diff --git a/docs/sources/vendor/OPSWAT/metadefender_core.md b/docs/sources/vendor/OPSWAT/metadefender_core.md
new file mode 100644
index 0000000000..d6d69b7f26
--- /dev/null
+++ b/docs/sources/vendor/OPSWAT/metadefender_core.md
@@ -0,0 +1,28 @@
+# Metadefender Core
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | None |
+| Product Manual | https://www.opswat.com/docs/mdcore/configuration/syslog-message-format |
+
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| opswat:mscl:cef | None
+| opswat:mscw:cef | None |
+
+## Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| opswat_mscl_cef | opswat:mscl:cef | netwaf | none |
+| opswat_mscw_cef | opswat:mscw:cef | netwaf | none |
diff --git a/package/enterprise/etc/conf.d/conflib/cef/app-cef-opswat.conf b/package/enterprise/etc/conf.d/conflib/cef/app-cef-opswat.conf
new file mode 100644
index 0000000000..b308df8227
--- /dev/null
+++ b/package/enterprise/etc/conf.d/conflib/cef/app-cef-opswat.conf
@@ -0,0 +1,20 @@
+block parser app-cef-opswat() {
+channel {
+rewrite {
+r_set_splunk_dest_default(
+index('netwaf'),
+vendor('opswat'),
+product('${.metadata.cef.device_product}'),
+source('opswat:$(lowercase ${.metadata.cef.device_product})'),
+sourcetype('opswat:$(lowercase ${.metadata.cef.device_product}):cef')
+);
+};
+};
+};
+
+application app-cef-opswat[cef] {
+filter{
+match("OPSWAT" value(".metadata.cef.device_vendor"))
+};
+parser { app-cef-opswat(); };
+};
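Review bot: The filter `match("OPSWAT" value(".metadata.cef.device_vendor"))` in the `application app-cef-opswat[cef]` block is an unanchored regex, so any CEF header whose vendor field merely contains the substring OPSWAT is claimed by this parser, and the destination sourcetype is then assembled from the sender-supplied product field in `sourcetype('opswat:$(lowercase ${.metadata.cef.device_product}):cef')`. Both inputs come from the message itself, so a malformed or spoofed product string yields an arbitrary `opswat:<anything>:cef` sourcetype that detection content keyed on the documented `opswat:mscl:cef` / `opswat:mscw:cef` values will never see. If the vendor field is exactly OPSWAT, as in the test sample in this commit, `match("OPSWAT" value(".metadata.cef.device_vendor") type(string))` makes the match exact; if a substring match is intended, a comment saying why would stop a later reader from tightening it. A one-line comment above the rewrite noting that the sourcetype is open-ended and only mscl and mscw are documented would also help whoever maintains the docs table.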
diff --git a/package/etc/conf.d/conflib/cef/app-cef-opswat.conf b/package/etc/conf.d/conflib/cef/app-cef-opswat.conf
new file mode 100644
index 0000000000..de2484ccad
--- /dev/null
+++ b/package/etc/conf.d/conflib/cef/app-cef-opswat.conf
@@ -0,0 +1,20 @@
+block parser app-cef-opswat-mscl() {
+channel {
+rewrite {
+r_set_splunk_dest_default(
+index('netwaf'),
+vendor('opswat'),
+product('${.metadata.cef.device_product}'),
+source('opswat:$(lowercase ${.metadata.cef.device_product})'),
+sourcetype('opswat:$(lowercase ${.metadata.cef.device_product}):cef')
+);
+};
+};
+};
+
+application app-cef-opswat-mscl[cef] {
+filter{
+match("OPSWAT" value(".metadata.cef.device_vendor"))
+};
+parser { app-cef-opswat-mscl(); };
+};
diff --git a/package/lite/etc/addons/opswat/addon_metadata.yaml b/package/lite/etc/addons/opswat/addon_metadata.yaml
new file mode 100644
index 0000000000..3343b61de0
--- /dev/null
+++ b/package/lite/etc/addons/opswat/addon_metadata.yaml
@@ -0,0 +1,2 @@
+---
+name: "opswat"
diff --git a/package/lite/etc/addons/opswat/app-cef-opswat.conf b/package/lite/etc/addons/opswat/app-cef-opswat.conf
new file mode 100644
index 0000000000..de2484ccad
--- /dev/null
+++ b/package/lite/etc/addons/opswat/app-cef-opswat.conf
@@ -0,0 +1,20 @@
+block parser app-cef-opswat-mscl() {
+channel {
+rewrite {
+r_set_splunk_dest_default(
+index('netwaf'),
+vendor('opswat'),
+product('${.metadata.cef.device_product}'),
+source('opswat:$(lowercase ${.metadata.cef.device_product})'),
+sourcetype('opswat:$(lowercase ${.metadata.cef.device_product}):cef')
+);
+};
+};
+};
+
+application app-cef-opswat-mscl[cef] {
+filter{
+match("OPSWAT" value(".metadata.cef.device_vendor"))
+};
+parser { app-cef-opswat-mscl(); };
+};
diff --git a/package/lite/etc/config.yaml b/package/lite/etc/config.yaml
index 17e438262a..01d4da1a3f 100644
--- a/package/lite/etc/config.yaml
+++ b/package/lite/etc/config.yaml
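Review bot: The parser and application in this file are named `app-cef-opswat-mscl` while the enterprise copy added by the same commit is named `app-cef-opswat`, and the `-mscl` suffix is misleading: the filter matches on device_vendor only and the sourcetype is derived from device_product, so this block handles every OPSWAT product, including the `opswat:mscw:cef` sourcetype the docs page lists. Renaming to `block parser app-cef-opswat() {`, `application app-cef-opswat[cef] {` and `parser { app-cef-opswat(); };` keeps the three copies in step and makes the name say what the block does. The lite copy `package/lite/etc/addons/opswat/app-cef-opswat.conf` has the same blob id (de2484ccad) and needs the identical change, otherwise the two trees will drift the first time one of them is edited. A short comment above `r_set_splunk_dest_default(` explaining why these events are routed to the `netwaf` index would also help, since nothing in the block or the docs says why that index was chosen.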
@@ -87,3 +87,4 @@ addons:
 - aviatrix
 - veeam
 - suricata
+ - opswat
diff --git a/tests/test_opswat.py b/tests/test_opswat.py
new file mode 100644
index 0000000000..b2254f44f0
--- /dev/null
+++ b/tests/test_opswat.py
@@ -0,0 +1,44 @@
+# Copyright 2023 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import datetime
+import pytest
+
+from jinja2 import Environment, select_autoescape
+
+from .sendmessage import sendsingle
+from .splunkutils import splunk_single
+from .timeutils import time_operations
+
+env = Environment(autoescape=select_autoescape(default_for_string=False))
+
+
+@pytest.mark.addons("opswat")
+def test_opswat(
+ record_property, setup_splunk, setup_sc4s, get_host_key
+):
+ host = get_host_key
+ mt = env.from_string(
+ "{{ mark }}{{ bsd }} {{ host }} OPSWATPC CEF:0|OPSWAT|MSCL|4.16.0|core.network|MSCL[7548] New maximum agent count is set|2|maxAgentCount='1' msgid=665"
+ )
+ dt = datetime.datetime.now(datetime.timezone.utc)
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+ message = mt.render(mark="<134>", bsd=bsd, host=host)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search index=netwaf sourcetype="opswat:mscl:cef" earliest={{ epoch }}'
+ )
+ search = st.render(epoch=epoch)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
\ No newline at end of file
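Review bot: The Splunk search in `test_opswat` does not constrain on host, so `assert result_count == 1` counts every `opswat:mscl:cef` event in `netwaf` since `earliest`, not only the one this test sent, and a concurrently running test or a leftover event turns the assertion flaky in both directions. The rendered message already carries a per-test host, so the search template should use it: `'search index=netwaf host="{{ host }}" sourcetype="opswat:mscl:cef" earliest={{ epoch }}'` with `search = st.render(epoch=epoch, host=host)`. The test also exercises only the MSCL product even though the docs table in this commit lists `opswat:mscw:cef` as well; a second case built from a genuine MSCW sample would show that the lowercase-product sourcetype mapping works beyond this one string rather than being assumed. The `# Tune time functions` comment above `epoch = epoch[:-7]` does not say what the slice removes (presumably sub-second digits so `earliest` accepts it); stating that in the comment would save the next reader a trip into `time_operations`.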