in metron-platform/metron-parsing/metron-parsers/src/main/java/org/apache/metron/parsers/sourcefire/BasicSourcefireParser.java [56:123]
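/**
 * Parses one raw Sourcefire event into a single JSON record.
 *
 * <p>The message is decoded with {@code getReadCharset()}, then the text from the last
 * {@code '{'} onward is expected to look like {@code {PROTO} src[:port] -> dst[:port]}.
 * From that tail the record receives {@code key} (the tail itself), {@code protocol},
 * {@code ip_src_addr}/{@code ip_src_port}, {@code ip_dst_addr}/{@code ip_dst_port}
 * (ports only when the endpoint carries one), {@code timestamp} (ingest time, not a
 * time taken from the message), {@code original_string} and {@code signature_id}.
 *
 * <p>This method is the boundary for untrusted input: any failure while slicing the
 * message (missing braces or arrow, an endpoint of the form {@code addr:} with no port,
 * an undecodable charset) is caught, logged with its stack trace, and turned into a
 * {@code null} return rather than an exception to the caller.
 *
 * @param msg the raw event bytes as received from the transport
 * @return a one-element list holding the parsed record, or {@code null} when the
 *         message could not be parsed (existing callers may rely on the {@code null};
 *         this contract is kept as it was)
 */
public List<JSONObject> parse(byte[] msg) {
  JSONObject payload = new JSONObject();
  List<JSONObject> messages = new ArrayList<>();
  String toParse = "";
  try {
    toParse = new String(msg, getReadCharset());
    // The full raw message is written to the log here and on the failure paths below;
    // keep that in mind if the events can carry sensitive payload text.
    _LOG.debug("Received message: {}", toParse);

    // Everything before the last '{' is ignored; substring(-1) throws when there is no
    // '{' at all, which the catch below reports as a parse failure.
    String tail = toParse.substring(toParse.lastIndexOf("{"));
    payload.put("key", tail);

    // tail starts with '{', so the protocol is the text up to the first '}'.
    // Locale.ROOT keeps the lower-casing stable regardless of the JVM's default locale.
    String protocol = tail.substring(1, tail.indexOf("}")).toLowerCase(java.util.Locale.ROOT);
    payload.put("protocol", protocol);

    String source = tail.substring(tail.indexOf("}") + 1, tail.indexOf("->")).trim();
    String dest = tail.substring(tail.indexOf("->") + 2).trim();
    putEndpoint(payload, source, "ip_src_addr", "ip_src_port");
    putEndpoint(payload, dest, "ip_dst_addr", "ip_dst_port");

    // Ingest time; nothing in the message text is used for the timestamp.
    payload.put("timestamp", System.currentTimeMillis());

    // sidPattern is declared elsewhere in this class. From the way the groups are
    // used here it appears to capture (prefix)(sid)(suffix) -- confirm against its definition.
    Matcher sidMatcher = sidPattern.matcher(toParse);
    String originalString;
    String signatureId = "";
    if (sidMatcher.find()) {
      signatureId = sidMatcher.group(2);
      originalString = sidMatcher.group(1) + " " + sidMatcher.group(2) + " " + sidMatcher.group(3);
    } else {
      _LOG.warn("Unable to find SID in message: {}", toParse);
      originalString = toParse;
    }
    payload.put("original_string", originalString);
    payload.put("signature_id", signatureId);

    messages.add(payload);
    return messages;
  } catch (Exception e) {
    // Log the cause through the logger instead of printStackTrace() so the stack trace
    // lands in the same place as the message and is not lost on stderr.
    _LOG.error("Failed to parse: {}", toParse, e);
    return null;
  }
}

/**
 * Stores one endpoint token of the form {@code addr} or {@code addr:port} into the payload.
 *
 * <p>When the token contains a {@code ':'} it is split on it and the first two pieces become
 * the address and port. {@code String.split} drops trailing empty tokens, so {@code "addr:"}
 * yields a single piece and indexing the port throws; that exception is intentionally left to
 * propagate to the caller's catch-all, which treats it as a parse failure.
 *
 * @param payload the record being built
 * @param endpoint the endpoint text, already trimmed
 * @param addrKey the key under which the address is stored
 * @param portKey the key under which the port is stored, if present
 */
private static void putEndpoint(JSONObject payload, String endpoint, String addrKey, String portKey) {
  if (endpoint.contains(":")) {
    String[] parts = endpoint.split(":");
    payload.put(addrKey, parts[0]);
    payload.put(portKey, parts[1]);
  } else {
    payload.put(addrKey, endpoint);
  }
}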