# /opt/momentum_client/bin/show_config.pl
[[[ momentum syslog integration configuration ]]]
[[ version ]]
version : "momentum SYSLOG integration v3.00.00"
[[ device ]]
[device id : 1]
[device info]
device type : "non_filter"
log format : "ssv" (space-separated values)
[pcap download params]
[device id : 2]
[device info]
device type : "palo_alto_5tuple"
log format : "csv" (comma-separated values)
time format : "%Y/%m/%d %H:%M:%S"
[pcap download params]
time : "1"
protocol : "29"
ipsrc : "7"
ipdst : "8"
portsrc : "24"
portdst : "25"
[device id : 3]
[device info]
device type : "palo_alto_iponly"
log format : "csv" (comma-separated values)
time format : "%Y/%m/%d %H:%M:%S"
[pcap download params]
time : "1"
ipsrc : "7"
ipdst : "8"
[device id : 4]
[device info]
device type : "tippintpoint_4tuple"
log format : "cef" (CEF variables)
time format : "msec"
[pcap download params]
time : "2_rt"
ipsrc : "2_src"
ipdst : "2_dst"
portsrc : "2_spt"
portdst : "2_dpt"
[device id : 5]
[device info]
device type : "lastline_iponly"
log format : "cef" (CEF variables)
time format : "%b %e %Y %H:%M:%S UTC"
[pcap download params]
start : "2_start"
end : "2_end"
ipsrc : "2_src"
ipdst : "2_dst"
[[ pcap timing ]]
sleep time : "15" (sec)
diff time : "60" (sec)
duration : "65" (sec)
# [ image of pcap timing ]
# default: [sleeptime: 15; diff_time: 60; duration: 65;]
# sleeptime : time to wait before processing the current packet
#             (if the message is received at 9:10:11, processing begins at 9:10:26)
#
#   diff_time (x - diff_time)                    syslog receive timing (x)
#   | (ex: 09:09:11)                             | (ex: 09:10:11)
#   v                                            v
#   ##################################################
#   ^                                                ^
#   |<------------------- duration ----------------->|
#   start (x - diff_time)                            end (x - diff_time + duration)
#   (ex: 09:09:11)                                   (ex: 09:10:16)
[[ pcap cleaner ]]
clean time : "180" (day)
[[ disk check ]]
facility : "local6"
threshold : "90" (%)
[[ debug output ]]
facility : "local6"
state : "off"
[[ pss check ]]
facility : "local6"
[[ pss access ]]
mode : "psbcq"
[[ psbcq ]]
psbcq_ip : "localhost"
psbcq_port : "5111"
log_info : "0"
log_queue : "0"
log_pscli : "0"
log_pscli_detail : "0"
[[ swatch config ]]
[ /opt/momentum_client/conf/local0.conf ]
watchfor /THREAT,[^,]+,[^,]+,[^,]+,([^,]+),([^,]+),/
threshold track_by=$1:$2,type=limit,count=1,seconds=60
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 172.16.182.108 2"
watchfor /CEF.+TippingPoint.+ (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+)/
threshold track_by=$2:$4:$6:$8,type=limit,count=1,seconds=60
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 172.16.180.110 4"
watchfor /CEF.+Lastline.+ (src|dst)=([^ ]+) .* (src|dst)=([^ ]+)/
threshold track_by=$2:$4,type=limit,count=1,seconds=60
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 172.16.180.110 5"
[ /opt/momentum_client/conf/local1.conf ]
watchfor /THREAT,[^,]+,[^,]+,[^,]+,([^,]+),([^,]+),/
threshold track_by=$1:$2,type=limit,count=1,seconds=60
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 172.16.182.109 2"
#
コメント