENT_LOG", + "juniper.srx.tenant_id": "ABC123456", + "juniper.srx.timestamp": "Thu Jun 23 09:55:38 2016", + "juniper.srx.verdict_number": "9", "log.level": "informational", "log.offset": 529, "observer.name": "host-example", "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", - "service.type": "junipersrx", - "source.address": "host.example.com", + "service.type": "juniper", + "source.domain": "host.example.com", "source.ip": "192.0.2.0", "source.user.name": "admin", "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -109,9 +109,9 @@ "network", "malware" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"", "event.outcome": "success", "event.severity": "11", 
@@ -120,29 +120,29 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.message": "malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123", - "junipersrx.firewall.policy-name": "default", - "junipersrx.firewall.process": "RT_AAMW", - "junipersrx.firewall.reason": "malware", - "junipersrx.firewall.state": "added", - "junipersrx.firewall.status": "in_progress", - "junipersrx.firewall.tag": "AAMW_HOST_INFECTED_EVENT_LOG", - "junipersrx.firewall.tenant-id": "ABC123456", - "junipersrx.firewall.th": "7", - "junipersrx.firewall.timestamp": "Thu Jun 23 09:55:38 2016", + "juniper.srx.message": "malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123", + "juniper.srx.policy_name": "default", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.reason": "malware", + "juniper.srx.state": "added", + "juniper.srx.status": "in_progress", + "juniper.srx.tag": "AAMW_HOST_INFECTED_EVENT_LOG", + "juniper.srx.tenant_id": "ABC123456", + "juniper.srx.th": "7", + "juniper.srx.timestamp": "Thu Jun 23 09:55:38 2016", "log.level": "error", "log.offset": 835, "observer.name": "host-example", "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", - "service.type": "junipersrx", - "source.address": "host.example.com", + "service.type": "juniper", + "source.domain": "host.example.com", "source.ip": "192.0.2.0", "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -154,9 +154,9 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"", "event.outcome": "success", "event.severity": "165", 
@@ -165,21 +165,21 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.action": "PERMIT", - "junipersrx.firewall.application": "HTTP", - "junipersrx.firewall.file-category": "executable", - "junipersrx.firewall.file-hash-lookup": "FALSE", - "junipersrx.firewall.file-name": "dummy_file", - "junipersrx.firewall.malware-info": "Testfile", - "junipersrx.firewall.policy-name": "test-policy", - "junipersrx.firewall.process": "RT_AAMW", - "junipersrx.firewall.sample-sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494", - "junipersrx.firewall.session-id-32": "502156", - "junipersrx.firewall.tag": "AAMW_ACTION_LOG", - "junipersrx.firewall.url": "dummy_url", - "junipersrx.firewall.verdict-number": "10", + "juniper.srx.action": "PERMIT", + "juniper.srx.application": "HTTP", + "juniper.srx.file_category": "executable", + "juniper.srx.file_hash_lookup": "FALSE", + "juniper.srx.file_name": "dummy_file", + "juniper.srx.malware_info": "Testfile", + "juniper.srx.policy_name": "test-policy", + "juniper.srx.process": "RT_AAMW", + "juniper.srx.sample_sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494", + "juniper.srx.session_id_32": "502156", + "juniper.srx.tag": "AAMW_ACTION_LOG", + "juniper.srx.url": "dummy_url", + "juniper.srx.verdict_number": "10", "log.level": "notification", "log.offset": 1235, "network.iana_number": "6", @@ -191,10 +191,10 @@ "observer.vendor": "Juniper", "server.ip": "10.0.0.1", "server.port": 80, - "service.type": "junipersrx", - "source.address": "dummy_host", + "service.type": "juniper", "source.as.number": 13335, "source.as.organization.name": "Cloudflare, Inc.", + "source.domain": "dummy_host", "source.geo.continent_name": "Oceania", "source.geo.country_iso_code": "AU", "source.geo.location.lat": -33.494, 
@@ -202,7 +202,7 @@ "source.ip": "1.1.1.1", "source.port": 60148, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json index 5e7a13d7f227..f1be33b90e09 100644 --- a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json @@ -12,9 +12,9 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", "event.outcome": "success", "event.risk_score": "1", 
@@ -25,14 +25,14 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.connection-tag": "0", - "junipersrx.firewall.nat-connection-tag": "0", - "junipersrx.firewall.process": "RT_FLOW", - "junipersrx.firewall.service-name": "icmp", - "junipersrx.firewall.session-id-32": "6093", - "junipersrx.firewall.tag": "RT_FLOW_SESSION_CREATE", + "juniper.srx.connection_tag": "0", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "6093", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", "log.level": "informational", "log.offset": 0, "network.iana_number": "1", @@ -53,13 +53,13 @@ "server.ip": "10.128.0.1", "server.nat.port": 10400, "server.port": 10400, - "service.type": "junipersrx", + "service.type": "juniper", "source.ip": "10.0.0.1", "source.nat.ip": "10.0.0.1", "source.nat.port": 594, "source.port": 594, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { @@ -72,9 +72,9 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", "event.outcome": "success", "event.risk_score": "1", 
@@ -84,15 +84,15 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.connection-tag": "0", - "junipersrx.firewall.encrypted": "No", - "junipersrx.firewall.icmp-type": "0", - "junipersrx.firewall.process": "RT_FLOW", - "junipersrx.firewall.reason": "Denied by policy", - "junipersrx.firewall.session-id-32": "7087", - "junipersrx.firewall.tag": "RT_FLOW_SESSION_DENY", + "juniper.srx.connection_tag": "0", + "juniper.srx.encrypted": "No", + "juniper.srx.icmp_type": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "Denied by policy", + "juniper.srx.session_id_32": "7087", + "juniper.srx.tag": "RT_FLOW_SESSION_DENY", "log.level": "informational", "log.offset": 850, "network.iana_number": "17", @@ -110,11 +110,11 @@ "rule.name": "MgmtAccess-trust-cleanup", "server.ip": "10.128.0.1", "server.port": 161, - "service.type": "junipersrx", + "service.type": "juniper", "source.ip": "10.0.0.26", "source.port": 37233, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { @@ -133,9 +133,9 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"", "event.outcome": "success", "event.severity": "14", 
@@ -144,12 +144,12 @@ "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.encrypted": "No ", - "junipersrx.firewall.icmp-type": "0", - "junipersrx.firewall.process": "RT_FLOW", - "junipersrx.firewall.tag": "RT_FLOW_SESSION_DENY", + "juniper.srx.encrypted": "No ", + "juniper.srx.icmp_type": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.tag": "RT_FLOW_SESSION_DENY", "log.level": "informational", "log.offset": 1513, "network.iana_number": "6", @@ -167,7 +167,7 @@ "rule.name": "log-all-else", "server.ip": "5.6.7.8", "server.port": 2003, - "service.type": "junipersrx", + "service.type": "juniper", "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", @@ -178,7 +178,7 @@ "source.ip": "1.2.3.4", "source.port": 56639, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -204,11 +204,11 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.duration": 60000000000, "event.end": "2014-05-01T06:29:10.933-02:00", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "reason=\"unset\" source-address=\"1.2.3.4\" source-port=\"63456\" destination-address=\"5.6.7.8\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"1.2.3.4\" nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"", "event.outcome": "success", "event.severity": "14", @@ -219,13 +219,13 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.encrypted": "No ", - "junipersrx.firewall.process": "RT_FLOW", - "junipersrx.firewall.reason": "unset", - "junipersrx.firewall.session-id-32": "15353", - "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "juniper.srx.encrypted": "No ", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "unset", + "juniper.srx.session_id_32": "15353", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", "log.level": "informational", "log.offset": 1966, "network.bytes": 94, @@ -250,7 +250,7 @@ "server.nat.port": 902, "server.packets": 0, "server.port": 902, - "service.type": "junipersrx", + "service.type": "juniper", "source.bytes": 94, "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", 
@@ -265,7 +265,7 @@ "source.packets": 1, "source.port": 63456, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { @@ -285,9 +285,9 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", "event.outcome": "success", "event.severity": "14", @@ -297,12 +297,12 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.process": "RT_FLOW", - "junipersrx.firewall.service-name": "icmp", - "junipersrx.firewall.session-id-32": "100000165", - "junipersrx.firewall.tag": "RT_FLOW_SESSION_CREATE", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "100000165", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", "log.level": "informational", "log.offset": 2721, "network.iana_number": "1", @@ -323,7 +323,7 @@ "server.ip": "30.0.0.100", "server.nat.port": 768, "server.port": 768, - "service.type": "junipersrx", + "service.type": "juniper", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", "source.geo.location.lat": 37.751, 
@@ -333,7 +333,7 @@ "source.nat.port": 24065, "source.port": 24065, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { @@ -353,9 +353,9 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"", "event.outcome": "success", "event.severity": "14", @@ -365,12 +365,12 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.process": "RT_FLOW", - "junipersrx.firewall.service-name": "icmp", - "junipersrx.firewall.session-id-32": "41", - "junipersrx.firewall.tag": "RT_FLOW_SESSION_CREATE", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "41", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", "log.level": "informational", "log.offset": 3366, "network.iana_number": "1", @@ -391,13 +391,13 @@ "server.ip": "198.51.100.12", "server.nat.port": 46384, "server.port": 46384, - "service.type": "junipersrx", + "service.type": "juniper", "source.ip": "192.0.2.1", "source.nat.ip": "192.0.2.1", "source.nat.port": 1, "source.port": 1, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -421,11 +421,11 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.duration": 0, "event.end": "2010-09-30T04:55:07.188-02:00", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "reason=\"response received\" source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"", "event.outcome": "success", "event.severity": "14", @@ -436,13 +436,13 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.process": "RT_FLOW", - "junipersrx.firewall.reason": "response received", - "junipersrx.firewall.service-name": "icmp", - "junipersrx.firewall.session-id-32": "41", - "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "response received", + "juniper.srx.service_name": "icmp", + "juniper.srx.session_id_32": "41", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", "log.level": "informational", "log.offset": 3933, "network.bytes": 168, @@ -467,7 +467,7 @@ "server.nat.port": 46384, "server.packets": 1, "server.port": 46384, - "service.type": "junipersrx", + "service.type": "juniper", "source.bytes": 84, "source.ip": "192.0.2.1", "source.nat.ip": "192.0.2.1", @@ -475,7 +475,7 @@ "source.packets": 1, "source.port": 1, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -501,11 +501,11 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.duration": 1000000000, "event.end": "2019-04-12T12:29:07.576-02:00", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"8.23.224.110\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"8.23.224.110\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"", "event.outcome": "success", "event.risk_score": "4", 
@@ -517,21 +517,21 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.application": "HTTP", - "junipersrx.firewall.application-category": "Web", - "junipersrx.firewall.application-characteristics": "Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;", - "junipersrx.firewall.connection-tag": "0", - "junipersrx.firewall.encrypted": "No", - "junipersrx.firewall.nat-connection-tag": "0", - "junipersrx.firewall.process": "RT_FLOW", - "junipersrx.firewall.reason": "TCP FIN", - "junipersrx.firewall.service-name": "junos-http", - "junipersrx.firewall.session-id-32": "5", - "junipersrx.firewall.src-nat-rule-name": "nat1", - "junipersrx.firewall.src-nat-rule-type": "source rule", - "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "juniper.srx.application": "HTTP", + "juniper.srx.application_category": "Web", + "juniper.srx.application_characteristics": "Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;", + "juniper.srx.connection_tag": "0", + "juniper.srx.encrypted": "No", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "TCP FIN", + "juniper.srx.service_name": "junos-http", + "juniper.srx.session_id_32": "5", + "juniper.srx.src_nat_rule_name": "nat1", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", "log.level": "informational", "log.offset": 4637, "network.bytes": 872, @@ -556,7 +556,7 @@ "server.nat.port": 80, "server.packets": 4, "server.port": 80, - "service.type": "junipersrx", + "service.type": "juniper", "source.bytes": 337, "source.ip": "10.3.255.203", "source.nat.ip": "10.3.136.49", @@ -564,7 +564,7 @@ "source.packets": 6, "source.port": 47776, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -584,11 +584,11 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.duration": 16000000000,
 "event.end": "2019-04-13T12:33:22.576-02:00",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"",
 "event.outcome": "success",
 "event.severity": "14",
@@ -599,13 +599,13 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.reason": "TCP RST",
- "junipersrx.firewall.service-name": "junos-smb",
- "junipersrx.firewall.session-id-32": "206",
- "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.reason": "TCP RST",
+ "juniper.srx.service_name": "junos-smb",
+ "juniper.srx.session_id_32": "206",
+ "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE",
 "log.level": "informational",
 "log.offset": 5739,
 "network.bytes": 5849,
@@ -630,7 +630,7 @@
 "server.nat.port": 445,
 "server.packets": 9,
 "server.port": 445,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.bytes": 4274,
 "source.ip": "192.168.2.164",
 "source.nat.ip": "192.168.2.164",
@@ -638,7 +638,7 @@
 "source.packets": 13,
 "source.port": 53232,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -664,11 +664,11 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.duration": 8000000000,
 "event.end": "2018-10-06T23:32:28.898-02:00",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "reason=\"idle Timeout\" source-address=\"100.73.10.92\" source-port=\"52890\" destination-address=\"58.68.126.198\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"58.78.140.131\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"",
 "event.outcome": "success",
 "event.severity": "14",
@@ -679,15 +679,15 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.reason": "idle Timeout",
- "junipersrx.firewall.service-name": "junos-dns-udp",
- "junipersrx.firewall.session-id-32": "220368889",
- "junipersrx.firewall.src-nat-rule-name": "NAT_S",
- "junipersrx.firewall.src-nat-rule-type": "source rule",
- "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.reason": "idle Timeout",
+ "juniper.srx.service_name": "junos-dns-udp",
+ "juniper.srx.session_id_32": "220368889",
+ "juniper.srx.src_nat_rule_name": "NAT_S",
+ "juniper.srx.src_nat_rule_type": "source rule",
+ "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE",
 "log.level": "informational",
 "log.offset": 6497,
 "network.bytes": 208,
@@ -712,7 +712,7 @@
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 3786,
 "source.as.organization.name": "LG DACOM Corporation",
 "source.bytes": 72,
@@ -729,7 +729,7 @@
 "source.packets": 1,
 "source.port": 52890,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -755,11 +755,11 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.duration": 3000000000,
 "event.end": "2018-06-30T00:17:25.753-02:00",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"",
 "event.outcome": "success",
 "event.severity": "14",
@@ -770,15 +770,15 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.reason": "idle Timeout",
- "junipersrx.firewall.service-name": "junos-dns-udp",
- "junipersrx.firewall.session-id-32": "9621",
- "junipersrx.firewall.src-nat-rule-name": "rule001",
- "junipersrx.firewall.src-nat-rule-type": "source rule",
- "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.reason": "idle Timeout",
+ "juniper.srx.service_name": "junos-dns-udp",
+ "juniper.srx.session_id_32": "9621",
+ "juniper.srx.src_nat_rule_name": "rule001",
+ "juniper.srx.src_nat_rule_type": "source rule",
+ "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE",
 "log.level": "informational",
 "log.offset": 7350,
 "network.bytes": 183,
@@ -803,7 +803,7 @@
 "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.bytes": 67,
 "source.ip": "192.168.255.2",
 "source.nat.ip": "192.168.0.47",
@@ -811,7 +811,7 @@
 "source.packets": 1,
 "source.port": 62047,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -831,11 +831,11 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.duration": 1000000000,
 "event.end": "2015-09-25T12:19:54.846-02:00",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"",
 "event.outcome": "success",
 "event.severity": "14",
@@ -846,16 +846,16 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.dst-nat-rule-name": "NAT-Policy10",
- "junipersrx.firewall.encrypted": "No ",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.reason": "application failure or action",
- "junipersrx.firewall.service-name": "junos-ftp",
- "junipersrx.firewall.session-id-32": "24311",
- "junipersrx.firewall.src-nat-rule-name": "SNAT-Policy5",
- "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE",
+ "juniper.srx.dst_nat_rule_name": "NAT-Policy10",
+ "juniper.srx.encrypted": "No ",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.reason": "application failure or action",
+ "juniper.srx.service_name": "junos-ftp",
+ "juniper.srx.session_id_32": "24311",
+ "juniper.srx.src_nat_rule_name": "SNAT-Policy5",
+ "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE",
 "log.level": "informational",
 "log.offset": 8203,
 "network.bytes": 0,
@@ -880,7 +880,7 @@
 "server.nat.port": 21,
 "server.packets": 0,
 "server.port": 21,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.bytes": 0,
 "source.ip": "10.164.110.223",
 "source.nat.ip": "10.9.1.150",
@@ -888,7 +888,7 @@
 "source.packets": 0,
 "source.port": 9057,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
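Review bot: The expectation `"juniper.srx.encrypted": "No "` in the `@@ -846,16` hunk keeps the trailing space of the raw `encrypted="No "` value, while other records in this file yield `"No"`. An exact-match filter or aggregation on the field would treat the two as different values, so sessions from devices that pad the value drop out of a query for unencrypted traffic. I would trim the value in the ingest pipeline (a `trim` processor on the field; the pipeline is outside this hunk) and regenerate, so this line becomes `"juniper.srx.encrypted": "No",`.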
@@ -910,9 +910,9 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"",
 "event.outcome": "success",
 "event.severity": "14",
@@ -922,13 +922,13 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.service-name": "junos-ftp",
- "junipersrx.firewall.session-id-32": "5058",
- "junipersrx.firewall.src-nat-rule-name": "1",
- "junipersrx.firewall.tag": "APPTRACK_SESSION_CREATE",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.service_name": "junos-ftp",
+ "juniper.srx.session_id_32": "5058",
+ "juniper.srx.src_nat_rule_name": "1",
+ "juniper.srx.tag": "APPTRACK_SESSION_CREATE",
 "log.level": "informational",
 "log.offset": 9012,
 "network.iana_number": "6",
@@ -948,7 +948,7 @@
 "server.ip": "207.17.137.56",
 "server.nat.port": 21,
 "server.port": 21,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 7922,
 "source.as.organization.name": "Comcast Cable Communications, LLC",
 "source.geo.city_name": "Plymouth",
@@ -963,7 +963,7 @@
 "source.nat.port": 14406,
 "source.port": 3129,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -989,11 +989,11 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.duration": 0,
 "event.end": "2013-01-19T15:18:17.040-02:00",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"",
 "event.outcome": "success",
 "event.severity": "14",
@@ -1004,13 +1004,13 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.service-name": "junos-ftp",
- "junipersrx.firewall.session-id-32": "5058",
- "junipersrx.firewall.src-nat-rule-name": "1",
- "junipersrx.firewall.tag": "APPTRACK_SESSION_VOL_UPDATE",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.service_name": "junos-ftp",
+ "juniper.srx.session_id_32": "5058",
+ "juniper.srx.src_nat_rule_name": "1",
+ "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE",
 "log.level": "informational",
 "log.offset": 9631,
 "network.bytes": 48,
@@ -1034,7 +1034,7 @@
 "server.nat.port": 21,
 "server.packets": 0,
 "server.port": 21,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 7922,
 "source.as.organization.name": "Comcast Cable Communications, LLC",
 "source.bytes": 48,
@@ -1051,7 +1051,7 @@
 "source.packets": 1,
 "source.port": 3129,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -1077,11 +1077,11 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.duration": 1000000000,
 "event.end": "2013-01-19T15:18:18.040-02:00",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"",
 "event.outcome": "success",
 "event.severity": "14",
@@ -1092,15 +1092,15 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.application": "FTP",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.reason": "application failure or action",
- "junipersrx.firewall.service-name": "junos-ftp",
- "junipersrx.firewall.session-id-32": "5058",
- "junipersrx.firewall.src-nat-rule-name": "1",
- "junipersrx.firewall.tag": "APPTRACK_SESSION_CLOSE",
+ "juniper.srx.application": "FTP",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.reason": "application failure or action",
+ "juniper.srx.service_name": "junos-ftp",
+ "juniper.srx.session_id_32": "5058",
+ "juniper.srx.src_nat_rule_name": "1",
+ "juniper.srx.tag": "APPTRACK_SESSION_CLOSE",
 "log.level": "informational",
 "log.offset": 10364,
 "network.bytes": 248,
@@ -1124,7 +1124,7 @@
 "server.nat.port": 21,
 "server.packets": 2,
 "server.port": 21,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 7922,
 "source.as.organization.name": "Comcast Cable Communications, LLC",
 "source.bytes": 144,
@@ -1141,7 +1141,7 @@
 "source.packets": 3,
 "source.port": 3129,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -1167,11 +1167,11 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.duration": 60000000000,
 "event.end": "2013-01-19T15:19:18.040-02:00",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d",
 "event.outcome": "success",
 "event.severity": "14",
@@ -1182,17 +1182,17 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.apbr-rule-type": "\u201ddefault\u201d",
- "junipersrx.firewall.application": "HTTP",
- "junipersrx.firewall.encrypted": "No",
- "junipersrx.firewall.nested-application": "FACEBOOK-SOCIALRSS",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.roles": "DEPT1",
- "junipersrx.firewall.service-name": "junos-http",
- "junipersrx.firewall.session-id-32": "28",
- "junipersrx.firewall.tag": "APPTRACK_SESSION_VOL_UPDATE",
+ "juniper.srx.apbr_rule_type": "\u201ddefault\u201d",
+ "juniper.srx.application": "HTTP",
+ "juniper.srx.encrypted": "No",
+ "juniper.srx.nested_application": "FACEBOOK-SOCIALRSS",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.roles": "DEPT1",
+ "juniper.srx.service_name": "junos-http",
+ "juniper.srx.session_id_32": "28",
+ "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE",
 "log.level": "informational",
 "log.offset": 11130,
 "network.bytes": 706024,
@@ -1217,7 +1217,7 @@
 "server.nat.port": 80,
 "server.packets": 584,
 "server.port": 80,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 3356,
 "source.as.organization.name": "Level 3 Parent, LLC",
 "source.bytes": 19592,
@@ -1232,7 +1232,7 @@
 "source.port": 33040,
 "source.user.name": "user1",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
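Review bot: In the `@@ -1182,17` hunk `juniper.srx.apbr_rule_type` is expected to be `"\u201ddefault\u201d"`, so the parsed value keeps the U+201D typographic quotes that surround it in this record's `event.original`. The sample line looks as if it was pasted from formatted documentation rather than captured from a device, which means the golden file pins a parsing artefact, and a query for the plain value `default` would not match. I would replace the typographic quotes in the test log with ASCII `"` and regenerate, so the line becomes `"juniper.srx.apbr_rule_type": "default",`. The same applies to `profile_name`, `routing_instance` and `rule_name` in the `@@ -1266,20` hunk and to `apbr_rule_type` in the `@@ -1354,16` and `@@ -1567,16` hunks.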
@@ -1254,9 +1254,9 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=\u201dpf1\u201d rule-name=\u201dfacebook1\u201d routing-instance=\u201dinstance1\u201d destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d",
 "event.outcome": "success",
 "event.severity": "14",
@@ -1266,20 +1266,20 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.apbr-rule-type": "\u201ddefault\u201d",
- "junipersrx.firewall.application": "HTTP",
- "junipersrx.firewall.encrypted": "No",
- "junipersrx.firewall.nested-application": "FACEBOOK-SOCIALRSS",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.profile-name": "\u201dpf1\u201d",
- "junipersrx.firewall.roles": "DEPT1",
- "junipersrx.firewall.routing-instance": "\u201dinstance1\u201d",
- "junipersrx.firewall.rule-name": "\u201dfacebook1\u201d",
- "junipersrx.firewall.service-name": "junos-http",
- "junipersrx.firewall.session-id-32": "28",
- "junipersrx.firewall.tag": "APPTRACK_SESSION_ROUTE_UPDATE",
+ "juniper.srx.apbr_rule_type": "\u201ddefault\u201d",
+ "juniper.srx.application": "HTTP",
+ "juniper.srx.encrypted": "No",
+ "juniper.srx.nested_application": "FACEBOOK-SOCIALRSS",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.profile_name": "\u201dpf1\u201d",
+ "juniper.srx.roles": "DEPT1",
+ "juniper.srx.routing_instance": "\u201dinstance1\u201d",
+ "juniper.srx.rule_name": "\u201dfacebook1\u201d",
+ "juniper.srx.service_name": "junos-http",
+ "juniper.srx.session_id_32": "28",
+ "juniper.srx.tag": "APPTRACK_SESSION_ROUTE_UPDATE",
 "log.level": "informational",
 "log.offset": 11929,
 "network.iana_number": "6",
@@ -1300,7 +1300,7 @@
 "server.ip": "5.0.0.1",
 "server.nat.port": 80,
 "server.port": 80,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 3356,
 "source.as.organization.name": "Level 3 Parent, LLC",
 "source.geo.continent_name": "North America",
@@ -1313,7 +1313,7 @@
 "source.port": 33040,
 "source.user.name": "user1",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -1339,11 +1339,11 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.duration": 3000000000,
 "event.end": "2013-01-19T15:18:23.040-02:00",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d",
 "event.outcome": "success",
 "event.severity": "14",
@@ -1354,16 +1354,16 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.apbr-rule-type": "\u201ddefault\u201d",
- "junipersrx.firewall.encrypted": "No",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.reason": "TCP CLIENT RST",
- "junipersrx.firewall.roles": "DEPT1",
- "junipersrx.firewall.service-name": "junos-http",
- "junipersrx.firewall.session-id-32": "32",
- "junipersrx.firewall.tag": "APPTRACK_SESSION_CLOSE",
+ "juniper.srx.apbr_rule_type": "\u201ddefault\u201d",
+ "juniper.srx.encrypted": "No",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.reason": "TCP CLIENT RST",
+ "juniper.srx.roles": "DEPT1",
+ "juniper.srx.service_name": "junos-http",
+ "juniper.srx.session_id_32": "32",
+ "juniper.srx.tag": "APPTRACK_SESSION_CLOSE",
 "log.level": "informational",
 "log.offset": 12689,
 "network.bytes": 1038,
@@ -1388,7 +1388,7 @@
 "server.nat.port": 80,
 "server.packets": 3,
 "server.port": 80,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 3356,
 "source.as.organization.name": "Level 3 Parent, LLC",
 "source.bytes": 392,
@@ -1403,7 +1403,7 @@
 "source.port": 48873,
 "source.user.name": "user1",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -1423,9 +1423,9 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"",
 "event.outcome": "success",
 "event.severity": "14",
@@ -1435,12 +1435,12 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.service-name": "icmp",
- "junipersrx.firewall.session-id-32": "100000165",
- "junipersrx.firewall.tag": "RT_FLOW_SESSION_CREATE_LS",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.service_name": "icmp",
+ "juniper.srx.session_id_32": "100000165",
+ "juniper.srx.tag": "RT_FLOW_SESSION_CREATE_LS",
 "log.level": "informational",
 "log.offset": 13489,
 "network.iana_number": "1",
@@ -1461,7 +1461,7 @@
 "server.ip": "30.0.0.100",
 "server.nat.port": 768,
 "server.port": 768,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.geo.continent_name": "North America",
 "source.geo.country_iso_code": "US",
 "source.geo.location.lat": 37.751,
@@ -1471,7 +1471,7 @@
 "source.nat.port": 24065,
 "source.port": 24065,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -1484,9 +1484,9 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"",
 "event.outcome": "success",
 "event.risk_score": "1",
@@ -1496,15 +1496,15 @@
 "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.connection-tag": "0",
- "junipersrx.firewall.encrypted": "No",
- "junipersrx.firewall.icmp-type": "0",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.reason": "Denied by policy",
- "junipersrx.firewall.session-id-32": "7087",
- "junipersrx.firewall.tag": "RT_FLOW_SESSION_DENY_LS",
+ "juniper.srx.connection_tag": "0",
+ "juniper.srx.encrypted": "No",
+ "juniper.srx.icmp_type": "0",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.reason": "Denied by policy",
+ "juniper.srx.session_id_32": "7087",
+ "juniper.srx.tag": "RT_FLOW_SESSION_DENY_LS",
 "log.level": "informational",
 "log.offset": 14137,
 "network.iana_number": "17",
@@ -1522,11 +1522,11 @@
 "rule.name": "MgmtAccess-trust-cleanup",
 "server.ip": "10.128.0.1",
 "server.port": 161,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.ip": "10.0.0.26",
 "source.port": 37233,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -1552,11 +1552,11 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.duration": 3000000000,
 "event.end": "2020-01-19T15:18:23.040-02:00",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d",
 "event.outcome": "success",
 "event.severity": "14",
@@ -1567,16 +1567,16 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.apbr-rule-type": "\u201ddefault\u201d",
- "junipersrx.firewall.encrypted": "No",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.reason": "TCP CLIENT RST",
- "junipersrx.firewall.roles": "DEPT1",
- "junipersrx.firewall.service-name": "junos-http",
- "junipersrx.firewall.session-id-32": "32",
- "junipersrx.firewall.tag": "APPTRACK_SESSION_CLOSE_LS",
+ "juniper.srx.apbr_rule_type": "\u201ddefault\u201d",
+ "juniper.srx.encrypted": "No",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.reason": "TCP CLIENT RST",
+ "juniper.srx.roles": "DEPT1",
+ "juniper.srx.service_name": "junos-http",
+ "juniper.srx.session_id_32": "32",
+ "juniper.srx.tag": "APPTRACK_SESSION_CLOSE_LS",
 "log.level": "informational",
 "log.offset": 14803,
 "network.bytes": 1038,
@@ -1601,7 +1601,7 @@
 "server.nat.port": 80,
 "server.packets": 3,
 "server.port": 80,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 3356,
 "source.as.organization.name": "Level 3 Parent, LLC",
 "source.bytes": 392,
@@ -1616,7 +1616,7 @@
 "source.port": 48873,
 "source.user.name": "user1",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -1645,11 +1645,11 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.duration": 60000000000,
 "event.end": "2020-07-14T12:18:11.928-02:00",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"46.165.154.241\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"46.165.154.241\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
 "event.outcome": "success",
 "event.severity": "14",
@@ -1660,14 +1660,14 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.encrypted": "No",
- "junipersrx.firewall.process": "RT_FLOW",
- "junipersrx.firewall.service-name": "junos-http",
- "junipersrx.firewall.session-id-32": "16118",
- "junipersrx.firewall.src-nat-rule-name": "our-nat-rule",
- "junipersrx.firewall.tag": "APPTRACK_SESSION_VOL_UPDATE",
+ "juniper.srx.encrypted": "No",
+ "juniper.srx.process": "RT_FLOW",
+ "juniper.srx.service_name": "junos-http",
+ "juniper.srx.session_id_32": "16118",
+ "juniper.srx.src_nat_rule_name": "our-nat-rule",
+ "juniper.srx.tag": "APPTRACK_SESSION_VOL_UPDATE",
 "log.level": "informational",
 "log.offset": 15606,
 "network.bytes": 4454,
@@ -1692,7 +1692,7 @@
 "server.nat.port": 80,
 "server.packets": 34,
 "server.port": 80,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.bytes": 2322,
 "source.ip": "10.1.1.100",
 "source.nat.ip": "172.19.34.100",
@@ -1700,7 +1700,7 @@
 "source.packets": 42,
 "source.port": 58943,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -1729,11 +1729,11 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.duration": 23755000000000,
 "event.end": "2020-07-13T21:19:00.041-02:00",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"91.228.167.172\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"91.228.167.172\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
 "event.outcome": "success",
 "event.risk_score": "1",
@@ -1745,23 +1745,23 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.connection-tag": "0", - "junipersrx.firewall.hostname": "NA NA", - "junipersrx.firewall.nat-connection-tag": "0", - "junipersrx.firewall.peer-destination-address": "0.0.0.0", - "junipersrx.firewall.peer-destination-port": "0", - "junipersrx.firewall.peer-session-id": "0", - "junipersrx.firewall.peer-source-address": "0.0.0.0", - "junipersrx.firewall.peer-source-port": "0", - "junipersrx.firewall.process": "RT_FLOW", - "junipersrx.firewall.reason": "idle Timeout", - "junipersrx.firewall.secure-web-proxy-session-type": "NA", - "junipersrx.firewall.session-id-32": "3851", - "junipersrx.firewall.src-nat-rule-name": "our-nat-rule", - "junipersrx.firewall.src-nat-rule-type": "source rule", - "junipersrx.firewall.tag": "RT_FLOW_SESSION_CLOSE", + "juniper.srx.connection_tag": "0", + "juniper.srx.hostname": "NA NA", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.peer_destination_address": "0.0.0.0", + "juniper.srx.peer_destination_port": "0", + "juniper.srx.peer_session_id": "0", + "juniper.srx.peer_source_address": "0.0.0.0", + "juniper.srx.peer_source_port": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "idle Timeout", + "juniper.srx.secure_web_proxy_session_type": "NA", + "juniper.srx.session_id_32": "3851", + "juniper.srx.src_nat_rule_name": "our-nat-rule", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CLOSE", "log.level": "informational", "log.offset": 16469, "network.bytes": 19200, @@ -1786,7 +1786,7 @@ "server.nat.port": 8883, "server.packets": 96, "server.port": 8883, - "service.type": "junipersrx", + "service.type": "juniper", "source.bytes": 9530, "source.ip": "10.1.1.100", "source.nat.ip": "172.19.34.100", @@ -1794,7 +1794,7 @@ "source.packets": 161, "source.port": 64720, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -1816,9 +1816,9 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", "event.outcome": "success", "event.risk_score": "1", 
@@ -1829,16 +1829,16 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.connection-tag": "0", - "junipersrx.firewall.nat-connection-tag": "0", - "junipersrx.firewall.process": "RT_FLOW", - "junipersrx.firewall.service-name": "junos-dns-udp", - "junipersrx.firewall.session-id-32": "15399", - "junipersrx.firewall.src-nat-rule-name": "our-nat-rule", - "junipersrx.firewall.src-nat-rule-type": "source rule", - "junipersrx.firewall.tag": "RT_FLOW_SESSION_CREATE", + "juniper.srx.connection_tag": "0", + "juniper.srx.nat_connection_tag": "0", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.service_name": "junos-dns-udp", + "juniper.srx.session_id_32": "15399", + "juniper.srx.src_nat_rule_name": "our-nat-rule", + "juniper.srx.src_nat_rule_type": "source rule", + "juniper.srx.tag": "RT_FLOW_SESSION_CREATE", "log.level": "informational", "log.offset": 17715, "network.iana_number": "17", @@ -1859,13 +1859,13 @@ "server.ip": "8.8.8.8", "server.nat.port": 53, "server.port": 53, - "service.type": "junipersrx", + "service.type": "juniper", "source.ip": "10.1.1.100", "source.nat.ip": "172.19.34.100", "source.nat.port": 30838, "source.port": 49583, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -1891,11 +1891,11 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.duration": 3000000000, "event.end": "2020-07-13T14:12:08.530-02:00", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", "event.outcome": "success", "event.severity": "14", 
@@ -1906,18 +1906,18 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.encrypted": "No", - "junipersrx.firewall.process": "RT_FLOW", - "junipersrx.firewall.reason": "Closed by junos-alg", - "junipersrx.firewall.routing-instance": "default", - "junipersrx.firewall.service-name": "junos-dns-udp", - "junipersrx.firewall.session-id-32": "15361", - "junipersrx.firewall.src-nat-rule-name": "our-nat-rule", - "junipersrx.firewall.tag": "APPTRACK_SESSION_CLOSE", - "junipersrx.firewall.uplink-rx-bytes": "0", - "junipersrx.firewall.uplink-tx-bytes": "0", + "juniper.srx.encrypted": "No", + "juniper.srx.process": "RT_FLOW", + "juniper.srx.reason": "Closed by junos-alg", + "juniper.srx.routing_instance": "default", + "juniper.srx.service_name": "junos-dns-udp", + "juniper.srx.session_id_32": "15361", + "juniper.srx.src_nat_rule_name": "our-nat-rule", + "juniper.srx.tag": "APPTRACK_SESSION_CLOSE", + "juniper.srx.uplink_rx_bytes": "0", + "juniper.srx.uplink_tx_bytes": "0", "log.level": "informational", "log.offset": 18627, "network.bytes": 148, @@ -1942,7 +1942,7 @@ "server.nat.port": 53, "server.packets": 1, "server.port": 53, - "service.type": "junipersrx", + "service.type": "juniper", "source.bytes": 66, "source.ip": "10.1.1.100", "source.nat.ip": "172.19.34.100", @@ -1950,7 +1950,7 @@ "source.packets": 1, "source.port": 63381, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json index d7abd7fbb8a4..c8f83bb56cc9 100644 --- a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json 
@@ -4,6 +4,7 @@ "client.bytes": 0, "client.ip": "10.11.11.1", "client.nat.port": 13312, + "client.packets": 0, "client.port": 12345, "destination.bytes": 0, "destination.ip": "187.188.188.10", @@ -16,11 +17,11 @@ "network", "intrusion_detection" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.duration": 0, "event.end": "2020-03-02T21:13:03.193-02:00", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", "event.outcome": "success", "event.severity": "165", 
@@ -28,27 +29,27 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.action": "DROP", - "junipersrx.firewall.alert": "no", - "junipersrx.firewall.application-name": "HTTP", - "junipersrx.firewall.attack-name": "HTTP:MISC:GENERIC-DIR-TRAVERSAL", - "junipersrx.firewall.epoch-time": "1583190783", - "junipersrx.firewall.export-id": "20175", - "junipersrx.firewall.index": "cnm", - "junipersrx.firewall.message-type": "SIG", - "junipersrx.firewall.packet-log-id": "0", - "junipersrx.firewall.policy-name": "Recommended", - "junipersrx.firewall.process": "RT_IDP", - "junipersrx.firewall.repeat-count": "0", - "junipersrx.firewall.service-name": "SERVICE_IDP", - "junipersrx.firewall.tag": "IDP_ATTACK_LOG_EVENT", - "junipersrx.firewall.threat-severity": "HIGH", - "junipersrx.firewall.type": "idp", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "HTTP:MISC:GENERIC-DIR-TRAVERSAL", + "juniper.srx.epoch_time": "1583190783", + "juniper.srx.export_id": "20175", + "juniper.srx.index": "cnm", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "HIGH", + "juniper.srx.type": "idp", "log.level": "notification", "log.offset": 0, "network.protocol": "TCP", 
@@ -67,15 +68,16 @@ "server.nat.port": 9757, "server.packets": 0, "server.port": 123, - "service.type": "junipersrx", + "service.type": "juniper", "source.bytes": 0, "source.ip": "10.11.11.1", "source.nat.ip": "0.0.0.0", "source.nat.port": 13312, + "source.packets": 0, "source.port": 12345, "source.user.name": "unknown-user", "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { @@ -83,6 +85,7 @@ "client.bytes": 0, "client.ip": "10.11.11.1", "client.nat.port": 13312, + "client.packets": 0, "client.port": 12345, "destination.bytes": 0, "destination.ip": "187.188.188.10", @@ -95,11 +98,11 @@ "network", "intrusion_detection" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.duration": 0, "event.end": "2020-03-02T21:13:03.197-02:00", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", "event.outcome": "success", "event.severity": "165", 
@@ -107,27 +110,27 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.action": "DROP", - "junipersrx.firewall.alert": "no", - "junipersrx.firewall.application-name": "HTTP", - "junipersrx.firewall.attack-name": "TCP:C2S:AMBIG:C2S-SYN-DATA", - "junipersrx.firewall.epoch-time": "1583190783", - "junipersrx.firewall.export-id": "20175", - "junipersrx.firewall.index": "cnm", - "junipersrx.firewall.message-type": "SIG", - "junipersrx.firewall.packet-log-id": "0", - "junipersrx.firewall.policy-name": "Recommended", - "junipersrx.firewall.process": "RT_IDP", - "junipersrx.firewall.repeat-count": "0", - "junipersrx.firewall.service-name": "SERVICE_IDP", - "junipersrx.firewall.tag": "IDP_ATTACK_LOG_EVENT", - "junipersrx.firewall.threat-severity": "CRITICAL", - "junipersrx.firewall.type": "idp", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "TCP:C2S:AMBIG:C2S-SYN-DATA", + "juniper.srx.epoch_time": "1583190783", + "juniper.srx.export_id": "20175", + "juniper.srx.index": "cnm", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "CRITICAL", + "juniper.srx.type": "idp", "log.level": "notification", "log.offset": 929, "network.protocol": "TCP", 
@@ -146,15 +149,16 @@ "server.nat.port": 9757, "server.packets": 0, "server.port": 123, - "service.type": "junipersrx", + "service.type": "juniper", "source.bytes": 0, "source.ip": "10.11.11.1", "source.nat.ip": "0.0.0.0", "source.nat.port": 13312, + "source.packets": 0, "source.port": 12345, "source.user.name": "unknown-user", "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { @@ -162,6 +166,7 @@ "client.bytes": 0, "client.ip": "183.78.180.27", "client.nat.port": 0, + "client.packets": 0, "client.port": 45610, "destination.bytes": 0, "destination.ip": "118.127.111.1", @@ -174,11 +179,11 @@ "network", "intrusion_detection" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.duration": 0, "event.end": "2007-02-15T07:17:15.719-02:00", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.111.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", "event.outcome": "success", "event.severity": "165", 
@@ -186,25 +191,25 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.action": "DROP", - "junipersrx.firewall.alert": "no", - "junipersrx.firewall.application-name": "HTTP", - "junipersrx.firewall.attack-name": "TROJAN:ZMEU-BOT-SCAN", - "junipersrx.firewall.epoch-time": "1507845354", - "junipersrx.firewall.export-id": "15229", - "junipersrx.firewall.message-type": "SIG", - "junipersrx.firewall.packet-log-id": "0", - "junipersrx.firewall.policy-name": "Recommended", - "junipersrx.firewall.process": "RT_IDP", - "junipersrx.firewall.repeat-count": "0", - "junipersrx.firewall.service-name": "SERVICE_IDP", - "junipersrx.firewall.tag": "IDP_ATTACK_LOG_EVENT", - "junipersrx.firewall.threat-severity": "HIGH", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "TROJAN:ZMEU-BOT-SCAN", + "juniper.srx.epoch_time": "1507845354", + "juniper.srx.export_id": "15229", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "HIGH", "log.level": "notification", "log.offset": 1857, "network.protocol": "TCP", @@ -223,14 +228,15 @@ "server.nat.port": 0, "server.packets": 0, "server.port": 80, - "service.type": "junipersrx", + "service.type": "juniper", "source.bytes": 0, "source.ip": "183.78.180.27", "source.nat.ip": "0.0.0.0", "source.nat.port": 0, + "source.packets": 0, "source.port": 45610, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -238,6 +244,7 @@ "client.bytes": 0, "client.ip": "183.78.180.27", "client.nat.port": 0, + "client.packets": 0, "client.port": 45610, "destination.bytes": 0, "destination.ip": "118.127.30.11", @@ -250,11 +257,11 @@ "network", "intrusion_detection" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.duration": 0, "event.end": "2017-10-12T19:55:55.792-02:00", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.30.11\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", "event.outcome": "success", "event.severity": "165", 
@@ -262,25 +269,25 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.action": "DROP", - "junipersrx.firewall.alert": "no", - "junipersrx.firewall.application-name": "HTTP", - "junipersrx.firewall.attack-name": "TROJAN:ZMEU-BOT-SCAN", - "junipersrx.firewall.epoch-time": "1507845354", - "junipersrx.firewall.export-id": "15229", - "junipersrx.firewall.message-type": "SIG", - "junipersrx.firewall.packet-log-id": "0", - "junipersrx.firewall.policy-name": "Recommended", - "junipersrx.firewall.process": "RT_IDP", - "junipersrx.firewall.repeat-count": "0", - "junipersrx.firewall.service-name": "SERVICE_IDP", - "junipersrx.firewall.tag": "IDP_ATTACK_LOG_EVENT", - "junipersrx.firewall.threat-severity": "HIGH", + "juniper.srx.action": "DROP", + "juniper.srx.alert": "no", + "juniper.srx.application_name": "HTTP", + "juniper.srx.attack_name": "TROJAN:ZMEU-BOT-SCAN", + "juniper.srx.epoch_time": "1507845354", + "juniper.srx.export_id": "15229", + "juniper.srx.message_type": "SIG", + "juniper.srx.packet_log_id": "0", + "juniper.srx.policy_name": "Recommended", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "SERVICE_IDP", + "juniper.srx.tag": "IDP_ATTACK_LOG_EVENT", + "juniper.srx.threat_severity": "HIGH", "log.level": "notification", "log.offset": 2773, "network.protocol": "TCP", @@ -299,14 +306,15 @@ "server.nat.port": 0, "server.packets": 0, "server.port": 80, - "service.type": "junipersrx", + "service.type": "juniper", "source.bytes": 0, "source.ip": "183.78.180.27", "source.nat.ip": "0.0.0.0", "source.nat.port": 0, + "source.packets": 0, "source.port": 45610, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -318,27 +326,27 @@ "network", "intrusion_detection" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"", "event.outcome": "success", "event.severity": "165", "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.ddos-application-name": "Webserver", - "junipersrx.firewall.epoch-time": "1319367986", - "junipersrx.firewall.policy-name": "A DoS-Webserver", - "junipersrx.firewall.process": "RT_IDP", - "junipersrx.firewall.repeat-count": "0", - "junipersrx.firewall.service-name": "HTTP", - "junipersrx.firewall.tag": "IDP_APPDDOS_APP_STATE_EVENT", + "juniper.srx.ddos_application_name": "Webserver", + "juniper.srx.epoch_time": "1319367986", + "juniper.srx.policy_name": "A DoS-Webserver", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "0", + "juniper.srx.service_name": "HTTP", + "juniper.srx.tag": "IDP_APPDDOS_APP_STATE_EVENT", "log.level": "notification", "log.offset": 3693, "message": "Connection rate exceeded limit 60", @@ -353,9 +361,9 @@ "rule.name": "DDOS", "server.ip": "172.27.14.203", "server.port": 80, - "service.type": "junipersrx", + "service.type": "juniper", "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -369,37 +377,37 @@ "network", "intrusion_detection" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"rethO.O\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"O\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"O\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", "event.outcome": "success", "event.severity": "165", "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.action": "NONE", - "junipersrx.firewall.connection-hit-rate": "30", - "junipersrx.firewall.context-hit-rate": "123", - "junipersrx.firewall.context-name": "http-get-url", - "junipersrx.firewall.context-value-hit-rate": "O", - "junipersrx.firewall.ddos-application-name": "Webserver", - "junipersrx.firewall.epoch-time": "1319419711", - "junipersrx.firewall.policy-name": "AppDoS-Webserver", - "junipersrx.firewall.process": "RT_IDP", - "junipersrx.firewall.repeat-count": "O", - "junipersrx.firewall.ruleebase-name": "DDOS", - "junipersrx.firewall.service-name": "HTTP", - "junipersrx.firewall.tag": "IDP_APPDDOS_APP_ATTACK_EVENT", - "junipersrx.firewall.threat-severity": "INFO", - "junipersrx.firewall.time-count": "3", - "junipersrx.firewall.time-period": "60", - "junipersrx.firewall.time-scope": "PEER", + "juniper.srx.action": 
"NONE", + "juniper.srx.connection_hit_rate": "30", + "juniper.srx.context_hit_rate": "123", + "juniper.srx.context_name": "http-get-url", + "juniper.srx.context_value_hit_rate": "O", + "juniper.srx.ddos_application_name": "Webserver", + "juniper.srx.epoch_time": "1319419711", + "juniper.srx.policy_name": "AppDoS-Webserver", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "O", + "juniper.srx.ruleebase_name": "DDOS", + "juniper.srx.service_name": "HTTP", + "juniper.srx.tag": "IDP_APPDDOS_APP_ATTACK_EVENT", + "juniper.srx.threat_severity": "INFO", + "juniper.srx.time_count": "3", + "juniper.srx.time_period": "60", + "juniper.srx.time_scope": "PEER", "log.level": "notification", "log.offset": 4165, "network.protocol": "TCP", @@ -414,11 +422,11 @@ "rule.id": "1", "server.ip": "172.27.14.203", "server.port": 80, - "service.type": "junipersrx", + "service.type": "juniper", "source.ip": "192.168.14.214", "source.port": 50825, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
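Review bot: The corrected `"denied"` in `event.type` (hunk `@@ -369,37 +377,37 @@`) is pinned for an event whose `juniper.srx.action` is `"NONE"` and whose `threat-severity` is `INFO`, so the fixture records a block that the device did not report. Anyone counting denied connections or tuning IDP policy from `event.type` would see these rate-tracking events as drops. The type should probably follow the action field, for example `"event.type": ["info", "connection"]` when the action is `NONE`; the pipeline step that sets it is not visible here. The `@@ -432,37 +440,37 @@` hunk pins the same combination. The sample line also carries the misspelt key `ruleebase-name`, which lands in `juniper.srx.ruleebase_name`, and the letter `O` where a zero seems intended (`repeat-count="O"`), so the test input itself may need correcting.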
@@ -432,37 +440,37 @@ "network", "intrusion_detection" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.O\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"rethO.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"O\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"O\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", "event.outcome": "success", "event.severity": "165", "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.action": "NONE", - "junipersrx.firewall.connection-hit-rate": "30", - "junipersrx.firewall.context-hit-rate": "123", - "junipersrx.firewall.context-name": "http-get-url", - "junipersrx.firewall.context-value-hit-rate": "O", - "junipersrx.firewall.ddos-application-name": "Webserver", - "junipersrx.firewall.epoch-time": "1419419711", - "junipersrx.firewall.policy-name": "AppDoS-Webserver", - "junipersrx.firewall.process": "RT_IDP", - "junipersrx.firewall.repeat-count": "O", - "junipersrx.firewall.ruleebase-name": "DDOS02", - "junipersrx.firewall.service-name": "HTTP", - "junipersrx.firewall.tag": "IDP_APPDDOS_APP_ATTACK_EVENT_LS", - "junipersrx.firewall.threat-severity": "INFO", - "junipersrx.firewall.time-count": "3", - "junipersrx.firewall.time-period": "60", - "junipersrx.firewall.time-scope": "PEER", + 
"juniper.srx.action": "NONE", + "juniper.srx.connection_hit_rate": "30", + "juniper.srx.context_hit_rate": "123", + "juniper.srx.context_name": "http-get-url", + "juniper.srx.context_value_hit_rate": "O", + "juniper.srx.ddos_application_name": "Webserver", + "juniper.srx.epoch_time": "1419419711", + "juniper.srx.policy_name": "AppDoS-Webserver", + "juniper.srx.process": "RT_IDP", + "juniper.srx.repeat_count": "O", + "juniper.srx.ruleebase_name": "DDOS02", + "juniper.srx.service_name": "HTTP", + "juniper.srx.tag": "IDP_APPDDOS_APP_ATTACK_EVENT_LS", + "juniper.srx.threat_severity": "INFO", + "juniper.srx.time_count": "3", + "juniper.srx.time_period": "60", + "juniper.srx.time_scope": "PEER", "log.level": "notification", "log.offset": 4895, "network.protocol": "TCP", @@ -477,11 +485,11 @@ "rule.id": "1", "server.ip": "172.30.20.201", "server.port": 80, - "service.type": "junipersrx", + "service.type": "juniper", "source.ip": "193.168.14.214", "source.port": 50825, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json index 38e22134a940..82da837945a8 100644 --- a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json 
@@ -16,24 +16,24 @@ "network", "intrusion_detection" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", "event.outcome": "success", "event.severity": "11", "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.action": "drop", - "junipersrx.firewall.attack-name": "TCP sweep!", - "junipersrx.firewall.process": "RT_IDS", - "junipersrx.firewall.tag": "RT_SCREEN_TCP", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "TCP sweep!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", "log.level": "error", "log.offset": 0, "observer.ingress.interface.name": "fe-0/0/2.0", @@ -44,7 +44,7 @@ "observer.vendor": "Juniper", "server.ip": "40.177.177.1", "server.port": 1433, - "service.type": "junipersrx", + "service.type": "juniper", "source.as.number": 4134, "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", @@ -56,7 +56,7 @@ "source.ip": "113.113.17.17", "source.port": 6000, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -70,24 +70,24 @@ "network", "intrusion_detection" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", "event.outcome": "success", "event.severity": "11", "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.action": "drop", - "junipersrx.firewall.attack-name": "WinNuke attack!", - "junipersrx.firewall.process": "RT_IDS", - "junipersrx.firewall.tag": "RT_SCREEN_TCP", + "juniper.srx.action": "drop", + "juniper.srx.attack_name": "WinNuke attack!", + "juniper.srx.process": "RT_IDS", + "juniper.srx.tag": "RT_SCREEN_TCP", "log.level": "error", "log.offset": 294, "observer.ingress.interface.name": "fe-0/0/2.0", @@ -98,11 +98,11 @@ "observer.vendor": "Juniper", "server.ip": "2001:0000:0000:0000:0000:0000:0000:0002", "server.port": 139, - "service.type": "junipersrx", + "service.type": "juniper", "source.ip": "2000:0000:0000:0000:0000:0000:0000:0002", "source.port": 3240, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] }, { 
@@ -122,24 +122,24 @@
 "network",
 "intrusion_detection"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
 "event.severity": "11",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "drop",
- "junipersrx.firewall.attack-name": "SYN flood!",
- "junipersrx.firewall.process": "RT_IDS",
- "junipersrx.firewall.tag": "RT_SCREEN_TCP",
+ "juniper.srx.action": "drop",
+ "juniper.srx.attack_name": "SYN flood!",
+ "juniper.srx.process": "RT_IDS",
+ "juniper.srx.tag": "RT_SCREEN_TCP",
 "log.level": "error",
 "log.offset": 644,
 "observer.ingress.interface.name": "ge-0/0/1.0",
@@ -150,7 +150,7 @@
 "observer.vendor": "Juniper",
 "server.ip": "2.2.2.2",
 "server.port": 50010,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 13335,
 "source.as.organization.name": "Cloudflare, Inc.",
 "source.geo.continent_name": "Oceania",
@@ -160,7 +160,7 @@
 "source.ip": "1.1.1.2",
 "source.port": 40001,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -181,24 +181,24 @@
 "network",
 "intrusion_detection"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
 "event.severity": "11",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "drop",
- "junipersrx.firewall.attack-name": "UDP flood!",
- "junipersrx.firewall.process": "RT_IDS",
- "junipersrx.firewall.tag": "RT_SCREEN_UDP",
+ "juniper.srx.action": "drop",
+ "juniper.srx.attack_name": "UDP flood!",
+ "juniper.srx.process": "RT_IDS",
+ "juniper.srx.tag": "RT_SCREEN_UDP",
 "log.level": "error",
 "log.offset": 930,
 "observer.ingress.interface.name": "ge-0/0/1.0",
@@ -209,7 +209,7 @@
 "observer.vendor": "Juniper",
 "server.ip": "3.4.2.2",
 "server.port": 53,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 56041,
 "source.as.organization.name": "China Mobile communications corporation",
 "source.geo.city_name": "Wenzhou",
@@ -222,7 +222,7 @@
 "source.ip": "111.1.1.3",
 "source.port": 40001,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -241,24 +241,24 @@
 "network",
 "intrusion_detection"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
 "event.severity": "11",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "drop",
- "junipersrx.firewall.attack-name": "ICMP fragment!",
- "junipersrx.firewall.process": "RT_IDS",
- "junipersrx.firewall.tag": "RT_SCREEN_ICMP",
+ "juniper.srx.action": "drop",
+ "juniper.srx.attack_name": "ICMP fragment!",
+ "juniper.srx.process": "RT_IDS",
+ "juniper.srx.tag": "RT_SCREEN_ICMP",
 "log.level": "error",
 "log.offset": 1215,
 "observer.ingress.interface.name": "ge-0/0/1.0",
@@ -268,7 +268,7 @@
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "server.ip": "3.4.2.2",
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 56041,
 "source.as.organization.name": "China Mobile communications corporation",
 "source.geo.city_name": "Wenzhou",
@@ -280,7 +280,7 @@
 "source.geo.region_name": "Zhejiang",
 "source.ip": "111.1.1.3",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -298,24 +298,24 @@
 "network",
 "intrusion_detection"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
 "event.severity": "11",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "drop",
- "junipersrx.firewall.attack-name": "Record Route IP option!",
- "junipersrx.firewall.process": "RT_IDS",
- "junipersrx.firewall.tag": "RT_SCREEN_IP",
+ "juniper.srx.action": "drop",
+ "juniper.srx.attack_name": "Record Route IP option!",
+ "juniper.srx.process": "RT_IDS",
+ "juniper.srx.tag": "RT_SCREEN_IP",
 "log.level": "error",
 "log.offset": 1463,
 "network.iana_number": "1",
@@ -326,7 +326,7 @@
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "server.ip": "3.4.2.2",
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 56041,
 "source.as.organization.name": "China Mobile communications corporation",
 "source.geo.city_name": "Wenzhou",
@@ -338,7 +338,7 @@
 "source.geo.region_name": "Zhejiang",
 "source.ip": "111.1.1.3",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -350,24 +350,24 @@
 "network",
 "intrusion_detection"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
 "event.severity": "11",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "drop",
- "junipersrx.firewall.attack-name": "Tunnel GRE 6in6!",
- "junipersrx.firewall.process": "RT_IDS",
- "junipersrx.firewall.tag": "RT_SCREEN_IP",
+ "juniper.srx.action": "drop",
+ "juniper.srx.attack_name": "Tunnel GRE 6in6!",
+ "juniper.srx.process": "RT_IDS",
+ "juniper.srx.tag": "RT_SCREEN_IP",
 "log.level": "error",
 "log.offset": 1734,
 "network.iana_number": "1",
@@ -378,10 +378,10 @@
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "server.ip": "1111::11",
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.ip": "1212::12",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -397,24 +397,24 @@
 "network",
 "intrusion_detection"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
 "event.severity": "11",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "drop",
- "junipersrx.firewall.attack-name": "Tunnel GRE 4in4!",
- "junipersrx.firewall.process": "RT_IDS",
- "junipersrx.firewall.tag": "RT_SCREEN_IP",
+ "juniper.srx.action": "drop",
+ "juniper.srx.attack_name": "Tunnel GRE 4in4!",
+ "juniper.srx.process": "RT_IDS",
+ "juniper.srx.tag": "RT_SCREEN_IP",
 "log.level": "error",
 "log.offset": 1998,
 "network.iana_number": "1",
@@ -425,7 +425,7 @@
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "server.ip": "11.11.11.1",
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 32328,
 "source.as.organization.name": "Alascom, Inc.",
 "source.geo.continent_name": "North America",
@@ -434,7 +434,7 @@
 "source.geo.location.lon": -97.822,
 "source.ip": "12.12.12.1",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -451,24 +451,24 @@
 "network",
 "intrusion_detection"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"",
 "event.outcome": "success",
 "event.severity": "11",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "alarm-without-drop",
- "junipersrx.firewall.attack-name": "SYN flood!",
- "junipersrx.firewall.process": "RT_IDS",
- "junipersrx.firewall.tag": "RT_SCREEN_TCP_DST_IP",
+ "juniper.srx.action": "alarm-without-drop",
+ "juniper.srx.attack_name": "SYN flood!",
+ "juniper.srx.process": "RT_IDS",
+ "juniper.srx.tag": "RT_SCREEN_TCP_DST_IP",
 "log.level": "error",
 "log.offset": 2266,
 "observer.ingress.interface.name": "ge-0/0/1.0",
@@ -478,9 +478,9 @@
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
 "server.ip": "2.2.2.2",
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
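Review bot: `event.type` is pinned to `denied` for this event although its `juniper.srx.action` is `alarm-without-drop`, which by its name means the screen raised an alarm and did not drop the traffic. A dashboard or detection rule that reads `denied` as "blocked at the firewall" would then discount a SYN flood that was only alarmed on. The expected array should be `"info", "allowed", "connection"` here and for the `RT_SCREEN_TCP_SRC_IP` event in the hunk at `@@ -491,24 +491,24 @@`, with the ingest pipeline deriving the type from the action value. The pipeline is not part of this hunk, so where that mapping lives is inferred.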
@@ -491,24 +491,24 @@
 "network",
 "intrusion_detection"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"",
 "event.outcome": "success",
 "event.severity": "11",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "alarm-without-drop",
- "junipersrx.firewall.attack-name": "SYN flood!",
- "junipersrx.firewall.process": "RT_IDS",
- "junipersrx.firewall.tag": "RT_SCREEN_TCP_SRC_IP",
+ "juniper.srx.action": "alarm-without-drop",
+ "juniper.srx.attack_name": "SYN flood!",
+ "juniper.srx.process": "RT_IDS",
+ "juniper.srx.tag": "RT_SCREEN_TCP_SRC_IP",
 "log.level": "error",
 "log.offset": 2503,
 "observer.ingress.interface.name": "ge-0/0/1.0",
@@ -517,7 +517,7 @@
 "observer.product": "SRX",
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 56041,
 "source.as.organization.name": "China Mobile communications corporation",
 "source.geo.city_name": "Wenzhou",
@@ -529,7 +529,7 @@
 "source.geo.region_name": "Zhejiang",
 "source.ip": "111.1.1.3",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -543,24 +543,24 @@
 "network",
 "intrusion_detection"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
 "event.severity": "11",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "drop",
- "junipersrx.firewall.attack-name": "TCP port scan!",
- "junipersrx.firewall.process": "RT_IDS",
- "junipersrx.firewall.tag": "RT_SCREEN_TCP",
+ "juniper.srx.action": "drop",
+ "juniper.srx.attack_name": "TCP port scan!",
+ "juniper.srx.process": "RT_IDS",
+ "juniper.srx.tag": "RT_SCREEN_TCP",
 "log.level": "error",
 "log.offset": 2737,
 "observer.ingress.interface.name": "ge-0/0/1.0",
@@ -571,11 +571,11 @@
 "observer.vendor": "Juniper",
 "server.ip": "10.1.1.1",
 "server.port": 10778,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.ip": "10.1.1.100",
 "source.port": 50630,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -589,24 +589,24 @@
 "network",
 "intrusion_detection"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"",
 "event.outcome": "success",
 "event.severity": "11",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "drop",
- "junipersrx.firewall.attack-name": "FIN but no ACK bit!",
- "junipersrx.firewall.process": "RT_IDS",
- "junipersrx.firewall.tag": "RT_SCREEN_TCP",
+ "juniper.srx.action": "drop",
+ "juniper.srx.attack_name": "FIN but no ACK bit!",
+ "juniper.srx.process": "RT_IDS",
+ "juniper.srx.tag": "RT_SCREEN_TCP",
 "log.level": "error",
 "log.offset": 3028,
 "observer.ingress.interface.name": "ge-0/0/1.0",
@@ -617,11 +617,11 @@
 "observer.vendor": "Juniper",
 "server.ip": "10.1.1.1",
 "server.port": 7,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.ip": "10.1.1.100",
 "source.port": 42799,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json
index 11d39634a08b..dfb6b97ea124 100644
--- a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json
@@ -10,31 +10,31 @@
 "network",
 "malware"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"",
 "event.outcome": "success",
 "event.severity": "14",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "BLOCK",
- "junipersrx.firewall.action-detail": "DROP",
- "junipersrx.firewall.category": "secintel",
- "junipersrx.firewall.feed-name": "Tor_Exit_Nodes",
- "junipersrx.firewall.policy-name": "cc_policy",
- "junipersrx.firewall.process": "RT_SECINTEL",
- "junipersrx.firewall.profile-name": "Blacklist",
- "junipersrx.firewall.session-id-32": "572564",
- "junipersrx.firewall.sub-category": "Blacklist",
- "junipersrx.firewall.tag": "SECINTEL_ACTION_LOG",
- "junipersrx.firewall.threat-severity": "0",
+ "juniper.srx.action": "BLOCK",
+ "juniper.srx.action_detail": "DROP",
+ "juniper.srx.category": "secintel",
+ "juniper.srx.feed_name": "Tor_Exit_Nodes",
+ "juniper.srx.policy_name": "cc_policy",
+ "juniper.srx.process": "RT_SECINTEL",
+ "juniper.srx.profile_name": "Blacklist",
+ "juniper.srx.session_id_32": "572564",
+ "juniper.srx.sub_category": "Blacklist",
+ "juniper.srx.tag": "SECINTEL_ACTION_LOG",
+ "juniper.srx.threat_severity": "0",
 "log.level": "informational",
 "log.offset": 0,
 "network.iana_number": "1",
@@ -46,7 +46,7 @@
 "observer.vendor": "Juniper",
 "server.ip": "10.10.0.10",
 "server.port": 24039,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 16276,
 "source.as.organization.name": "OVH SAS",
 "source.geo.continent_name": "Europe",
@@ -56,7 +56,7 @@
 "source.ip": "5.196.121.161",
 "source.port": 1,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -70,33 +70,33 @@
 "network",
 "malware"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"",
 "event.outcome": "success",
 "event.severity": "14",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "BLOCK",
- "junipersrx.firewall.action-detail": "CLOSE REDIRECT MSG",
- "junipersrx.firewall.application": "HTTP",
- "junipersrx.firewall.category": "secintel",
- "junipersrx.firewall.feed-name": "cc_url_data",
- "junipersrx.firewall.occur-count": "0",
- "junipersrx.firewall.policy-name": "test",
- "junipersrx.firewall.process": "RT_SECINTEL",
- "junipersrx.firewall.profile-name": "test-profile",
- "junipersrx.firewall.session-id-32": "502362",
- "junipersrx.firewall.sub-category": "CC",
- "junipersrx.firewall.tag": "SECINTEL_ACTION_LOG",
- "junipersrx.firewall.threat-severity": "10",
+ "juniper.srx.action": "BLOCK",
+ "juniper.srx.action_detail": "CLOSE REDIRECT MSG",
+ "juniper.srx.application": "HTTP",
+ "juniper.srx.category": "secintel",
+ "juniper.srx.feed_name": "cc_url_data",
+ "juniper.srx.occur_count": "0",
+ "juniper.srx.policy_name": "test",
+ "juniper.srx.process": "RT_SECINTEL",
+ "juniper.srx.profile_name": "test-profile",
+ "juniper.srx.session_id_32": "502362",
+ "juniper.srx.sub_category": "CC",
+ "juniper.srx.tag": "SECINTEL_ACTION_LOG",
+ "juniper.srx.threat_severity": "10",
 "log.level": "informational",
 "log.offset": 561,
 "network.iana_number": "6",
@@ -108,7 +108,7 @@
 "observer.vendor": "Juniper",
 "server.ip": "10.0.0.1",
 "server.port": 80,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 13335,
 "source.as.organization.name": "Cloudflare, Inc.",
 "source.geo.continent_name": "Oceania",
@@ -118,7 +118,7 @@
 "source.ip": "1.1.1.1",
 "source.port": 36612,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ],
 "url.domain": "dummy_host"
 }
diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json
index a1419a76b423..f35daf280201 100644
--- a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json
@@ -16,25 +16,25 @@
 "network",
 "malware"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"",
 "event.outcome": "success",
 "event.severity": "12",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.category": "cat1",
- "junipersrx.firewall.process": "RT_UTM",
- "junipersrx.firewall.profile": "uf1",
- "junipersrx.firewall.reason": "BY_BLACK_LIST",
- "junipersrx.firewall.tag": "WEBFILTER_URL_BLOCKED",
+ "juniper.srx.category": "cat1",
+ "juniper.srx.process": "RT_UTM",
+ "juniper.srx.profile": "uf1",
+ "juniper.srx.reason": "BY_BLACK_LIST",
+ "juniper.srx.tag": "WEBFILTER_URL_BLOCKED",
 "log.level": "warning",
 "log.offset": 0,
 "observer.name": "utm-srx550-b",
@@ -43,12 +43,12 @@
 "observer.vendor": "Juniper",
 "server.ip": "103.235.46.39",
 "server.port": 80,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.ip": "192.168.1.100",
 "source.port": 58071,
 "source.user.name": "user01",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ],
 "url.domain": "www.baidu.com",
 "url.path": "/"
@@ -68,9 +68,9 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"",
 "event.outcome": "success",
 "event.severity": "12",
@@ -79,12 +79,12 @@
 "allowed",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.process": "RT_UTM",
- "junipersrx.firewall.profile": "wf-profile",
- "junipersrx.firewall.reason": "BY_OTHER",
- "junipersrx.firewall.tag": "WEBFILTER_URL_PERMITTED",
+ "juniper.srx.process": "RT_UTM",
+ "juniper.srx.profile": "wf-profile",
+ "juniper.srx.reason": "BY_OTHER",
+ "juniper.srx.tag": "WEBFILTER_URL_PERMITTED",
 "log.level": "warning",
 "log.offset": 319,
 "observer.name": "utm-srx550-b",
@@ -93,12 +93,12 @@
 "observer.vendor": "Juniper",
 "server.ip": "216.200.241.66",
 "server.port": 80,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.ip": "10.10.10.50",
 "source.port": 1402,
 "source.user.name": "user02",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ],
 "url.domain": "www.checkpoint.com",
 "url.path": "/css/homepage2012.css"
@@ -114,25 +114,25 @@
 "network",
 "malware"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"",
 "event.outcome": "success",
 "event.severity": "12",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
 "file.name": "www.eicar.org/download/eicar.com",
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.name": "EICAR-Test-File",
- "junipersrx.firewall.process": "RT_UTM",
- "junipersrx.firewall.tag": "AV_VIRUS_DETECTED_MT",
- "junipersrx.firewall.temporary-filename": "www.eicar.org/download/eicar.com",
+ "juniper.srx.name": "EICAR-Test-File",
+ "juniper.srx.process": "RT_UTM",
+ "juniper.srx.tag": "AV_VIRUS_DETECTED_MT",
+ "juniper.srx.temporary_filename": "www.eicar.org/download/eicar.com",
 "log.level": "warning",
 "log.offset": 664,
 "observer.ingress.zone": "untrust",
@@ -142,7 +142,7 @@
 "observer.vendor": "Juniper",
 "server.ip": "10.1.1.103",
 "server.port": 47095,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 24940,
 "source.as.organization.name": "Hetzner Online GmbH",
 "source.geo.continent_name": "Europe",
@@ -152,7 +152,7 @@
 "source.ip": "188.40.238.250",
 "source.port": 80,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ],
 "url.domain": "EICAR-Test-File"
 },
@@ -165,9 +165,9 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"",
 "event.outcome": "success",
 "event.severity": "12",
@@ -177,12 +177,12 @@
 "connection"
 ],
 "file.name": "www.google.com/",
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.error-code": "14",
- "junipersrx.firewall.error-message": "scan engine is not ready",
- "junipersrx.firewall.process": "RT_UTM",
- "junipersrx.firewall.tag": "AV_SCANNER_DROP_FILE_MT",
+ "juniper.srx.error_code": "14",
+ "juniper.srx.error_message": "scan engine is not ready",
+ "juniper.srx.process": "RT_UTM",
+ "juniper.srx.tag": "AV_SCANNER_DROP_FILE_MT",
 "log.level": "warning",
 "log.offset": 1035,
 "observer.name": "SRX650-1",
@@ -191,7 +191,7 @@
 "observer.vendor": "Juniper",
 "server.ip": "10.1.1.103",
 "server.port": 33578,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.as.number": 15169,
 "source.as.organization.name": "Google LLC",
 "source.geo.continent_name": "North America",
@@ -201,7 +201,7 @@
 "source.ip": "74.125.155.147",
 "source.port": 80,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -213,9 +213,9 @@
 "event.category": [
 "network"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "event",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"",
 "event.outcome": "success",
 "event.severity": "12",
@@ -225,10 +225,10 @@
 "connection"
 ],
 "file.name": "10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz",
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.process": "RT_UTM",
- "junipersrx.firewall.tag": "AV_HUGE_FILE_DROPPED_MT",
+ "juniper.srx.process": "RT_UTM",
+ "juniper.srx.tag": "AV_HUGE_FILE_DROPPED_MT",
 "log.level": "warning",
 "log.offset": 1323,
 "observer.name": "SRX650-1",
@@ -237,11 +237,11 @@
 "observer.vendor": "Juniper",
 "server.ip": "10.1.1.103",
 "server.port": 51727,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.ip": "10.2.1.101",
 "source.port": 80,
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -252,25 +252,25 @@
 "network",
 "malware"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"",
 "event.outcome": "success",
 "event.severity": "14",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "drop",
- "junipersrx.firewall.process": "RT_UTM",
- "junipersrx.firewall.profile-name": "antispam01",
- "junipersrx.firewall.reason": "Match local blacklist",
- "junipersrx.firewall.tag": "ANTISPAM_SPAM_DETECTED_MT",
+ "juniper.srx.action": "drop",
+ "juniper.srx.process": "RT_UTM",
+ "juniper.srx.profile_name": "antispam01",
+ "juniper.srx.reason": "Match local blacklist",
+ "juniper.srx.tag": "ANTISPAM_SPAM_DETECTED_MT",
 "log.level": "informational",
 "log.offset": 1595,
 "observer.egress.zone": "untrust",
@@ -279,11 +279,11 @@
 "observer.product": "SRX",
 "observer.type": "firewall",
 "observer.vendor": "Juniper",
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.ip": "10.10.10.1",
 "source.user.name": "user01",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -297,26 +297,26 @@
 "network",
 "malware"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"",
 "event.outcome": "success",
 "event.severity": "14",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
 "file.name": "test.cmd",
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.action": "drop",
- "junipersrx.firewall.process": "RT_UTM",
- "junipersrx.firewall.profile-name": "content02",
- "junipersrx.firewall.reason": "blocked due to file extension block list",
- "junipersrx.firewall.tag": "CONTENT_FILTERING_BLOCKED_MT",
+ "juniper.srx.action": "drop",
+ "juniper.srx.process": "RT_UTM",
+ "juniper.srx.profile_name": "content02",
+ "juniper.srx.reason": "blocked due to file extension block list",
+ "juniper.srx.tag": "CONTENT_FILTERING_BLOCKED_MT",
 "log.level": "informational",
 "log.offset": 1892,
 "network.protocol": "http",
@@ -328,12 +328,12 @@
 "observer.vendor": "Juniper",
 "server.ip": "198.51.100.2",
 "server.port": 80,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.ip": "192.0.2.3",
 "source.port": 58071,
 "source.user.name": "user01@testuser.com",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ]
 },
 {
@@ -353,25 +353,25 @@
 "network",
 "malware"
 ],
- "event.dataset": "junipersrx.firewall",
+ "event.dataset": "juniper.srx",
 "event.kind": "alert",
- "event.module": "junipersrx",
+ "event.module": "juniper",
 "event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"",
 "event.outcome": "success",
 "event.severity": "12",
 "event.timezone": "-02:00",
 "event.type": [
 "info",
- "diened",
+ "denied",
 "connection"
 ],
- "fileset.name": "firewall",
+ "fileset.name": "srx",
 "input.type": "log",
- "junipersrx.firewall.category": "cat1",
- "junipersrx.firewall.process": "RT_UTM",
- "junipersrx.firewall.profile": "uf1",
- "junipersrx.firewall.reason": "BY_BLACK_LIST",
- "junipersrx.firewall.tag": "WEBFILTER_URL_BLOCKED_LS",
+ "juniper.srx.category": "cat1",
+ "juniper.srx.process": "RT_UTM",
+ "juniper.srx.profile": "uf1",
+ "juniper.srx.reason": "BY_BLACK_LIST",
+ "juniper.srx.tag": "WEBFILTER_URL_BLOCKED_LS",
 "log.level": "warning",
 "log.offset": 2317,
 "observer.name": "utm-srx550-b",
@@ -380,12 +380,12 @@
 "observer.vendor": "Juniper",
 "server.ip": "103.235.46.39",
 "server.port": 80,
- "service.type": "junipersrx",
+ "service.type": "juniper",
 "source.ip": "192.168.1.100",
 "source.port": 58071,
 "source.user.name": "user01",
 "tags": [
- "junipersrx-firewall forwarded"
+ "juniper-srx forwarded"
 ],
 "url.domain": "www.baidu.com",
 "url.path": "/"
@@ -401,25 +401,25 @@ "network", "malware" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", "event.outcome": "success", "event.severity": "12", "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], "file.name": "www.eicar.org/download/eicar.com", - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.name": "EICAR-Test-File", - "junipersrx.firewall.process": "RT_UTM", - "junipersrx.firewall.tag": "AV_VIRUS_DETECTED_MT_LS", - "junipersrx.firewall.temporary-filename": "www.eicar.org/download/eicar.com", + "juniper.srx.name": "EICAR-Test-File", + "juniper.srx.process": "RT_UTM", + "juniper.srx.tag": "AV_VIRUS_DETECTED_MT_LS", + "juniper.srx.temporary_filename": "www.eicar.org/download/eicar.com", "log.level": "warning", "log.offset": 2639, "observer.ingress.zone": "untrust", @@ -429,7 +429,7 @@ "observer.vendor": "Juniper", "server.ip": "10.1.1.103", "server.port": 47095, - "service.type": "junipersrx", + "service.type": "juniper", "source.as.number": 24940, "source.as.organization.name": "Hetzner Online GmbH", "source.geo.continent_name": "Europe", @@ -439,7 +439,7 @@ "source.ip": "188.40.238.250", "source.port": 80, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ], "url.domain": "EICAR-Test-File" }, 
@@ -458,9 +458,9 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"", "event.outcome": "success", "event.risk_score": "0", @@ -470,14 +470,14 @@ "allowed", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.category": "Enhanced_Information_Technology", - "junipersrx.firewall.process": "RT_UTM", - "junipersrx.firewall.profile": "WCF1", - "junipersrx.firewall.reason": "BY_SITE_REPUTATION_MODERATELY_SAFE", - "junipersrx.firewall.session-id": "16297", - "junipersrx.firewall.tag": "WEBFILTER_URL_PERMITTED", + "juniper.srx.category": "Enhanced_Information_Technology", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "WCF1", + "juniper.srx.reason": "BY_SITE_REPUTATION_MODERATELY_SAFE", + "juniper.srx.session_id": "16297", + "juniper.srx.tag": "WEBFILTER_URL_PERMITTED", "log.level": "informational", "log.offset": 3013, "observer.egress.zone": "untrust", @@ -488,11 +488,11 @@ "observer.vendor": "Juniper", "server.ip": "104.26.15.142", "server.port": 443, - "service.type": "junipersrx", + "service.type": "juniper", "source.ip": "10.1.1.100", "source.port": 58974, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ], "url.domain": "datawrapper.dwcdn.net", "url.path": "/" 
@@ -514,9 +514,9 @@ "network", "malware" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "alert", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"", "event.outcome": "success", "event.risk_score": "3", @@ -524,17 +524,17 @@ "event.timezone": "-02:00", "event.type": [ "info", - "diened", + "denied", "connection" ], - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.category": "Enhanced_Advertisements", - "junipersrx.firewall.process": "RT_UTM", - "junipersrx.firewall.profile": "WCF1", - "junipersrx.firewall.reason": "BY_SITE_REPUTATION_SUSPICIOUS", - "junipersrx.firewall.session-id": "16490", - "junipersrx.firewall.tag": "WEBFILTER_URL_BLOCKED", + "juniper.srx.category": "Enhanced_Advertisements", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile": "WCF1", + "juniper.srx.reason": "BY_SITE_REPUTATION_SUSPICIOUS", + "juniper.srx.session_id": "16490", + "juniper.srx.tag": "WEBFILTER_URL_BLOCKED", "log.level": "warning", "log.offset": 3552, "observer.egress.zone": "untrust", @@ -545,11 +545,11 @@ "observer.vendor": "Juniper", "server.ip": "85.114.159.93", "server.port": 443, - "service.type": "junipersrx", + "service.type": "juniper", "source.ip": "10.1.1.100", "source.port": 59075, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ], "url.domain": "dsp.adfarm1.adition.com", "url.path": "/" 
@@ -563,9 +563,9 @@ "event.category": [ "network" ], - "event.dataset": "junipersrx.firewall", + "event.dataset": "juniper.srx", "event.kind": "event", - "event.module": "junipersrx", + "event.module": "juniper", "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"", "event.outcome": "success", "event.severity": "12", @@ -575,14 +575,14 @@ "connection" ], "file.name": "download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar", - "fileset.name": "firewall", + "fileset.name": "srx", "input.type": "log", - "junipersrx.firewall.action": "BLOCKED", - "junipersrx.firewall.error-code": "7", - "junipersrx.firewall.process": "RT_UTM", - "junipersrx.firewall.profile-name": "Custom-Sophos-Profile", - "junipersrx.firewall.reason": "exceeding maximum content size", - "junipersrx.firewall.tag": "AV_FILE_NOT_SCANNED_DROPPED_MT", + "juniper.srx.action": "BLOCKED", + "juniper.srx.error_code": "7", + "juniper.srx.process": "RT_UTM", + "juniper.srx.profile_name": "Custom-Sophos-Profile", + "juniper.srx.reason": "exceeding maximum content size", + "juniper.srx.tag": "AV_FILE_NOT_SCANNED_DROPPED_MT", "log.level": "warning", "log.offset": 4078, "observer.egress.zone": "untrust", @@ -593,7 +593,7 @@ "observer.vendor": "Juniper", "server.ip": "10.1.1.100", "server.port": 58954, - "service.type": "junipersrx", + "service.type": "juniper", "source.as.number": 16625, "source.as.organization.name": "Akamai Technologies, Inc.", "source.geo.continent_name": "Europe", 
@@ -603,7 +603,7 @@ "source.ip": "23.209.86.45", "source.port": 80, "tags": [ - "junipersrx-firewall forwarded" + "juniper-srx forwarded" ] } ] \ No newline at end of file From cbc0d5b889b258d9ceff1e2d0ea363c6c52c5e36 Mon Sep 17 00:00:00 2001 From: P1llus Date: Thu, 20 Aug 2020 09:17:49 +0200 Subject: [PATCH 04/14] updating a comment in pipeline.yml --- x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml index a75d81a02353..2989ba7478f2 100644 --- a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml @@ -17,7 +17,7 @@ processors: ignore_failure: false trim_value: "\"" -# Removes all empty fields +# Converts all kebab-case key names to snake_case - script: lang: painless source: >- From a3f859b52d4d6472b95b8d68b5e23da9aed0cd34 Mon Sep 17 00:00:00 2001 From: P1llus Date: Tue, 22 Sep 2020 07:49:56 +0200 Subject: [PATCH 05/14] updating filebeat.reference.yml --- x-pack/filebeat/filebeat.reference.yml | 4 +--- x-pack/filebeat/module/juniper/_meta/config.yml | 4 +--- x-pack/filebeat/modules.d/juniper.yml.disabled | 4 +--- 3 files changed, 3 insertions(+), 9 deletions(-) diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index eaba83c9dca8..cc994b45caca 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1030,7 +1030,6 @@ filebeat.modules: # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local -<<<<<<< HEAD netscreen: enabled: true @@ -1050,7 +1049,7 @@ filebeat.modules: # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local -======= + srx: enabled: true 
@@ -1063,7 +1062,6 @@ filebeat.modules: # The port to listen for syslog traffic. Defaults to 9006. #var.syslog_port: 9006 ->>>>>>> stashing changes for later #-------------------------------- Kafka Module -------------------------------- - module: kafka diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml index 2f121a65642a..7f9926567886 100644 --- a/x-pack/filebeat/module/juniper/_meta/config.yml +++ b/x-pack/filebeat/module/juniper/_meta/config.yml @@ -17,7 +17,6 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local -<<<<<<< HEAD netscreen: enabled: true @@ -37,7 +36,7 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local -======= + srx: enabled: true @@ -50,4 +49,3 @@ # The port to listen for syslog traffic. Defaults to 9006. #var.syslog_port: 9006 ->>>>>>> stashing changes for later diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled index 846a28fad633..6ffe87834a43 100644 --- a/x-pack/filebeat/modules.d/juniper.yml.disabled +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled @@ -20,7 +20,6 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local -<<<<<<< HEAD netscreen: enabled: true @@ -40,7 +39,7 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local -======= + srx: enabled: true @@ -53,4 +52,3 @@ # The port to listen for syslog traffic. Defaults to 9006. #var.syslog_port: 9006 ->>>>>>> stashing changes for later From 5902c5e700eafcb79fa450ce4c1922df6771595b Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 24 Sep 2020 11:40:41 +0200 Subject: [PATCH 06/14] Small fix for docs --- filebeat/docs/modules/juniper.asciidoc | 1 + x-pack/filebeat/module/juniper/_meta/docs.asciidoc | 1 + 2 files changed, 2 insertions(+) 
diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc index 7b06af301feb..a2d2a0100d34 100644 --- a/filebeat/docs/modules/juniper.asciidoc +++ b/filebeat/docs/modules/juniper.asciidoc @@ -14,6 +14,7 @@ This is a module for ingesting data from the different Juniper Products. Current - `srx` fileset: Supports Juniper SRX logs - `junos` fileset: Supports Juniper JUNOS logs +- `netscreen` fileset: Supports Juniper Netscreen logs include::../include/gs-link.asciidoc[] diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc index a0e63c5fd9f4..3e145ea81c90 100644 --- a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc @@ -9,6 +9,7 @@ This is a module for ingesting data from the different Juniper Products. Current - `srx` fileset: Supports Juniper SRX logs - `junos` fileset: Supports Juniper JUNOS logs +- `netscreen` fileset: Supports Juniper Netscreen logs include::../include/gs-link.asciidoc[] From 327f3f486ab2e33873bddd2b5186dc4c0c6731f9 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 24 Sep 2020 13:06:36 +0200 Subject: [PATCH 07/14] Fix parsing of juniper.srx.timestamp --- x-pack/filebeat/module/juniper/srx/ingest/atp.yml | 14 ++++++++++++++ .../module/juniper/srx/test/atp.log-expected.json | 4 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/x-pack/filebeat/module/juniper/srx/ingest/atp.yml b/x-pack/filebeat/module/juniper/srx/ingest/atp.yml index 3a0ad4e63bc1..b93e8da9f981 100644 --- a/x-pack/filebeat/module/juniper/srx/ingest/atp.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/atp.yml 
@@ -327,6 +327,20 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true +############### +## Timestamp ## +############### +- date: + if: 'ctx.juniper.srx?.timestamp != null' + field: juniper.srx.timestamp + target_field: juniper.srx.timestamp + formats: + - 'EEE MMM dd HH:mm:ss yyyy' + - 'EEE MMM d HH:mm:ss yyyy' + on_failure: + - remove: + field: + - juniper.srx.timestamp ############# ## Cleanup ## diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json index fd46e00e6956..efac461a7c0d 100644 --- a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json @@ -87,7 +87,7 @@ "juniper.srx.sample_sha256": "ABC123", "juniper.srx.tag": "AAMW_MALWARE_EVENT_LOG", "juniper.srx.tenant_id": "ABC123456", - "juniper.srx.timestamp": "Thu Jun 23 09:55:38 2016", + "juniper.srx.timestamp": "2016-06-23T09:55:38.000Z", "juniper.srx.verdict_number": "9", "log.level": "informational", "log.offset": 529, @@ -131,7 +131,7 @@ "juniper.srx.tag": "AAMW_HOST_INFECTED_EVENT_LOG", "juniper.srx.tenant_id": "ABC123456", "juniper.srx.th": "7", - "juniper.srx.timestamp": "Thu Jun 23 09:55:38 2016", + "juniper.srx.timestamp": "2016-06-23T09:55:38.000Z", "log.level": "error", "log.offset": 835, "observer.name": "host-example", From 5aa0753b68d875195caa0014e4b7933f46c39615 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 24 Sep 2020 13:07:34 +0200 Subject: [PATCH 08/14] Fix bad samples --- .../filebeat/module/juniper/srx/test/idp.log | 4 ++-- .../juniper/srx/test/idp.log-expected.json | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log b/x-pack/filebeat/module/juniper/srx/test/idp.log index 513cc77cc4c7..c05d9732fb5d 100644 --- a/x-pack/filebeat/module/juniper/srx/test/idp.log 
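Review bot: The `if` guard on the added `date` processor null-checks only the last hop: `ctx.juniper.srx?.timestamp` still dereferences `ctx.juniper` directly, so a document arriving without a `juniper` object makes the condition throw instead of skipping the processor; `if: 'ctx.juniper?.srx?.timestamp != null'` covers both levels. The `on_failure` branch then removes `juniper.srx.timestamp` without recording anything, so an ATP event whose time string matches neither format silently loses the vendor timestamp. I would keep the raw value and add an `append` to `error.message` there, so parse failures stay visible during triage. No `timezone` is set, so the zone-less string is read as UTC, as the new expected value `2016-06-23T09:55:38.000Z` shows. If the device reports local time, `timezone: '{{ event.timezone }}'` would be needed; this depends on how `event.timezone` is populated earlier in the pipeline, which is outside the hunk. The processor list continues past the hunk into the Cleanup section.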
+++ b/x-pack/filebeat/module/juniper/srx/test/idp.log 
@@ -3,5 +3,5 @@ <165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.111.1" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.19.13.11" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] <165>1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.30.11" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.16.1.10" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] <165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319367986" 
ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"] -<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="rethO.O" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="O" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="O" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] -<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.O" source-address="193.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="rethO.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="O" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="O" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] +<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319419711" ddos-application-name="Webserver" source-zone-name="trust" 
source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] +<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="193.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"] diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json index c8f83bb56cc9..d3748888ec42 100644 --- a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json 
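Review bot: The corrected IDP_APPDDOS_APP_ATTACK_EVENT sample still has one letter-O typo: the added line keeps `source-interface-name="reth1.O"`, although its destination interface, `repeat-count` and `context-value-hit-rate` were changed to digits. The same value survives in `idp.log-expected.json` for this event (`event.original` and `"observer.ingress.interface.name": "reth1.O"`), so the golden file now pins the bad sample. Changing it to `source-interface-name="reth1.0"` and regenerating the expected output would make the fixture consistent with the `reth3.0` fix in the following sample. The key `ruleebase-name` is also left unchanged in both samples. Whether that spelling is what the device really emits cannot be told from the diff, and it is worth confirming because it determines the `juniper.srx.ruleebase_name` field name.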
@@ -380,7 +380,7 @@ "event.dataset": "juniper.srx", "event.kind": "alert", "event.module": "juniper", - "event.original": "epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"rethO.O\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"O\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"O\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "event.original": "epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", "event.outcome": "success", "event.severity": "165", "event.timezone": "-02:00", 
@@ -395,12 +395,12 @@ "juniper.srx.connection_hit_rate": "30", "juniper.srx.context_hit_rate": "123", "juniper.srx.context_name": "http-get-url", - "juniper.srx.context_value_hit_rate": "O", + "juniper.srx.context_value_hit_rate": "0", "juniper.srx.ddos_application_name": "Webserver", "juniper.srx.epoch_time": "1319419711", "juniper.srx.policy_name": "AppDoS-Webserver", "juniper.srx.process": "RT_IDP", - "juniper.srx.repeat_count": "O", + "juniper.srx.repeat_count": "0", "juniper.srx.ruleebase_name": "DDOS", "juniper.srx.service_name": "HTTP", "juniper.srx.tag": "IDP_APPDDOS_APP_ATTACK_EVENT", @@ -411,7 +411,7 @@ "log.level": "notification", "log.offset": 4165, "network.protocol": "TCP", - "observer.egress.interface.name": "rethO.O", + "observer.egress.interface.name": "reth0.0", "observer.egress.zone": "untrust", "observer.ingress.interface.name": "reth1.O", "observer.ingress.zone": "trust", 
@@ -443,7 +443,7 @@ "event.dataset": "juniper.srx", "event.kind": "alert", "event.module": "juniper", - "event.original": "epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.O\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"rethO.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"O\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"O\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "event.original": "epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", "event.outcome": "success", "event.severity": "165", "event.timezone": "-02:00", 
@@ -458,12 +458,12 @@ "juniper.srx.connection_hit_rate": "30", "juniper.srx.context_hit_rate": "123", "juniper.srx.context_name": "http-get-url", - "juniper.srx.context_value_hit_rate": "O", + "juniper.srx.context_value_hit_rate": "0", "juniper.srx.ddos_application_name": "Webserver", "juniper.srx.epoch_time": "1419419711", "juniper.srx.policy_name": "AppDoS-Webserver", "juniper.srx.process": "RT_IDP", - "juniper.srx.repeat_count": "O", + "juniper.srx.repeat_count": "0", "juniper.srx.ruleebase_name": "DDOS02", "juniper.srx.service_name": "HTTP", "juniper.srx.tag": "IDP_APPDDOS_APP_ATTACK_EVENT_LS", @@ -474,9 +474,9 @@ "log.level": "notification", "log.offset": 4895, "network.protocol": "TCP", - "observer.egress.interface.name": "rethO.1", + "observer.egress.interface.name": "reth0.1", "observer.egress.zone": "untrust", - "observer.ingress.interface.name": "reth3.O", + "observer.ingress.interface.name": "reth3.0", "observer.ingress.zone": "trust", "observer.name": "SRX34001", "observer.product": "SRX", From b5c3b1bb7c4237c10ebb95fb64eed2215fa62661 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 24 Sep 2020 13:13:20 +0200 Subject: [PATCH 09/14] Remove some fields to make the index-pattern smaller --- filebeat/docs/fields.asciidoc | 230 ------------------ x-pack/filebeat/module/juniper/fields.go | 2 +- .../module/juniper/srx/_meta/fields.yml | 110 --------- 3 files changed, 1 insertion(+), 341 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 9593f39f8d02..9b951858ee28 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -88097,46 +88097,6 @@ type: keyword -- -*`juniper.srx.source_address`*:: -+ --- -source address - - -type: ip - --- - -*`juniper.srx.source_port`*:: -+ --- -source port - - -type: integer - --- - -*`juniper.srx.destination_address`*:: -+ --- -destination address - - -type: ip - --- - -*`juniper.srx.destination_port`*:: -+ --- -destination port - - -type: integer - --- - *`juniper.srx.connection_tag`*:: + -- @@ -88157,46 +88117,6 @@ type: keyword -- -*`juniper.srx.nat_source_address`*:: -+ --- -nat source address - - -type: ip - --- - -*`juniper.srx.nat_source_port`*:: -+ --- -nat source port - - -type: integer - --- - -*`juniper.srx.nat_destination_address`*:: -+ --- -nat destination address - - -type: ip - --- - -*`juniper.srx.nat_destination_port`*:: -+ --- -nat destination port - - -type: integer - --- - *`juniper.srx.nat_connection_tag`*:: + -- @@ -88263,46 +88183,6 @@ type: keyword policy name -type: keyword - --- - -*`juniper.srx.source_zone_name`*:: -+ --- -source zone name - - -type: keyword - --- - -*`juniper.srx.source_zone`*:: -+ --- -source zone - - -type: keyword - --- - -*`juniper.srx.destination_zone_name`*:: -+ --- -destination zone name - - -type: keyword - --- - -*`juniper.srx.destination_zone`*:: -+ --- -destination zone - - type: keyword -- @@ -88327,32 +88207,12 @@ type: keyword -- -*`juniper.srx.packets_from_client`*:: -+ --- -packets from client - - -type: integer - --- - *`juniper.srx.outbound_packets`*:: + -- packets from client -type: integer - --- - -*`juniper.srx.bytes_from_client`*:: -+ --- -bytes from client - - type: integer -- @@ -88363,16 +88223,6 @@ type: integer bytes from client -type: integer - --- - -*`juniper.srx.packets_from_server`*:: -+ --- -packets from server - - type: integer -- @@ -88383,16 +88233,6 @@ type: integer packets from server -type: integer - --- - -*`juniper.srx.bytes_from_server`*:: -+ --- -bytes from server - - type: integer -- 
@@ -88453,16 +88293,6 @@ type: keyword roles -type: keyword - --- - -*`juniper.srx.packet_incoming_interface`*:: -+ --- -packet incoming interface - - type: keyword -- @@ -88497,26 +88327,6 @@ type: keyword -- -*`juniper.srx.application_risk`*:: -+ --- -application risk - - -type: integer - --- - -*`juniper.srx.urlcategory_risk`*:: -+ --- -urlcategory risk - - -type: integer - --- - *`juniper.srx.application_characteristics`*:: + -- @@ -88663,16 +88473,6 @@ type: integer logical system name -type: keyword - --- - -*`juniper.srx.destination_interface_name`*:: -+ --- -destination interface name - - type: keyword -- @@ -88733,16 +88533,6 @@ type: integer url path -type: keyword - --- - -*`juniper.srx.url`*:: -+ --- -url domain - - type: keyword -- @@ -89063,16 +88853,6 @@ type: keyword ruleebase name -type: keyword - --- - -*`juniper.srx.interface_name`*:: -+ --- -interface name - - type: keyword -- @@ -89097,16 +88877,6 @@ type: integer -- -*`juniper.srx.http_host`*:: -+ --- -http host - - -type: keyword - --- - *`juniper.srx.file_category`*:: + -- diff --git a/x-pack/filebeat/module/juniper/fields.go b/x-pack/filebeat/module/juniper/fields.go index a430581f58c5..e22907d02447 100644 --- a/x-pack/filebeat/module/juniper/fields.go +++ b/x-pack/filebeat/module/juniper/fields.go @@ -19,5 +19,5 @@ func init() { // AssetJuniper returns asset data. // This is the base64 encoded gzipped contents of module/juniper. func AssetJuniper() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/juniper/srx/_meta/fields.yml b/x-pack/filebeat/module/juniper/srx/_meta/fields.yml index 28ee08472495..55ded3a11e6a 100644 --- a/x-pack/filebeat/module/juniper/srx/_meta/fields.yml +++ b/x-pack/filebeat/module/juniper/srx/_meta/fields.yml 
@@ -11,26 +11,6 @@ description: > reason - - name: source_address - type: ip - description: > - source address - - - name: source_port - type: integer - description: > - source port - - - name: destination_address - type: ip - description: > - destination address - - - name: destination_port - type: integer - description: > - destination port - - name: connection_tag type: keyword description: > @@ -41,26 +21,6 @@ description: > service name - - name: nat_source_address - type: ip - description: > - nat source address - - - name: nat_source_port - type: integer - description: > - nat source port - - - name: nat_destination_address - type: ip - description: > - nat destination address - - - name: nat_destination_port - type: integer - description: > - nat destination port - - name: nat_connection_tag type: keyword description: > @@ -96,26 +56,6 @@ description: > policy name - - name: source_zone_name - type: keyword - description: > - source zone name - - - name: source_zone - type: keyword - description: > - source zone - - - name: destination_zone_name - type: keyword - description: > - destination zone name - - - name: destination_zone - type: keyword - description: > - destination zone - - name: session_id_32 type: keyword description: > @@ -126,41 +66,21 @@ description: > session id - - name: packets_from_client - type: integer - description: > - packets from client - - name: outbound_packets type: integer description: > packets from client - - name: bytes_from_client - type: integer - description: > - bytes from client - - name: outbound_bytes type: integer description: > bytes from client - - name: packets_from_server - type: integer - description: > - packets from server - - name: inbound_packets type: integer description: > packets from server - - name: bytes_from_server - type: integer - description: > - bytes from server - - name: inbound_bytes type: integer description: 
> @@ -191,11 +111,6 @@ description: > roles - - name: packet_incoming_interface - type: keyword - description: > - packet incoming interface - - name: encrypted type: keyword description: > @@ -211,16 +126,6 @@ description: > application sub category - - name: application_risk - type: integer - description: > - application risk - - - name: urlcategory_risk - type: integer - description: > - urlcategory risk - - name: application_characteristics type: keyword description: > @@ -296,11 +201,6 @@ description: > logical system name - - name: destination_interface_name - type: keyword - description: > - destination interface name - - name: profile_name type: keyword description: > @@ -496,11 +396,6 @@ description: > ruleebase name - - name: interface_name - type: keyword - description: > - interface name - - name: verdict_source type: keyword description: > @@ -511,11 +406,6 @@ description: > verdict number - - name: http_host - type: keyword - description: > - http host - - name: file_category type: keyword description: > From e97a8ae99f13f3c729f98b2314800605ab45e82f Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 24 Sep 2020 17:10:51 +0200 Subject: [PATCH 10/14] Missing update --- filebeat/docs/fields.asciidoc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 9b951858ee28..a2f190000957 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -88533,6 +88533,16 @@ type: integer url path +type: keyword + +-- + +*`juniper.srx.url`*:: ++ +-- +url domain + + type: keyword -- From 136548b56025963a567ceb60860cb6b60c5c9f71 Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Fri, 2 Oct 2020 12:26:57 +0200 Subject: [PATCH 11/14] Fix var.tags and disable_host when forwarded --- .../test/generated.log-expected.json | 4 +- .../module/juniper/srx/config/srx.yml | 3 +- .../filebeat/module/juniper/srx/manifest.yml | 2 +- .../juniper/srx/test/atp.log-expected.json | 14 ++- .../juniper/srx/test/flow.log-expected.json | 107 ++++++++++++++---- .../juniper/srx/test/idp.log-expected.json | 21 ++-- .../juniper/srx/test/ids.log-expected.json | 50 ++++++-- .../srx/test/secintel.log-expected.json | 8 +- .../juniper/srx/test/utm.log-expected.json | 45 ++++++-- 9 files changed, 188 insertions(+), 66 deletions(-) diff --git a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json index fb4fca25df2a..da17c3a5f761 100644 --- a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json +++ b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json @@ -2399,8 +2399,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.119.181.171", - "10.166.144.66" + "10.166.144.66", + "10.119.181.171" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "dol", diff --git a/x-pack/filebeat/module/juniper/srx/config/srx.yml b/x-pack/filebeat/module/juniper/srx/config/srx.yml index 725ad622fa0c..6af16945317c 100644 --- a/x-pack/filebeat/module/juniper/srx/config/srx.yml +++ b/x-pack/filebeat/module/juniper/srx/config/srx.yml @@ -20,7 +20,8 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_locale: ~ diff --git a/x-pack/filebeat/module/juniper/srx/manifest.yml b/x-pack/filebeat/module/juniper/srx/manifest.yml index 6cfd34855f77..879be66b99d4 100644 --- a/x-pack/filebeat/module/juniper/srx/manifest.yml +++ b/x-pack/filebeat/module/juniper/srx/manifest.yml 
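Review bot: The added `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` line in srx.yml makes host attribution depend on a tag value, and nothing in the template says so. If an operator overrides `var.tags` without keeping `forwarded`, the setting renders false and, presumably, the collector's own host fields are then added to events that actually came from the SRX device, which would skew any detection or triage keyed on host fields. I would add a comment above the line, for example `# "forwarded" in var.tags keeps the collector's host.* fields off these events; keep the tag when logs are relayed from the firewall.` The same caveat belongs next to the `tags` default in manifest.yml. The template starts and ends outside this hunk, so whether the setting applies to every input branch cannot be confirmed from here.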
@@ -4,7 +4,7 @@ var: - name: syslog_host default: localhost - name: tags - default: [juniper-srx, forwarded] + default: ["juniper.srx", "forwarded"] - name: syslog_port default: 9006 - name: input diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json index efac461a7c0d..63329237a81f 100644 --- a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json @@ -8,6 +8,7 @@ "destination.geo.city_name": "Juazeiro do Norte", "destination.geo.continent_name": "South America", "destination.geo.country_iso_code": "BR", + "destination.geo.country_name": "Brazil", "destination.geo.location.lat": -7.1467, "destination.geo.location.lon": -39.247, "destination.geo.region_iso_code": "BR-CE", @@ -57,7 +58,8 @@ "source.port": 57116, "source.user.name": "user1", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ], "url.domain": "www.mytest.com" }, @@ -100,7 +102,8 @@ "source.ip": "192.0.2.0", "source.user.name": "admin", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -142,7 +145,8 @@ "source.domain": "host.example.com", "source.ip": "192.0.2.0", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -197,12 +201,14 @@ "source.domain": "dummy_host", "source.geo.continent_name": "Oceania", "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", "source.geo.location.lat": -33.494, "source.geo.location.lon": 143.2104, "source.ip": "1.1.1.1", "source.port": 60148, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json index f1be33b90e09..b597ed2afc52 100644 --- a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json 
+++ b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json @@ -59,7 +59,8 @@ "source.nat.port": 594, "source.port": 594, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -114,7 +115,8 @@ "source.ip": "10.0.0.26", "source.port": 37233, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -125,6 +127,7 @@ "destination.as.organization.name": "Telefonica Germany", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "5.6.7.8", @@ -171,6 +174,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -178,7 +182,8 @@ "source.ip": "1.2.3.4", "source.port": 56639, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -193,6 +198,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "5.6.7.8", @@ -255,6 +261,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -265,7 +272,8 @@ "source.packets": 1, "source.port": 63456, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { 
@@ -275,6 +283,7 @@ "client.port": 24065, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "30.0.0.100", @@ -326,6 +335,7 @@ "service.type": "juniper", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "50.0.0.100", @@ -333,7 +343,8 @@ "source.nat.port": 24065, "source.port": 24065, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -343,6 +354,7 @@ "client.port": 1, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "198.51.100.12", @@ -397,7 +409,8 @@ "source.nat.port": 1, "source.port": 1, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -410,6 +423,7 @@ "destination.bytes": 84, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "198.51.100.12", @@ -475,7 +489,8 @@ "source.packets": 1, "source.port": 1, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -490,6 +505,7 @@ "destination.bytes": 535, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.23.224.110", 
@@ -564,7 +580,8 @@ "source.packets": 6, "source.port": 47776, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -638,7 +655,8 @@ "source.packets": 13, "source.port": 53232, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -653,6 +671,7 @@ "destination.bytes": 136, "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IN", + "destination.geo.country_name": "India", "destination.geo.location.lat": 20.0, "destination.geo.location.lon": 77.0, "destination.ip": "58.68.126.198", @@ -719,6 +738,7 @@ "source.geo.city_name": "Seogwipo", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "KR", + "source.geo.country_name": "South Korea", "source.geo.location.lat": 33.2486, "source.geo.location.lon": 126.5628, "source.geo.region_iso_code": "KR-49", @@ -729,7 +749,8 @@ "source.packets": 1, "source.port": 52890, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -744,6 +765,7 @@ "destination.bytes": 116, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -811,7 +833,8 @@ "source.packets": 1, "source.port": 62047, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -888,7 +911,8 @@ "source.packets": 0, "source.port": 9057, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -900,6 +924,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "207.17.137.56", 
@@ -954,6 +979,7 @@ "source.geo.city_name": "Plymouth", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 42.3695, "source.geo.location.lon": -83.4769, "source.geo.region_iso_code": "US-MI", @@ -963,7 +989,8 @@ "source.nat.port": 14406, "source.port": 3129, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -978,6 +1005,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "207.17.137.56", @@ -1041,6 +1069,7 @@ "source.geo.city_name": "Plymouth", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 42.3695, "source.geo.location.lon": -83.4769, "source.geo.region_iso_code": "US-MI", @@ -1051,7 +1080,8 @@ "source.packets": 1, "source.port": 3129, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -1066,6 +1096,7 @@ "destination.bytes": 104, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "207.17.137.56", @@ -1131,6 +1162,7 @@ "source.geo.city_name": "Plymouth", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 42.3695, "source.geo.location.lon": -83.4769, "source.geo.region_iso_code": "US-MI", @@ -1141,7 +1173,8 @@ "source.packets": 3, "source.port": 3129, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { 
@@ -1156,6 +1189,7 @@ "destination.bytes": 686432, "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", "destination.geo.location.lat": 35.0, "destination.geo.location.lon": 38.0, "destination.ip": "5.0.0.1", @@ -1223,6 +1257,7 @@ "source.bytes": 19592, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "4.0.0.1", @@ -1232,7 +1267,8 @@ "source.port": 33040, "source.user.name": "user1", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -1244,6 +1280,7 @@ "destination.as.organization.name": "Syrian Telecom", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", "destination.geo.location.lat": 35.0, "destination.geo.location.lon": 38.0, "destination.ip": "5.0.0.1", @@ -1305,6 +1342,7 @@ "source.as.organization.name": "Level 3 Parent, LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "4.0.0.1", @@ -1313,7 +1351,8 @@ "source.port": 33040, "source.user.name": "user1", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -1328,6 +1367,7 @@ "destination.bytes": 646, "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", "destination.geo.location.lat": 35.0, "destination.geo.location.lon": 38.0, "destination.ip": "5.0.0.1", 
@@ -1394,6 +1434,7 @@ "source.bytes": 392, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "4.0.0.1", @@ -1403,7 +1444,8 @@ "source.port": 48873, "source.user.name": "user1", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -1413,6 +1455,7 @@ "client.port": 24065, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "30.0.0.100", @@ -1464,6 +1507,7 @@ "service.type": "juniper", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "50.0.0.100", @@ -1471,7 +1515,8 @@ "source.nat.port": 24065, "source.port": 24065, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -1526,7 +1571,8 @@ "source.ip": "10.0.0.26", "source.port": 37233, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -1541,6 +1587,7 @@ "destination.bytes": 646, "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "SY", + "destination.geo.country_name": "Syria", "destination.geo.location.lat": 35.0, "destination.geo.location.lon": 38.0, "destination.ip": "5.0.0.1", @@ -1607,6 +1654,7 @@ "source.bytes": 392, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "4.0.0.1", @@ -1616,7 +1664,8 @@ "source.port": 48873, "source.user.name": "user1", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { 
@@ -1632,6 +1681,7 @@ "destination.geo.city_name": "Philippsburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 49.2317, "destination.geo.location.lon": 8.4607, "destination.geo.region_iso_code": "DE-BW", @@ -1700,7 +1750,8 @@ "source.packets": 42, "source.port": 58943, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -1716,6 +1767,7 @@ "destination.geo.city_name": "Bratislava", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", "destination.geo.location.lat": 48.15, "destination.geo.location.lon": 17.1078, "destination.geo.region_iso_code": "SK-BL", @@ -1794,7 +1846,8 @@ "source.packets": 161, "source.port": 64720, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -1806,6 +1859,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1865,7 +1919,8 @@ "source.nat.port": 30838, "source.port": 49583, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -1880,6 +1935,7 @@ "destination.bytes": 82, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1950,7 +2006,8 @@ "source.packets": 1, "source.port": 63381, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json index d3748888ec42..71555cd8d9a7 100644 --- a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json @@ -77,7 +77,8 @@ "source.port": 12345, "source.user.name": "unknown-user", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -158,7 +159,8 @@ "source.port": 12345, "source.user.name": "unknown-user", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -236,7 +238,8 @@ "source.packets": 0, "source.port": 45610, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -314,7 +317,8 @@ "source.packets": 0, "source.port": 45610, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -363,7 +367,8 @@ "server.port": 80, "service.type": "juniper", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -426,7 +431,8 @@ "source.ip": "192.168.14.214", "source.port": 50825, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -489,7 +495,8 @@ "source.ip": "193.168.14.214", "source.port": 50825, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json index 82da837945a8..b5a317c3e8ea 100644 --- a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json 
@@ -7,6 +7,7 @@ "destination.as.organization.name": "Eli Lilly and Company", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "40.177.177.1", @@ -49,6 +50,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -56,7 +58,8 @@ "source.ip": "113.113.17.17", "source.port": 6000, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -102,7 +105,8 @@ "source.ip": "2000:0000:0000:0000:0000:0000:0000:0002", "source.port": 3240, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -113,6 +117,7 @@ "destination.as.organization.name": "Orange", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "2.2.2.2", @@ -155,12 +160,14 @@ "source.as.organization.name": "Cloudflare, Inc.", "source.geo.continent_name": "Oceania", "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", "source.geo.location.lat": -33.494, "source.geo.location.lon": 143.2104, "source.ip": "1.1.1.2", "source.port": 40001, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -170,6 +177,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", 
@@ -215,6 +223,7 @@ "source.geo.city_name": "Wenzhou", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 27.9983, "source.geo.location.lon": 120.6666, "source.geo.region_iso_code": "CN-ZJ", @@ -222,7 +231,8 @@ "source.ip": "111.1.1.3", "source.port": 40001, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -231,6 +241,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -274,13 +285,15 @@ "source.geo.city_name": "Wenzhou", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 27.9983, "source.geo.location.lon": 120.6666, "source.geo.region_iso_code": "CN-ZJ", "source.geo.region_name": "Zhejiang", "source.ip": "111.1.1.3", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -289,6 +302,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -332,13 +346,15 @@ "source.geo.city_name": "Wenzhou", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 27.9983, "source.geo.location.lon": 120.6666, "source.geo.region_iso_code": "CN-ZJ", "source.geo.region_name": "Zhejiang", "source.ip": "111.1.1.3", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { 
@@ -381,7 +397,8 @@ "service.type": "juniper", "source.ip": "1212::12", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -389,6 +406,7 @@ "client.ip": "12.12.12.1", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "11.11.11.1", @@ -430,11 +448,13 @@ "source.as.organization.name": "Alascom, Inc.", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "12.12.12.1", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -443,6 +463,7 @@ "destination.as.organization.name": "Orange", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "2.2.2.2", @@ -480,7 +501,8 @@ "server.ip": "2.2.2.2", "service.type": "juniper", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -523,13 +545,15 @@ "source.geo.city_name": "Wenzhou", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 27.9983, "source.geo.location.lon": 120.6666, "source.geo.region_iso_code": "CN-ZJ", "source.geo.region_name": "Zhejiang", "source.ip": "111.1.1.3", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -575,7 +599,8 @@ "source.ip": "10.1.1.100", "source.port": 50630, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { 
@@ -621,7 +646,8 @@ "source.ip": "10.1.1.100", "source.port": 42799, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json index dfb6b97ea124..54f827ece3c7 100644 --- a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json @@ -51,12 +51,14 @@ "source.as.organization.name": "OVH SAS", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": "5.196.121.161", "source.port": 1, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -113,12 +115,14 @@ "source.as.organization.name": "Cloudflare, Inc.", "source.geo.continent_name": "Oceania", "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", "source.geo.location.lat": -33.494, "source.geo.location.lon": 143.2104, "source.ip": "1.1.1.1", "source.port": 36612, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ], "url.domain": "dummy_host" } diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json index f35daf280201..3a19d2e1a99e 100644 --- a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json @@ -7,6 +7,7 @@ "destination.as.organization.name": "Beijing Baidu Netcom Science and Technology Co., Ltd.", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "HK", + "destination.geo.country_name": "Hong Kong", "destination.geo.location.lat": 22.25, "destination.geo.location.lon": 114.1667, "destination.ip": "103.235.46.39", 
@@ -48,7 +49,8 @@ "source.port": 58071, "source.user.name": "user01", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ], "url.domain": "www.baidu.com", "url.path": "/" @@ -61,6 +63,7 @@ "destination.as.organization.name": "Zayo Bandwidth", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "216.200.241.66", @@ -98,7 +101,8 @@ "source.port": 1402, "source.user.name": "user02", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ], "url.domain": "www.checkpoint.com", "url.path": "/css/homepage2012.css" @@ -147,12 +151,14 @@ "source.as.organization.name": "Hetzner Online GmbH", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 51.2993, "source.geo.location.lon": 9.491, "source.ip": "188.40.238.250", "source.port": 80, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ], "url.domain": "EICAR-Test-File" }, @@ -196,12 +202,14 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "74.125.155.147", "source.port": 80, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -241,7 +249,8 @@ "source.ip": "10.2.1.101", "source.port": 80, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -283,7 +292,8 @@ "source.ip": "10.10.10.1", "source.user.name": "user01", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { @@ -333,7 +343,8 @@ "source.port": 58071, "source.user.name": "user01@testuser.com", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] }, { 
@@ -344,6 +355,7 @@ "destination.as.organization.name": "Beijing Baidu Netcom Science and Technology Co., Ltd.", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "HK", + "destination.geo.country_name": "Hong Kong", "destination.geo.location.lat": 22.25, "destination.geo.location.lon": 114.1667, "destination.ip": "103.235.46.39", @@ -385,7 +397,8 @@ "source.port": 58071, "source.user.name": "user01", "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ], "url.domain": "www.baidu.com", "url.path": "/" @@ -434,12 +447,14 @@ "source.as.organization.name": "Hetzner Online GmbH", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 51.2993, "source.geo.location.lon": 9.491, "source.ip": "188.40.238.250", "source.port": 80, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ], "url.domain": "EICAR-Test-File" }, @@ -451,6 +466,7 @@ "destination.as.organization.name": "Cloudflare, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.26.15.142", @@ -492,7 +508,8 @@ "source.ip": "10.1.1.100", "source.port": 58974, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ], "url.domain": "datawrapper.dwcdn.net", "url.path": "/" @@ -505,6 +522,7 @@ "destination.as.organization.name": "myLoc managed IT AG", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "85.114.159.93", 
@@ -549,7 +567,8 @@ "source.ip": "10.1.1.100", "source.port": 59075, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ], "url.domain": "dsp.adfarm1.adition.com", "url.path": "/" @@ -598,12 +617,14 @@ "source.as.organization.name": "Akamai Technologies, Inc.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "NL", + "source.geo.country_name": "Netherlands", "source.geo.location.lat": 52.3824, "source.geo.location.lon": 4.8995, "source.ip": "23.209.86.45", "source.port": 80, "tags": [ - "juniper-srx forwarded" + "juniper.srx", + "forwarded" ] } ] \ No newline at end of file From 2e5f9aad45c6a8e9a7770d539f6dc9af73f57bc0 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Fri, 2 Oct 2020 16:43:32 +0200 Subject: [PATCH 12/14] Add related fields --- .../module/juniper/srx/ingest/flow.yml | 20 ------ .../module/juniper/srx/ingest/pipeline.yml | 40 +++++++++++ .../juniper/srx/test/atp.log-expected.json | 26 +++++++ .../juniper/srx/test/idp.log-expected.json | 35 ++++++++++ .../juniper/srx/test/ids.log-expected.json | 46 +++++++++++++ .../srx/test/secintel.log-expected.json | 11 +++ .../juniper/srx/test/utm.log-expected.json | 68 +++++++++++++++++++ 7 files changed, 226 insertions(+), 20 deletions(-) diff --git a/x-pack/filebeat/module/juniper/srx/ingest/flow.yml b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml index d0bfcdb3035d..1a488a57bd8a 100644 --- a/x-pack/filebeat/module/juniper/srx/ingest/flow.yml +++ b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml 
@@ -339,26 +339,6 @@ processors:
 if: "ctx?.client?.packets != null && ctx?.server?.packets != null"
 ignore_failure: true
 
-#########################
-## ECS Related Mapping ##
-#########################
-- append:
- if: 'ctx?.source?.ip != null'
- field: related.ip
- value: '{{source.ip}}'
-- append:
- if: 'ctx?.destination?.ip != null'
- field: related.ip
- value: '{{destination.ip}}'
-- append:
- if: 'ctx?.source?.nat?.ip != null'
- field: related.ip
- value: '{{source.nat.ip}}'
-- append:
- if: 'ctx?.destination?.nat?.ip != null'
- field: related.ip
- value: '{{destination.nat.ip}}'
-
 #############
 ## Cleanup ##
 #############
diff --git a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml
index 2989ba7478f2..5bc4d45e82e5 100644
--- a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml
@@ -229,6 +229,46 @@ processors:
 name: '{< IngestPipeline "secintel" >}'
 if: "ctx.juniper?.srx?.process == 'RT_SECINTEL'"
 
+#########################
+## ECS Related Mapping ##
+#########################
+- append:
+ if: 'ctx.source?.ip != null'
+ field: related.ip
+ value: '{{source.ip}}'
+ ignore_failure: true
+- append:
+ if: 'ctx.destination?.ip != null'
+ field: related.ip
+ value: '{{destination.ip}}'
+ ignore_failure: true
+- append:
+ if: 'ctx.source?.nat?.ip != null'
+ field: related.ip
+ value: '{{source.nat.ip}}'
+ ignore_failure: true
+- append:
+ if: 'ctx?.destination?.nat?.ip != null'
+ field: related.ip
+ value: '{{destination.nat.ip}}'
+ ignore_failure: true
+
+- append:
+ if: 'ctx.url?.domain != null'
+ field: related.hosts
+ value: '{{url.domain}}'
+ ignore_failure: true
+- append:
+ if: 'ctx.source?.domain != null'
+ field: related.hosts
+ value: '{{source.domain}}'
+ ignore_failure: true
+- append:
+ if: 'ctx.destination?.domain != null'
+ field: related.hosts
+ value: '{{destination.domain}}'
+ ignore_failure: true
+
 on_failure:
 - set:
 field: error.message
diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json
index 63329237a81f..4187866594ed 100644
--- a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json
+++ b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json
@@ -51,6 +51,13 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "www.mytest.com" + ], + "related.ip": [ + "10.10.10.1", + "187.19.188.200" + ], "server.ip": "187.19.188.200", "server.port": 80, "service.type": "juniper",
@@ -97,6 +104,12 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "host.example.com" + ], + "related.ip": [ + "192.0.2.0" + ], "service.type": "juniper", "source.domain": "host.example.com", "source.ip": "192.0.2.0",
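Review bot: The `append` processors added to pipeline.yml copy `source.nat.ip`, `destination.nat.ip` and `url.domain` into `related.ip` / `related.hosts` without checking that the value is a usable address or host name. The fixtures updated in this same patch show the result: the idp events now carry `0.0.0.0` in `related.ip` (presumably an unset NAT address) and the utm antivirus events carry `EICAR-Test-File` in `related.hosts`, so a pivot on either field will tie together events that have nothing in common. I would tighten the conditions, for example `if: 'ctx.source?.nat?.ip != null && ctx.source.nat.ip != "0.0.0.0"'` (same for the destination side), and feed `related.hosts` from `url.domain` only where that field is known to hold a domain; which events those are is decided in the sub-pipelines, outside this hunk. As a point of style, `ctx?.destination?.nat?.ip` is the only condition here still written with `ctx?.` while the others use `ctx.`. The `processors:` list starts above the hunk.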
@@ -141,6 +154,12 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "host.example.com" + ], + "related.ip": [ + "192.0.2.0" + ], "service.type": "juniper", "source.domain": "host.example.com", "source.ip": "192.0.2.0", @@ -193,6 +212,13 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "dummy_host" + ], + "related.ip": [ + "1.1.1.1", + "10.0.0.1" + ], "server.ip": "10.0.0.1", "server.port": 80, "service.type": "juniper", diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json index 71555cd8d9a7..7704c88fac07 100644 --- a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json @@ -61,6 +61,12 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "10.11.11.1", + "187.188.188.10", + "0.0.0.0", + "3.3.10.11" + ], "rule.id": "3", "rule.name": "IPS", "server.bytes": 0, @@ -143,6 +149,12 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "10.11.11.1", + "187.188.188.10", + "0.0.0.0", + "3.3.10.11" + ], "rule.id": "3", "rule.name": "IPS", "server.bytes": 0, @@ -223,6 +235,12 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "183.78.180.27", + "118.127.111.1", + "0.0.0.0", + "172.19.13.11" + ], "rule.id": "9", "rule.name": "IPS", "server.bytes": 0, @@ -302,6 +320,12 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "183.78.180.27", + "118.127.30.11", + "0.0.0.0", + "172.16.1.10" + ], "rule.id": "9", "rule.name": "IPS", "server.bytes": 0, 
@@ -361,6 +385,9 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "172.27.14.203" + ], "rule.id": "1", "rule.name": "DDOS", "server.ip": "172.27.14.203", @@ -424,6 +451,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "192.168.14.214", + "172.27.14.203" + ], "rule.id": "1", "server.ip": "172.27.14.203", "server.port": 80, @@ -488,6 +519,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "193.168.14.214", + "172.30.20.201" + ], "rule.id": "1", "server.ip": "172.30.20.201", "server.port": 80, diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json index b5a317c3e8ea..10abae2fa6d8 100644 --- a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json @@ -43,6 +43,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "113.113.17.17", + "40.177.177.1" + ], "server.ip": "40.177.177.1", "server.port": 1433, "service.type": "juniper", @@ -99,6 +103,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "2000:0000:0000:0000:0000:0000:0000:0002", + "2001:0000:0000:0000:0000:0000:0000:0002" + ], "server.ip": "2001:0000:0000:0000:0000:0000:0000:0002", "server.port": 139, "service.type": "juniper", @@ -153,6 +161,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "1.1.1.2", + "2.2.2.2" + ], "server.ip": "2.2.2.2", "server.port": 50010, "service.type": "juniper", 
@@ -215,6 +227,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3", + "3.4.2.2" + ], "server.ip": "3.4.2.2", "server.port": 53, "service.type": "juniper", @@ -278,6 +294,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3", + "3.4.2.2" + ], "server.ip": "3.4.2.2", "service.type": "juniper", "source.as.number": 56041, @@ -339,6 +359,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3", + "3.4.2.2" + ], "server.ip": "3.4.2.2", "service.type": "juniper", "source.as.number": 56041, @@ -393,6 +417,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "1212::12", + "1111::11" + ], "server.ip": "1111::11", "service.type": "juniper", "source.ip": "1212::12", @@ -442,6 +470,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "12.12.12.1", + "11.11.11.1" + ], "server.ip": "11.11.11.1", "service.type": "juniper", "source.as.number": 32328, @@ -498,6 +530,9 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "2.2.2.2" + ], "server.ip": "2.2.2.2", "service.type": "juniper", "tags": [ @@ -539,6 +574,9 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "111.1.1.3" + ], "service.type": "juniper", "source.as.number": 56041, "source.as.organization.name": "China Mobile communications corporation", @@ -593,6 +631,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "10.1.1.1" + ], "server.ip": "10.1.1.1", "server.port": 10778, "service.type": "juniper", 
@@ -640,6 +682,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "10.1.1.100", + "10.1.1.1" + ], "server.ip": "10.1.1.1", "server.port": 7, "service.type": "juniper", diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json index 54f827ece3c7..49667e85897a 100644 --- a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json @@ -44,6 +44,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "5.196.121.161", + "10.10.0.10" + ], "server.ip": "10.10.0.10", "server.port": 24039, "service.type": "juniper", @@ -108,6 +112,13 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "dummy_host" + ], + "related.ip": [ + "1.1.1.1", + "10.0.0.1" + ], "server.ip": "10.0.0.1", "server.port": 80, "service.type": "juniper", diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json index 3a19d2e1a99e..f9890a6ca0f2 100644 --- a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json @@ -42,6 +42,13 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "www.baidu.com" + ], + "related.ip": [ + "192.168.1.100", + "103.235.46.39" + ], "server.ip": "103.235.46.39", "server.port": 80, "service.type": "juniper", @@ -94,6 +101,13 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "www.checkpoint.com" + ], + "related.ip": [ + "10.10.10.50", + "216.200.241.66" + ], "server.ip": "216.200.241.66", "server.port": 80, "service.type": "juniper", 
@@ -144,6 +158,13 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "EICAR-Test-File" + ], + "related.ip": [ + "188.40.238.250", + "10.1.1.103" + ], "server.ip": "10.1.1.103", "server.port": 47095, "service.type": "juniper", @@ -195,6 +216,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "74.125.155.147", + "10.1.1.103" + ], "server.ip": "10.1.1.103", "server.port": 33578, "service.type": "juniper", @@ -243,6 +268,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "10.2.1.101", + "10.1.1.103" + ], "server.ip": "10.1.1.103", "server.port": 51727, "service.type": "juniper", @@ -288,6 +317,9 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "10.10.10.1" + ], "service.type": "juniper", "source.ip": "10.10.10.1", "source.user.name": "user01", @@ -336,6 +368,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "192.0.2.3", + "198.51.100.2" + ], "server.ip": "198.51.100.2", "server.port": 80, "service.type": "juniper", @@ -390,6 +426,13 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "www.baidu.com" + ], + "related.ip": [ + "192.168.1.100", + "103.235.46.39" + ], "server.ip": "103.235.46.39", "server.port": 80, "service.type": "juniper", @@ -440,6 +483,13 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "EICAR-Test-File" + ], + "related.ip": [ + "188.40.238.250", + "10.1.1.103" + ], "server.ip": "10.1.1.103", "server.port": 47095, "service.type": "juniper", 
@@ -502,6 +552,13 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "datawrapper.dwcdn.net" + ], + "related.ip": [ + "10.1.1.100", + "104.26.15.142" + ], "server.ip": "104.26.15.142", "server.port": 443, "service.type": "juniper", @@ -561,6 +618,13 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.hosts": [ + "dsp.adfarm1.adition.com" + ], + "related.ip": [ + "10.1.1.100", + "85.114.159.93" + ], "server.ip": "85.114.159.93", "server.port": 443, "service.type": "juniper", @@ -610,6 +674,10 @@ "observer.product": "SRX", "observer.type": "firewall", "observer.vendor": "Juniper", + "related.ip": [ + "23.209.86.45", + "10.1.1.100" + ], "server.ip": "10.1.1.100", "server.port": 58954, "service.type": "juniper", From d643ea36e19c83832a33a46b20626c4a55f8e7ef Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 5 Oct 2020 20:06:08 +0200 Subject: [PATCH 13/14] Add changelog entry --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 279eda229a7c..f99bcb1ab559 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -605,6 +605,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add related.hosts ecs field to all modules {pull}21160[21160] - Keep cursor state between httpjson input restarts {pull}20751[20751] - Convert aws s3 to v2 input {pull}20005[20005] +- New juniper.srx dataset for Juniper SRX logs. {pull}20017[20017] *Heartbeat* From 25fc2a5823f4542bf38e8650a7dbddeff2f04c01 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 5 Oct 2020 21:37:27 +0200 Subject: [PATCH 14/14] Remove unused file --- filebeat/docs/modules/junipersrx.asciidoc | 141 ---------------------- 1 file changed, 141 deletions(-) delete mode 100644 filebeat/docs/modules/junipersrx.asciidoc 
diff --git a/filebeat/docs/modules/junipersrx.asciidoc b/filebeat/docs/modules/junipersrx.asciidoc
deleted file mode 100644
index 767e9bf1c816..000000000000
--- a/filebeat/docs/modules/junipersrx.asciidoc
+++ /dev/null
@@ -1,141 +0,0 @@ -//// -This file is generated! See scripts/docs_collector.py -//// - -[[filebeat-module-junipersrx]] -[role="xpack"] - -:modulename: junipersrx -:has-dashboards: false - -== Juniper-SRX module - -This is a module for Juniper-SRX OS logs sent in the syslog format. - -The Juniper-SRX module only supports syslog messages in the format "structured-data + brief" https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html[JunOS Documentation structured-data] - -To configure a remote syslog destination, please reference the https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502[SRX Getting Started - Configure System Logging]. - -The following processes and tags are supported: - -[options="header"] -|============================================================== -| JunOS processes | JunOS tags | -| RT_FLOW | RT_FLOW_SESSION_CREATE | -| | RT_FLOW_SESSION_CLOSE | -| | RT_FLOW_SESSION_DENY | -| | APPTRACK_SESSION_CREATE | -| | APPTRACK_SESSION_CLOSE | -| | APPTRACK_SESSION_VOL_UPDATE | -| RT_IDS | RT_SCREEN_TCP | -| | RT_SCREEN_UDP | -| | RT_SCREEN_ICMP | -| | RT_SCREEN_IP | -| | RT_SCREEN_TCP_DST_IP | -| | RT_SCREEN_TCP_SRC_IP | -| RT_UTM | WEBFILTER_URL_PERMITTED | -| | WEBFILTER_URL_BLOCKED | -| | AV_VIRUS_DETECTED_MT | -| | CONTENT_FILTERING_BLOCKED_MT | -| | ANTISPAM_SPAM_DETECTED_MT | -| RT_IDP | IDP_ATTACK_LOG_EVENT | -| | IDP_APPDDOS_APP_STATE_EVENT | -| RT_AAMW | SRX_AAMW_ACTION_LOG | -| | AAMW_MALWARE_EVENT_LOG | -| | AAMW_HOST_INFECTED_EVENT_LOG | -| | AAMW_ACTION_LOG | -| RT_SECINTEL | SECINTEL_ACTION_LOG | -|============================================================== - - - -The syslog format choosen should be `Default`. - -include::../include/gs-link.asciidoc[] - -[float] -=== Compatibility - -This module has been tested against JunOS version 19.x and 20.x. -Versions above this are expected to work but have not been tested. 
- -include::../include/configuring-intro.asciidoc[] - -:fileset_ex: firewall - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `firewall` fileset settings - -[source,yaml] ----- -- module: sophosxg - firewall: - enabled: true - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9006 ----- - -include::../include/var-paths.asciidoc[] - -*`var.input`*:: - -The input to use, can be either the value `tcp`, `udp` or `file`. - -*`var.syslog_host`*:: - -The interface to listen to all syslog traffic. Defaults to localhost. -Set to 0.0.0.0 to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to 9006. - - -[float] -==== JunOS ECS fields - -This is a list of JunOS fields that are mapped to ECS. - -[options="header"] -|============================================================== -| JunOS Fields | ECS Fields | -| application-risk | event.risk_score | -| bytes-from-client | source.bytes | -| bytes-from-server | destination.bytes | -| destination-interface-name | observer.egress.interface.name | -| destination-zone-name | observer.egress.zone | -| destination-address | destination.ip | -| destination-port | destination.port | -| dst_domainname | url.domain | -| elapsed-time | event.duration | -| filename | file.name | -| nat-destination-address | destination.nat.ip | -| nat-destination-port | destination.nat.port | -| nat-source-address | source.nat.ip | -| nat-source-port | source.nat.port | -| message | message | -| obj | url.path | -| packets-from-client | source.packets | -| packets-from-server | destination.packets | -| policy-name | rule.name | -| protocol | network.transport | -| source-address | source.ip | -| source-interface-name | observer.ingress.interface.name| -| source-port | source.port | -| source-zone-name | observer.ingress.zone | -| url | url.domain | -|============================================================== - - -:modulename!: - - -[float] -=== Fields - -For a 
description of each field in the module, see the -<> section. -