
Commit a78f8f3

committed
Updated configuration files
app.conf - updated to new version 4.2.1. props.conf - added new source types and enabled them for dropdown lookups. Also added a direction field to the asus and wrt source types, derived from the IN and OUT fields.
1 parent cda3c61 commit a78f8f3


2 files changed

+73
-37
lines changed


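--- a/default/app.conf
+++ b/default/app.conf
@@ -1,11 +1,11 @@
 [ui]
 is_visible = 1
-label = home | monitor > 4.2.0
+label = home | monitor > 4.2.1
 
 [launcher]
 author = Kamilo Amir
 description = Home Monitor offers a simple view into your home network traffic based on the syslog data being gathered from your home router.
-version = 4.2.0
+version = 4.2.1
 
 [install]
 is_configured = 0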

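--- a/default/props.conf
+++ b/default/props.conf
@@ -1,47 +1,99 @@
 [syslog]
-TRANSFORMS-changesourcetype = fios, pfsense, asus, netgear, skyhub, linksys, mikro
+TRANSFORMS-changesourcetype = asus, fios, link sys, mikro, netgear, openwrt, pfsense, sophos, skyhub
+
+[asus]
+# Based on Asus RT-N66U router syslog output.
+FIELDALIAS-dst = DST as dest_ip
+FIELDALIAS-dpt = DPT as dest_port
+FIELDALIAS-proto = PROTO as protocol
+FIELDALIAS-SPT = SPT as src_port
+FIELDALIAS-SRC = SRC as src_ip
+EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
+EVAL-direction = if(match(OUT,"etc*"), "out", "in")
+pulldown_type = 1
+LOOKUP-action_lookup = action_lookup action OUTPUT action2
+LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
 
 [fios]
 EXTRACT-action = ^(?:[^ \n]* ){10}(?P<action>\w+)
 EXTRACT-direction = ^(?:[^ \n]* ){9}(?P<direction>\w+)
 EXTRACT-state,protocol,src_ip,src_port,dest_ip,dest_port = ^[^\]\n]*\]\s+(?P<state>\w+\s+\w+)[^:\n]*:\s+(?P<protocol>\w+)\s+(?P<src_ip>[^:]+):(?P<src_port>[^ ]+)[^\[\n]*\[(?P<dest_ip>[^:]+):(?P<dest_port>\d+)
 EXTRACT-src_ip,src_port,dest_ip,dest_port = ^[^\(\n]*\(\w+\s+(?P<src_ip>[^:]+):(?P<src_port>\d+)\->(?P<dest_ip>[^:]+):(?P<dest_port>\d+)
-LOOKUP-fios = action_lookup action OUTPUTNEW action2
+pulldown_type = 1
+LOOKUP-action_lookup = action_lookup action OUTPUT action2
+LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
 
-[pfsense]
-EXTRACT-application = ^(?:[^ \n]* ){7}(?P<application>\w+)
-EXTRACT-action,direction,protocol,length,src_ip,dest_ip,src_port,dest_port,data_length = ^(?:[^,\n]*,){6}(?P<action>[a-z]+),(?P<direction>[a-z]+)(?:[^,\n]*,){9}(?P<protocol>[^,]+),(?P<length>[^,]+),(?P<src_ip>[^,]+),(?P<dest_ip>[^,]+),(?P<src_port>[^,]+),(?P<dest_port>[^,]+),(?P<data_length>.+)
-EXTRACT-nat_ip,nat_mac,nat_hostname = ^(?:[^:\n]*:){5}\s+\w+\s+\w+\s+(?P<nat_ip>[^ ]+) from (?P<nat_mac>[^ ]+)\s+\((?P<nat_hostname>\w+)
+[linksys]
+DATETIME_CONFIG = CURRENT
+NO_BINARY_CHECK = true
+SHOULD_LINEMERGE = false
+category = Custom
+EXTRACT-src_ip,dest_ip,linksys_src_port,action = ^(?P<src_ip>[^ ]+) to (?P<dest_ip>[^:]+):(?P<linksys_src_port>[a-z]+) is (?P<action>.+)
+LOOKUP-linksys_src_port_lookup = linksys_src_port_lookup linksys_src_port OUTPUTNEW src_port
 LOOKUP-action_lookup = action_lookup action OUTPUT action2
-EXTRACT-ip_v = ^(?:[^,\n]*,){8}(?P<ip_v>\d+)
-EXTRACT-src_ipv6,dest_ipv6 = ^\w+\s+\d+\s+\d+:\d+:\d+\s+\w+\.\w+\.\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\w+:\s+\d+,\d+,,\d+,\w+\d+,\w+,\w+,\w+,\d+,\d+\w+\d+,\d+\w+\d+,\d+,\w+\d+,\d+,\d+,(?P<src_ipv6>[^,]+),(?P<dest_ipv6>[^,]+)
-EXTRACT-snort_classification,priority,snort_protocol,src_ip_snort,src_port_snort,dest_ip_snort,dest_port_snort = ^(?:[^:\n]*:){8}\s+(?P<snort_classification>[^\]]+)[^\[\n]*\[\w+:\s+(?P<priority>[^\]]+)[^ \n]* \{(?P<snort_protocol>\w+)[^ \n]* (?P<src_ip_snort>[^:]+):(?P<src_port_snort>[^ ]+)[^>\n]*>\s+(?P<dest_ip_snort>[^:]+):(?P<dest_port_snort>\d+)
-EXTRACT-user_openvpn,src_ip_openvpn,src_port_openvpn,vip_openvpn = ^(?:[^ \n]* ){8}(?P<user_openvpn>\w+)/(?P<src_ip_openvpn>[^:]+):(?P<src_port_openvpn>\d+)(?:[^ \n]* ){3}(?P<vip_openvpn>[^ ]+)
-EXTRACT-openvpn_status,openvpn_desc = ^(?:[^ \n]* ){9}(?P<openvpn_status>[^:]+):\s+(?P<openvpn_desc>.+)
+LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
+pulldown_type = true
+
+[mikro]
+EXTRACT-hostname = ^(?:[^ \n]* ){7}(?P<hostname>\w+)
+EXTRACT-protocol = ^(?:[^,\n]*,){2}\s+\w+\s+(?P<protocol>\w+)
+EXTRACT-src_ip,src_port = ^(?:[^,\n]*,){4}\s+(?P<src_ip>[^:]+)[^:\n]*:(?P<src_port>\d+)
+EXTRACT-dest_ip,dest_port = ^[^>\n]*>(?P<dest_ip>[^:]+)[^:\n]*:(?P<dest_port>\d+)
+EXTRACT-direction = ^(?:[^ \n]* ){9}(?P<direction>\w+)
 LOOKUP-action_lookup = action_lookup action OUTPUT action2
 LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
+pulldown_type = true
 
-[asus]
-# Based on Asus RT-N66U router syslog output.
+[netgear]
+# Based on Netgear FV318N router syslog output.
 FIELDALIAS-dst = DST as dest_ip
 FIELDALIAS-dpt = DPT as dest_port
 FIELDALIAS-proto = PROTO as protocol
 FIELDALIAS-SPT = SPT as src_port
 FIELDALIAS-SRC = SRC as src_ip
-EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
+EXTRACT-action = (?i) LOG_PACKET\[(?P<action>[^\]]+)
 pulldown_type = 1
 LOOKUP-action_lookup = action_lookup action OUTPUT action2
+LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
 
-[netgear]
-# Based on Netgear FV318N router syslog output.
+[openwrt]
+# Based on Asus RT-N66U router syslog output.
 FIELDALIAS-dst = DST as dest_ip
 FIELDALIAS-dpt = DPT as dest_port
 FIELDALIAS-proto = PROTO as protocol
 FIELDALIAS-SPT = SPT as src_port
 FIELDALIAS-SRC = SRC as src_ip
-EXTRACT-action = (?i) LOG_PACKET\[(?P<action>[^\]]+)
+EXTRACT-action = ^[^\]\n]*\]\s+(?P<action>\w+)
+EVAL-direction = if(match(OUT,"etc*"), "out", "in")
+EXTRACT-nat_ip,nat_port = ^(?:[^>\n]*>){2}(?P<nat_ip>[^:]+)[^:\n]*:(?P<nat_port>[^\)]+)
+LOOKUP-action_lookup = action_lookup action OUTPUT action2
+LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
 pulldown_type = 1
+
+[pfsense]
+EXTRACT-application = ^(?:[^ \n]* ){7}(?P<application>\w+)
+EXTRACT-action,direction,protocol,length,src_ip,dest_ip,src_port,dest_port,data_length = ^(?:[^,\n]*,){6}(?P<action>[a-z]+),(?P<direction>[a-z]+)(?:[^,\n]*,){9}(?P<protocol>[^,]+),(?P<length>[^,]+),(?P<src_ip>[^,]+),(?P<dest_ip>[^,]+),(?P<src_port>[^,]+),(?P<dest_port>[^,]+),(?P<data_length>.+)
+EXTRACT-nat_ip,nat_mac,nat_hostname = ^(?:[^:\n]*:){5}\s+\w+\s+\w+\s+(?P<nat_ip>[^ ]+) from (?P<nat_mac>[^ ]+)\s+\((?P<nat_hostname>\w+)
+EXTRACT-ip_v = ^(?:[^,\n]*,){8}(?P<ip_v>\d+)
+EXTRACT-src_ipv6,dest_ipv6 = ^\w+\s+\d+\s+\d+:\d+:\d+\s+\w+\.\w+\.\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\w+:\s+\d+,\d+,,\d+,\w+\d+,\w+,\w+,\w+,\d+,\d+\w+\d+,\d+\w+\d+,\d+,\w+\d+,\d+,\d+,(?P<src_ipv6>[^,]+),(?P<dest_ipv6>[^,]+)
+EXTRACT-snort_classification,priority,snort_protocol,src_ip_snort,src_port_snort,dest_ip_snort,dest_port_snort = ^(?:[^:\n]*:){8}\s+(?P<snort_classification>[^\]]+)[^\[\n]*\[\w+:\s+(?P<priority>[^\]]+)[^ \n]* \{(?P<snort_protocol>\w+)[^ \n]* (?P<src_ip_snort>[^:]+):(?P<src_port_snort>[^ ]+)[^>\n]*>\s+(?P<dest_ip_snort>[^:]+):(?P<dest_port_snort>\d+)
+EXTRACT-user_openvpn,src_ip_openvpn,src_port_openvpn,vip_openvpn = ^(?:[^ \n]* ){8}(?P<user_openvpn>\w+)/(?P<src_ip_openvpn>[^:]+):(?P<src_port_openvpn>\d+)(?:[^ \n]* ){3}(?P<vip_openvpn>[^ ]+)
+EXTRACT-openvpn_status,openvpn_desc = ^(?:[^ \n]* ){9}(?P<openvpn_status>[^:]+):\s+(?P<openvpn_desc>.+)
 LOOKUP-action_lookup = action_lookup action OUTPUT action2
+LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
+pulldown_type = 1
+
+[sophos]
+FIELDALIAS-srcip = srcip as src_ip
+FIELDALIAS-srcport = srcport as src_port
+FIELDALIAS-dstip = dstip as dest_ip
+FIELDALIAS-dstport = dstport as dest_port
+FIELDALIAS-dstmac = dstmac as dest_mac
+FIELDALIAS-proto = proto as protocol
+FIELDALIAS-fwrule = fwrule as firewall_rule
+LOOKUP-action_lookup = action_lookup action OUTPUT action2
+LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
+pulldown_type = 1
 
 [skyhub]
 # Based on Skyhub SR101 router syslog output.
@@ -51,22 +103,6 @@ FIELDALIAS-proto = PROTO as protocol
 FIELDALIAS-SPT = SPT as src_port
 FIELDALIAS-SRC = SRC as src_ip
 EXTRACT-action = (?i) kernel: (?P<action>[^\-]+)
-pulldown_type = 1
 LOOKUP-action_lookup = action_lookup action OUTPUT action2
-
-[linksys]
-DATETIME_CONFIG = CURRENT
-NO_BINARY_CHECK = true
-SHOULD_LINEMERGE = false
-category = Custom
-pulldown_type = true
-EXTRACT-src_ip,dest_ip,linksys_src_port,action = ^(?P<src_ip>[^ ]+) to (?P<dest_ip>[^:]+):(?P<linksys_src_port>[a-z]+) is (?P<action>.+)
-LOOKUP-linksys_src_port_lookup = linksys_src_port_lookup linksys_src_port OUTPUTNEW src_port
-
-[mikro]
-EXTRACT-hostname = ^(?:[^ \n]* ){7}(?P<hostname>\w+)
-EXTRACT-protocol = ^(?:[^,\n]*,){2}\s+\w+\s+(?P<protocol>\w+)
-EXTRACT-src_ip,src_port = ^(?:[^,\n]*,){4}\s+(?P<src_ip>[^:]+)[^:\n]*:(?P<src_port>\d+)
-EXTRACT-dest_ip,dest_port = ^[^>\n]*>(?P<dest_ip>[^:]+)[^:\n]*:(?P<dest_port>\d+)
-EXTRACT-direction = ^(?:[^ \n]* ){9}(?P<direction>\w+)
-EXTRACT-nat_ip,nat_port = ^(?:[^>\n]*>){2}(?P<nat_ip>[^:]+)[^:\n]*:(?P<nat_port>[^\)]+)
+LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
+pulldown_type = 1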
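Review bot: The rewritten `TRANSFORMS-changesourcetype` list at new line 2 names `link sys` with a space, while the stanza it is meant to route to is `[linksys]` (new line 26) and the old list spelled it `linksys`; unless a transform stanza literally named `link sys` exists, the linksys sourcetype rewrite silently stops matching and those events stay on `syslog`, so the line should read `TRANSFORMS-changesourcetype = asus, fios, linksys, mikro, netgear, openwrt, pfsense, sophos, skyhub`. The `EVAL-direction` added in `[asus]` (new line 12) and `[openwrt]` (new line 67) uses `match(OUT,"etc*")`, an unanchored pattern meaning "et" followed by any number of "c"; it happens to match `eth0` but also any OUT value containing `et`, and `etc*` reads like a typo for an anchored `^eth` — worth confirming against sample events, since a mislabelled direction misclassifies traffic in the monitor's views. `pulldown_type` is written `true` in `[linksys]` and the new `[mikro]` stanza but `1` in every other stanza; pick one form for the file. The `[openwrt]` header comment at new line 60 repeats the Asus RT-N66U note from `[asus]` verbatim — if it was copied rather than intended, replace it with `# Based on OpenWrt router syslog output.`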
