Merge branch 'master' into splunk

Greg Oliver 2018-08-23 14:08:19 +01:00 коммит произвёл GitHub
Родитель 2af88df1d8 9531feff2a
Коммит 363df5a0ae
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
5 изменённых файлов: 2013 добавлений и 33 удалений


@ -174,21 +174,23 @@ namespace NwNsgProject
string cefRecordBase = "";
foreach (var record in logs.records)
{
float version = record.properties.Version;
cefRecordBase = record.MakeCEFTime();
cefRecordBase += "|Microsoft.Network";
cefRecordBase += "|NETWORKSECURITYGROUPS";
cefRecordBase += "|" + record.properties.Version.ToString("0.0");
cefRecordBase += "|" + version.ToString("0.0");
cefRecordBase += "|" + record.category;
cefRecordBase += "|" + record.operationName;
cefRecordBase += "|1"; // severity is always 1
cefRecordBase += "|deviceExternalId=" + record.MakeDeviceExternalID();
int count = 1;
foreach (var outerFlows in record.properties.flows)
{
// expectation is that there is only ever 1 item in record.properties.flows
string cefOuterFlowRecord = cefRecordBase;
cefOuterFlowRecord += String.Format(" cs{0}=", count) + outerFlows.rule;
cefOuterFlowRecord += String.Format(" cs{0}Label=NSGRuleName", count++);
cefOuterFlowRecord += String.Format(" cs1={0}", outerFlows.rule);
cefOuterFlowRecord += String.Format(" cs1Label=NSGRuleName");
foreach (var innerFlows in outerFlows.flows)
{
@ -197,7 +199,7 @@ namespace NwNsgProject
var firstFlowTupleEncountered = true;
foreach (var flowTuple in innerFlows.flowTuples)
{
var tuple = new NSGFlowLogTuple(flowTuple);
var tuple = new NSGFlowLogTuple(flowTuple, version);
if (firstFlowTupleEncountered)
{
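Review bot: `version.ToString("0.0")` on the new header line is culture-sensitive, so on a host whose current culture uses a comma decimal separator the CEF version field is emitted as `1,0` instead of `1.0` and downstream CEF parsers will reject or misread the header; since this string is machine-parsed it should be `version.ToString("0.0", CultureInfo.InvariantCulture)` (from `System.Globalization`). The same `version` value is now also passed into `NSGFlowLogTuple`, where it selects which tuple fields are parsed, so carrying the schema version as a `float` (the sample data in this commit shows it as the integer `1`) is worth a second look — an exact integer type would avoid any rounding or comparison surprises. The enclosing method starts before this hunk.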


@ -6,6 +6,8 @@ using Newtonsoft.Json;
class NSGFlowLogTuple
{
float schemaVersion;
string startTime;
string sourceAddress;
string destinationAddress;
@ -15,8 +17,17 @@ class NSGFlowLogTuple
string deviceDirection;
string deviceAction;
public NSGFlowLogTuple(string tuple)
// version 2 tuple properties
string flowState;
string packetsStoD;
string bytesStoD;
string packetsDtoS;
string bytesDtoS;
public NSGFlowLogTuple(string tuple, float version)
{
schemaVersion = version;
char[] sep = new char[] { ',' };
string[] parts = tuple.Split(sep);
startTime = parts[0];
@ -27,6 +38,18 @@ class NSGFlowLogTuple
transportProtocol = parts[5];
deviceDirection = parts[6];
deviceAction = parts[7];
if (version >= 2.0)
{
flowState = parts[8];
if (flowState != "B")
{
packetsStoD = parts[9];
bytesStoD = parts[10];
packetsDtoS = parts[11];
bytesDtoS = parts[12];
}
}
}
public string GetDirection
@ -36,17 +59,43 @@ class NSGFlowLogTuple
public override string ToString()
{
string temp = "";
temp += "rt=" + (Convert.ToUInt64(startTime) * 1000).ToString();
temp += " src=" + sourceAddress;
temp += " dst=" + destinationAddress;
temp += " spt=" + sourcePort;
temp += " dpt=" + destinationPort;
temp += " proto=" + (transportProtocol == "U" ? "UDP" : "TCP");
temp += " deviceDirection=" + (deviceDirection == "I" ? "0" : "1");
temp += " act=" + deviceAction;
var temp = new StringBuilder();
temp.Append("rt=").Append((Convert.ToUInt64(startTime) * 1000).ToString());
temp.Append(" src=").Append(sourceAddress);
temp.Append(" dst=").Append(destinationAddress);
temp.Append(" spt=").Append(sourcePort);
temp.Append(" dpt=").Append(destinationPort);
temp.Append(" proto=").Append((transportProtocol == "U" ? "UDP" : "TCP"));
temp.Append(" deviceDirection=").Append((deviceDirection == "I" ? "0" : "1"));
temp.Append(" act=").Append(deviceAction);
return temp;
if (schemaVersion >= 2.0)
{
// add fields from version 2 schema
temp.Append(" cs2=").Append(flowState);
temp.Append(" cs2Label=FlowState");
if (flowState != "B")
{
temp.Append(" cn1=").Append(packetsStoD);
temp.Append(" cn1Label=PacketsStoD");
temp.Append(" cn2=").Append(packetsDtoS);
temp.Append(" cn2Label=PacketsDtoS");
if (deviceDirection == "I")
{
temp.Append(" bytesIn={0}").Append(bytesStoD);
temp.Append(" bytesOut={0}").Append(bytesDtoS);
}
else
{
temp.Append(" bytesIn={0}").Append(bytesDtoS);
temp.Append(" bytesOut={0}").Append(bytesStoD);
}
}
}
return temp.ToString();
}
public string JsonSubString()
@ -72,24 +121,15 @@ class NSGFlowLogsInnerFlows
public string MakeMAC()
{
//string temp = "";
//temp += mac.Substring(0, 2) + ":";
//temp += mac.Substring(2, 2) + ":";
//temp += mac.Substring(4, 2) + ":";
//temp += mac.Substring(6, 2) + ":";
//temp += mac.Substring(8, 2) + ":";
//temp += mac.Substring(10, 2);
var temp = new StringBuilder();
temp.Append(mac.Substring(0, 2)).Append(":");
temp.Append(mac.Substring(2, 2)).Append(":");
temp.Append(mac.Substring(4, 2)).Append(":");
temp.Append(mac.Substring(6, 2)).Append(":");
temp.Append(mac.Substring(8, 2)).Append(":");
temp.Append(mac.Substring(10, 2));
//return temp;
var sb = new StringBuilder();
sb.Append(mac.Substring(0, 2)).Append(":");
sb.Append(mac.Substring(2,2)).Append(":");
sb.Append(mac.Substring(4,2)).Append(":");
sb.Append(mac.Substring(6,2)).Append(":");
sb.Append(mac.Substring(8,2)).Append(":");
sb.Append(mac.Substring(10,2)).Append(":");
return sb.ToString();
return temp.ToString();
}
}
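Review bot: In the version-2 block of `ToString`, the four `Append(" bytesIn={0}")` / `Append(" bytesOut={0}")` calls still carry a `string.Format` placeholder, so the extension is emitted literally as `bytesIn={0}<value>`; they should read `temp.Append(" bytesIn=").Append(bytesStoD);` and `temp.Append(" bytesOut=").Append(bytesDtoS);` (with the operands swapped in the else branch, as now). While on those lines, note that the CEF extension dictionary names these keys `in` and `out` (bytesIn/bytesOut are their long names), so a consumer keyed on the standard dictionary will not map `bytesIn=`/`bytesOut=` — confirm the expected key names against the receiver before choosing. The constructor hunk reads `parts[9]`..`parts[12]` with no length check, so a truncated version-2 tuple throws IndexOutOfRangeException and aborts the whole record; a guard before that read such as `if (parts.Length < 13) throw new ArgumentException("version 2 tuple has too few fields", nameof(tuple));` fails with an actionable message instead. If the `sb` variant of `MakeMAC` at the end of this section is the surviving side (the rendered diff does not mark which), its final `.Append(":")` leaves a trailing colon on the MAC, which the sample output added in this commit (`dmac=00:0D:3A:0A:F5:19`) does not show.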


@ -0,0 +1,3 @@
Jul 18 13:36:34 host CEF:0|Microsoft.Network|NETWORKSECURITYGROUPS|1.0|NetworkSecurityGroupFlowEvent|NetworkSecurityGroupFlowEvents|1|deviceExternalId=743F6ED6-83A8-46F0-822D-EA93B953952D/WADRG/WADVM-NSG cs1=DefaultRule_DenyAllInBound cs1Label=NSGRuleName dmac=00:0D:3A:0A:F5:19 rt=1531917335000 src=122.222.24.18 dst=10.0.0.4 spt=61691 dpt=3128 proto=TCP deviceDirection=0 act=D
Jul 18 13:36:34 host CEF:0|Microsoft.Network|NETWORKSECURITYGROUPS|1.0|NetworkSecurityGroupFlowEvent|NetworkSecurityGroupFlowEvents|1|deviceExternalId=743F6ED6-83A8-46F0-822D-EA93B953952D/WADRG/WADVM-NSG cs1=DefaultRule_DenyAllInBound cs1Label=NSGRuleName dmac=00:0D:3A:0A:F5:19 rt=1531917338000 src=122.222.24.18 dst=10.0.0.4 spt=61691 dpt=3128 proto=TCP deviceDirection=0 act=D
Jul 18 13:36:34 host CEF:0|Microsoft.Network|NETWORKSECURITYGROUPS|1.0|NetworkSecurityGroupFlowEvent|NetworkSecurityGroupFlowEvents|1|deviceExternalId=743F6ED6-83A8-46F0-822D-EA93B953952D/WADRG/WADVM-NSG cs1=DefaultRule_DenyAllInBound cs1Label=NSGRuleName dmac=00:0D:3A:0A:F5:19 rt=1531917342000 src=185.208.209.70 dst=10.0.0.4 spt=49825 dpt=921 proto=TCP deviceDirection=0 act=D


@ -0,0 +1,76 @@
{
"records": [
{
"time": "2018-07-18T12:36:34.6259876Z",
"systemId": "b54f041a-a9ad-4dc1-b847-e6d2d3b7b309",
"category": "NetworkSecurityGroupFlowEvent",
"resourceId": "/SUBSCRIPTIONS/743F6ED6-83A8-46F0-822D-EA93B953952D/RESOURCEGROUPS/WADRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WADVM-NSG",
"operationName": "NetworkSecurityGroupFlowEvents",
"properties": {
"Version": 1,
"flows": [
{
"rule": "DefaultRule_DenyAllInBound",
"flows": [
{
"mac": "000D3A0AF519",
"flowTuples": [ "1531917335,122.222.24.18,10.0.0.4,61691,3128,T,I,D", "1531917338,122.222.24.18,10.0.0.4,61691,3128,T,I,D", "1531917342,185.208.209.70,10.0.0.4,49825,921,T,I,D", "1531917344,122.222.24.18,10.0.0.4,61691,3128,T,I,D", "1531917355,180.14.239.228,10.0.0.4,52062,3128,T,I,D", "1531917358,180.14.239.228,10.0.0.4,52062,3128,T,I,D", "1531917364,180.14.239.228,10.0.0.4,52062,3128,T,I,D", "1531917369,185.255.31.247,10.0.0.4,43729,4452,T,I,D", "1531917371,222.228.49.37,10.0.0.4,64267,3128,T,I,D", "1531917374,222.228.49.37,10.0.0.4,64267,3128,T,I,D", "1531917375,5.188.86.36,10.0.0.4,56374,38090,T,I,D", "1531917380,222.228.49.37,10.0.0.4,64267,3128,T,I,D", "1531917382,185.143.223.152,10.0.0.4,47968,5048,T,I,D" ]
}
]
},
{
"rule": "DefaultRule_AllowInternetOutBound",
"flows": [
{
"mac": "000D3A0AF519",
"flowTuples": [ "1531917387,10.0.0.4,13.79.239.69,123,123,U,O,A" ]
}
]
}
]
}
},
{
"time": "2018-07-18T12:37:34.6270738Z",
"systemId": "b54f041a-a9ad-4dc1-b847-e6d2d3b7b309",
"category": "NetworkSecurityGroupFlowEvent",
"resourceId": "/SUBSCRIPTIONS/743F6ED6-83A8-46F0-822D-EA93B953952D/RESOURCEGROUPS/WADRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WADVM-NSG",
"operationName": "NetworkSecurityGroupFlowEvents",
"properties": {
"Version": 1,
"flows": [
{
"rule": "DefaultRule_DenyAllInBound",
"flows": [
{
"mac": "000D3A0AF519",
"flowTuples": [ "1531917396,222.228.65.36,10.0.0.4,54052,3128,T,I,D", "1531917399,222.228.65.36,10.0.0.4,54052,3128,T,I,D", "1531917400,196.52.43.103,10.0.0.4,6712,161,U,I,D", "1531917402,146.185.222.12,10.0.0.4,51661,28038,T,I,D", "1531917405,222.228.65.36,10.0.0.4,54052,3128,T,I,D", "1531917418,180.14.239.228,10.0.0.4,50022,3128,T,I,D", "1531917421,180.14.239.228,10.0.0.4,50022,3128,T,I,D", "1531917427,180.14.239.228,10.0.0.4,50022,3128,T,I,D", "1531917432,119.241.208.249,10.0.0.4,62824,3128,T,I,D", "1531917435,119.241.208.249,10.0.0.4,62824,3128,T,I,D", "1531917441,119.241.208.249,10.0.0.4,62824,3128,T,I,D" ]
}
]
}
]
}
},
{
"time": "2018-07-18T12:38:34.6291132Z",
"systemId": "b54f041a-a9ad-4dc1-b847-e6d2d3b7b309",
"category": "NetworkSecurityGroupFlowEvent",
"resourceId": "/SUBSCRIPTIONS/743F6ED6-83A8-46F0-822D-EA93B953952D/RESOURCEGROUPS/WADRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WADVM-NSG",
"operationName": "NetworkSecurityGroupFlowEvents",
"properties": {
"Version": 1,
"flows": [
{
"rule": "DefaultRule_DenyAllInBound",
"flows": [
{
"mac": "000D3A0AF519",
"flowTuples": [ "1531917456,222.228.50.218,10.0.0.4,62649,3128,T,I,D", "1531917459,222.228.50.218,10.0.0.4,62649,3128,T,I,D", "1531917465,222.228.50.218,10.0.0.4,62649,3128,T,I,D", "1531917473,222.228.50.218,10.0.0.4,50077,3128,T,I,D", "1531917476,222.228.50.218,10.0.0.4,50077,3128,T,I,D", "1531917478,149.202.30.2,10.0.0.4,40361,30831,T,I,D", "1531917482,222.228.50.218,10.0.0.4,50077,3128,T,I,D", "1531917486,188.19.53.164,10.0.0.4,1283,23,T,I,D", "1531917487,193.34.145.109,10.0.0.4,53743,50802,T,I,D", "1531917488,222.228.49.37,10.0.0.4,53332,3128,T,I,D", "1531917491,222.228.49.37,10.0.0.4,53332,3128,T,I,D", "1531917497,222.228.49.37,10.0.0.4,53332,3128,T,I,D", "1531917510,180.14.239.228,10.0.0.4,54716,3128,T,I,D" ]
}
]
}
]
}
}
]
}
