Java tutorial
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.metron.parsing.parsers; import com.google.common.base.Joiner; import com.google.common.collect.ArrayListMultimap; import com.google.common.collect.Multimap; import org.apache.commons.lang3.StringUtils; import org.apache.metron.parsing.utils.ParserUtils; import org.json.simple.JSONObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.text.ParseException; import java.util.ArrayList; import java.util.Arrays; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; public class BasicFireEyeParser extends BasicParser { private static final long serialVersionUID = 6328907550159134550L; protected static final Logger LOG = LoggerFactory.getLogger(BasicFireEyeParser.class); String tsRegex = "([a-zA-Z]{3})\\s+(\\d+)\\s+(\\d+\\:\\d+\\:\\d+)\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+)"; Pattern tsPattern = Pattern.compile(tsRegex); // private transient static MetronGrok grok; // private transient static InputStream pattern_url; public BasicFireEyeParser() throws Exception { // pattern_url = getClass().getClassLoader().getResourceAsStream( // "patterns/fireeye"); // // File file = ParserUtils.stream2file(pattern_url); // grok = MetronGrok.create(file.getPath()); // // grok.compile("%{FIREEYE_BASE}"); } @Override public void init() { } @Override public List<JSONObject> parse(byte[] raw_message) { String toParse = ""; List<JSONObject> messages = new ArrayList<>(); try { toParse = new String(raw_message, "UTF-8"); // String[] mTokens = toParse.split(" "); String positveIntPattern = "<[1-9][0-9]*>"; Pattern p = Pattern.compile(positveIntPattern); Matcher m = p.matcher(toParse); String delimiter = ""; while (m.find()) { delimiter = m.group(); } if (!StringUtils.isBlank(delimiter)) { String[] tokens = toParse.split(delimiter); if (tokens.length > 1) toParse = delimiter + tokens[1]; } JSONObject toReturn = parseMessage(toParse); toReturn.put("timestamp", getTimeStamp(toParse, delimiter)); messages.add(toReturn); return messages; } catch (Exception e) { e.printStackTrace(); return null; } } private long getTimeStamp(String toParse, String delimiter) throws ParseException { long ts = 0; String month = null; String day = null; String time = null; Matcher tsMatcher = tsPattern.matcher(toParse); if (tsMatcher.find()) { month = tsMatcher.group(1); day = tsMatcher.group(2); time = tsMatcher.group(3); } else { LOG.warn("Unable to find timestamp in message: " + toParse); ts = ParserUtils.convertToEpoch(month, day, time, true); } return ts; } private JSONObject parseMessage(String toParse) { // System.out.println("Received message: " + toParse); // MetronMatch gm = grok.match(toParse); // gm.captures(); JSONObject toReturn = new JSONObject(); //toParse = toParse.replaceAll(" ", " "); String[] mTokens = toParse.split("\\s+"); //mTokens = toParse.split(" "); // toReturn.putAll(gm.toMap()); String id = mTokens[4]; // We are not parsing the fedata for multi part message as we cannot // determine how we can split the message and how many multi part // messages can there be. // The message itself will be stored in the response. String[] tokens = id.split("\\."); if (tokens.length == 2) { String[] array = Arrays.copyOfRange(mTokens, 1, mTokens.length - 1); String syslog = Joiner.on(" ").join(array); Multimap<String, String> multiMap = formatMain(syslog); for (String key : multiMap.keySet()) { String value = Joiner.on(",").join(multiMap.get(key)); toReturn.put(key, value.trim()); } } toReturn.put("original_string", toParse); String ip_src_addr = (String) toReturn.get("dvc"); String ip_src_port = (String) toReturn.get("src_port"); String ip_dst_addr = (String) toReturn.get("dst_ip"); String ip_dst_port = (String) toReturn.get("dst_port"); if (ip_src_addr != null) toReturn.put("ip_src_addr", ip_src_addr); if (ip_src_port != null) toReturn.put("ip_src_port", ip_src_port); if (ip_dst_addr != null) toReturn.put("ip_dst_addr", ip_dst_addr); if (ip_dst_port != null) toReturn.put("ip_dst_port", ip_dst_port); System.out.println(toReturn); return toReturn; } private Multimap<String, String> formatMain(String in) { Multimap<String, String> multiMap = ArrayListMultimap.create(); String input = in.replaceAll("cn3", "dst_port").replaceAll("cs5", "cncHost").replaceAll("proto", "protocol") .replaceAll("rt=", "timestamp=").replaceAll("cs1", "malware").replaceAll("dst=", "dst_ip=") .replaceAll("shost", "src_hostname").replaceAll("dmac", "dst_mac").replaceAll("smac", "src_mac") .replaceAll("spt", "src_port").replaceAll("\\bsrc\\b", "src_ip"); String[] tokens = input.split("\\|"); if (tokens.length > 0) { String message = tokens[tokens.length - 1]; String pattern = "([\\w\\d]+)=([^=]*)(?=\\s*\\w+=|\\s*$) "; Pattern p = Pattern.compile(pattern); Matcher m = p.matcher(message); while (m.find()) { String[] str = m.group().split("="); multiMap.put(str[0], str[1]); } } return multiMap; } }