Commit f52e0ce9 authored by Arne Øslebø's avatar Arne Øslebø

small fixes for supporting use case

parent 6b342c4d
......@@ -2164,7 +2164,7 @@
</property>
<property>
<name>routing-strategy</name>
<value>route-to-success</value>
<value>route-to-matched-unmatched</value>
</property>
<property>
<name>result-contents</name>
......@@ -2215,10 +2215,12 @@
<loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression>
</connection>
<connection>
<id>2a95cb88-0177-1000-ffff-ffffc8a50166</id>
<id>7802e325-0177-1000-0000-000042ea28cf</id>
<name />
<bendPoints />
<labelIndex>1</labelIndex>
<bendPoints>
<bendPoint x="-872.0" y="976.0" />
</bendPoints>
<labelIndex>0</labelIndex>
<zIndex>0</zIndex>
<sourceId>2cd2029e-53ae-3575-bf35-785203683c7f</sourceId>
<sourceGroupId>de2bc05d-fbd2-35bc-9192-b82041176492</sourceGroupId>
......@@ -2226,7 +2228,29 @@
<destinationId>ab8d073c-e5c0-314c-a094-6117f998b1e1</destinationId>
<destinationGroupId>de2bc05d-fbd2-35bc-9192-b82041176492</destinationGroupId>
<destinationType>OUTPUT_PORT</destinationType>
<relationship>success</relationship>
<relationship>unmatched</relationship>
<maxWorkQueueSize>10000</maxWorkQueueSize>
<maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize>
<flowFileExpiration>0 sec</flowFileExpiration>
<loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy>
<partitioningAttribute />
<loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression>
</connection>
<connection>
<id>7802b66d-0177-1000-0000-00004ea5646f</id>
<name />
<bendPoints>
<bendPoint x="-616.0" y="976.0" />
</bendPoints>
<labelIndex>0</labelIndex>
<zIndex>0</zIndex>
<sourceId>2cd2029e-53ae-3575-bf35-785203683c7f</sourceId>
<sourceGroupId>de2bc05d-fbd2-35bc-9192-b82041176492</sourceGroupId>
<sourceType>PROCESSOR</sourceType>
<destinationId>ab8d073c-e5c0-314c-a094-6117f998b1e1</destinationId>
<destinationGroupId>de2bc05d-fbd2-35bc-9192-b82041176492</destinationGroupId>
<destinationType>OUTPUT_PORT</destinationType>
<relationship>matched</relationship>
<maxWorkQueueSize>10000</maxWorkQueueSize>
<maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize>
<flowFileExpiration>0 sec</flowFileExpiration>
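Review bot: Both connections in this hunk leave processor `2cd2029e-…` for the same output port `ab8d073c-…` — the renamed one on `unmatched` and the added one on `matched` — so switching `routing-strategy` to `route-to-matched-unmatched` in the first hunk changes nothing about where records end up. If the intent is only to make the two outcomes visible as separate queues that is fine, but if unmatched records were meant to be handled differently the `unmatched` connection should point at another destination. A short comment on the processor stating which of the two is intended would spare the next reader the same question.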
......@@ -3871,16 +3895,16 @@
<scheduledState>STOPPED</scheduledState>
</inputPort>
<outputPort>
<id>27d5dab2-0172-1000-ffff-ffffab5c50be</id>
<name>To data output</name>
<position x="-632.0" y="328.0" />
<id>27d5761b-0172-1000-0000-000059275dad</id>
<name>To enrichment</name>
<position x="-312.0" y="328.0" />
<comments />
<scheduledState>STOPPED</scheduledState>
</outputPort>
<outputPort>
<id>27d5761b-0172-1000-0000-000059275dad</id>
<name>To enrichment</name>
<position x="-312.0" y="328.0" />
<id>27d5dab2-0172-1000-ffff-ffffab5c50be</id>
<name>To data output</name>
<position x="-632.0" y="328.0" />
<comments />
<scheduledState>STOPPED</scheduledState>
</outputPort>
......@@ -9004,7 +9028,7 @@
</property>
<property>
<name>generate-ff-custom-text</name>
<value>[{"stream": 0,"flow": {"bytes_toserver": 74,"bytes_toclient": 0,"start": "${now():format('yyyy-MM-dd HH:mm:ss.SSS'):replaceFirst(' ','T')}","pkts_toserver": 1,"pkts_toclient": 0},"vlan": 665,"ip_dst_port": 54323,"in_iface": "ens1f3","payload": "","timestamp": "${now():format('yyyy-MM-dd HH:mm:ss.SSS'):replaceFirst(' ','T')}","proto": "TCP","event_type": "alert","alert": {"category": "Not Suspicious Traffic","severity": 3,"action": "allowed","gid": 1,"signature_id": 29999991,"rev": 1,"signature": "SOC TEST1"},"payload_printable": "","ip_src_addr": "10.${random():mod(254):plus(1)}.${random():mod(254):plus(1)}.${random():mod(254):plus(1)}","ip_src_port": 43844,"ip_dst_addr": "10.0.0.${random():mod(254):plus(1)}","host":"nifi.soctools.geant.org","host_domain":"geant.org"},
<value>[{"stream": 0,"flow": {"bytes_toserver": 74,"bytes_toclient": 0,"start": "${now():format('yyyy-MM-dd HH:mm:ss.SSS'):replaceFirst(' ','T')}","pkts_toserver": 1,"pkts_toclient": 0},"vlan": 665,"in_iface": "ens1f3","payload": "","timestamp": "${now():format('yyyy-MM-dd HH:mm:ss.SSS'):replaceFirst(' ','T')}","proto": "TCP","event_type": "alert","alert": {"category": "Not Suspicious Traffic","severity": 3,"action": "allowed","gid": 1,"signature_id": 29999991,"rev": 1,"signature": "SOC TEST1"},"payload_printable": "","source":{"ip":"10.${random():mod(254):plus(1)}.${random():mod(254):plus(1)}.${random():mod(254):plus(1)}","port": 43844},"destination":{"ip":"10.0.0.${random():mod(254):plus(1)}","port":"54323"},"host":"nifi.soctools.geant.org","host_domain":"geant.org"},
{"timestamp":"${now():format('yyyy-MM-dd HH:mm:ss.SSS'):replaceFirst(' ','T')}","alert":{"action":"allowed","category":"Potentially Bad Traffic","gid":1,"metadata":{"affected_product":["Any"],"attack_target":["Client_Endpoint"],"created_at":["2019_07_26"],"deployment":["Perimeter"],"former_category":["DNS"],"signature_severity":["Minor"],"updated_at":["2019_09_28"]},"rev":3,"severity":2,"signature":"ET DNS Query for .cc TLD","signature_id":2027758},"app_proto":"dns","destination":{"ip":"10.10.10.${random():mod(254):plus(1)}","port":53},"dns":{"query":[{"id":37261,"rrname":"example.evil","rrtype":"A","tx_id":2,"type":"query"}]},"event_type":"alert","flow":{"bytes_toclient":1039,"bytes_toserver":343,"pkts_toclient":2,"pkts_toserver":3,"start":"${now():format('yyyy-MM-dd HH:mm:ss.SSS'):replaceFirst(' ','T')}"},"flow_id":1889254052511234,"in_iface":"if1","payload":"kY0BAAABAAAAAAABBnN0YXRpYwdhcmR1aW5vAmNjAAABAAEAACkPoAAAgAAAAA==","payload_printable":".............example.evil.......)........","proto":"UDP","source":{"ip":"10.${random():mod(254):plus(1)}.${random():mod(254):plus(1)}.${random():mod(254):plus(1)}","port":64164},"stream":0,"tx_id":2},
{"timestamp":"${now():format('yyyy-MM-dd HH:mm:ss.SSS'):replaceFirst(' ','T')}","TLP":"AMBER","alert":{"action":"allowed","category":"Attempted Information Leak","gid":1,"metadata":{"created_at":["2014_10_15"],"former_category":["CURRENT_EVENTS"],"updated_at":["2014_10_15"]},"rev":6,"severity":2,"signature":"ET EXPLOIT SSL excessive fatal alerts (possible POODLE attack against server)","signature_id":2019418},"app_proto":"tls","destination":{"ip":"10.10.10.${random():mod(10):plus(1)}","port":37220},"event_type":"alert","flow":{"bytes_toclient":247,"bytes_toserver":298,"pkts_toclient":4,"pkts_toserver":4,"start":"${now():format('yyyy-MM-dd HH:mm:ss.SSS'):replaceFirst(' ','T')}"},"flow_id":43047386649621,"payload":"FQMAAAICKA==","payload_printable":"......(","proto":"TCP","source":{"ip":"10.${random():mod(254):plus(1)}.${random():mod(254):plus(1)}.${random():mod(254):plus(1)}","port":443},"stream":1,"tls":{"ja3":{},"version":"SSLv3"},"tx_id":0}]</value>
</property>
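Review bot: In the rewritten test event on the new `<value>` line the destination port is emitted as a JSON string, `"destination":{...,"port":"54323"}`, while the source port on the same line and every port in the two following events are JSON numbers. If these synthetic events are indexed alongside real alerts, a string in a field mapped as an integer is rejected or coerced inconsistently, so it should read `"port":54323`. The flat `ip_src_addr`/`ip_dst_addr`/`ip_src_port`/`ip_dst_port` keys of the old line are gone; that is presumably intended, since the nested `source`/`destination` objects match the other two events, but anything downstream still reading the flat keys would need checking.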
......@@ -9458,7 +9482,7 @@
</property>
<property>
<name>Password</name>
<value>enc{fe16f9929f6406cddb4bd76ce65cd921c54d473e22a0b270cf5d3928e20c6d668988cec4c468fd5bb45ecfcc18879950}</value>
<value>enc{907d07dbc9a93739b87296d143791fa32517e337630f9e98716909aae03b3cbd1e1c116bc9bbe793879e5d5d8d5b2724}</value>
</property>
<property>
<name>elasticsearch-http-connect-timeout</name>
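Review bot: The `Password` value on the changed line (and the `Truststore Password` value in the hunk at @@ -11952) is a NiFi `enc{…}` sensitive property, which is only as secret as the sensitive-properties key of the instance that produced it; committing freshly re-encrypted values into a flow template keeps real credentials in version history and ties the template to one instance's key. Unless that key is throwaway, these values should be replaced with a placeholder in the `{{…}}` style the template script on this page already uses for the TheHive API key, e.g. `<value>{{ELASTIC_PASSWORD}}</value>` (placeholder name constructed), with the secret supplied at render time. Rotating the ciphertext, as this commit does, does not remove the earlier value from history.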
......@@ -11952,7 +11976,7 @@
</property>
<property>
<name>Truststore Password</name>
<value>enc{fc071bc2a657baab96c3afa45b3e5b04e45b1071892e2263b922ab36c1d4feb0}</value>
<value>enc{4e264a7abbb4164f1c4fac0757c23fe630b181bc223b6c985c7de2c09ef870dc}</value>
</property>
<property>
<name>Truststore Type</name>
......@@ -12171,7 +12195,7 @@
</property>
<property>
<name>Maximum Cache Entries</name>
<value>10000</value>
<value>50000</value>
</property>
<property>
<name>Eviction Strategy</name>
......
......@@ -11,7 +11,9 @@ r=open(args.graphsfile,"r")
w=open(args.templatefile,"w")
for line in r:
w.write(re.sub(r'(^.*thehive_button\\\",\\\"params\\\":{\\\"url\\\":\\\")[^\\"]*(.*apikey\\\":\\\")[^\\\"]*(.*owner\\\":\\\")[^\\"]*(.*$)',"\g<1>{{THEHIVE_URL}}\g<2>{{THEHIVE_API_KEY}}\g<3>{{THEHIVE_OWNER}}\g<4>",line))
line=re.sub(r'(^.*thehive_button\\\",\\\"params\\\":{\\\"url\\\":\\\")[^\\"]*(.*apikey\\\":\\\")[^\\\"]*(.*owner\\\":\\\")[^\\"]*(.*$)',"\g<1>{{THEHIVE_URL}}\g<2>{{THEHIVE_API_KEY}}\g<3>{{THEHIVE_OWNER}}\g<4>",line)
line=re.sub(r"(^.*)https:\/\/[^\/]*(.*destination\.ip_misp\.keyword.*$)","\g<1>{{misp_url}}\g<2>",line)
w.write(line)
r.close()
w.close()
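Review bot: The replacement strings on both `re.sub` lines are ordinary string literals containing `\g<1>`, which is not a valid Python escape; current interpreters warn on it (DeprecationWarning, SyntaxWarning from 3.12) and the intent is clearer as a raw string, e.g. `line=re.sub(r"(^.*)https:\/\/[^\/]*(.*destination\.ip_misp\.keyword.*$)",r"\g<1>{{misp_url}}\g<2>",line)` — the first call has the same issue, inherited from the removed line. Because the leading `(^.*)` group is greedy and the pattern is anchored to the whole line, exactly one `https://` host (the last one before `destination.ip_misp.keyword`) is templated per line; if an input line can carry more than one URL the others keep their real hostname, which is worth confirming against the exported graphs. The `r`/`w` handles are opened before the hunk without a `with` block, so an exception inside the loop leaves the partially written template file open and unflushed.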