From f277c96d59750005dab867f4027a459496125ed6 Mon Sep 17 00:00:00 2001
From: inspired <mikael@bjerkeland.com>
Date: Wed, 5 Oct 2016 08:46:02 +0200
Subject: [PATCH] Update transforms.conf

---
 default/transforms.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/default/transforms.conf b/default/transforms.conf
index 2294943..f85b7c4 100644
--- a/default/transforms.conf
+++ b/default/transforms.conf
@@ -129,16 +129,16 @@ SOURCE_KEY = message_text
 ##################################### Specific extractions below
 
 [extract_cisco_ios-acl]
-REGEX = (IPACCESSLOGP|IPACCESSLOGSP|IPACCESSLOGRP|IPACCESSLOGNP|ACCESSLOGP|ACCESSLOGSP|ACCESSLOGNP)(\s)?:(?:.+) list\s(?<rule>.+)\s(?<vendor_action>denied|permitted)\s(?<proto>\d+|tcp|udp|igmp|ipinip|gre|eigrp|ospf|nosip|pim|sctp)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_int>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))(\(?(?<dest_port>\d+)?\))?(, (?<num_packets>\S+) packet(s)?)?(\s\[(?<correlation_tag>\S+)\])?
+REGEX = (IPACCESSLOGP|IPACCESSLOGSP|IPACCESSLOGRP|IPACCESSLOGNP|ACCESSLOGP|ACCESSLOGSP|ACCESSLOGNP)(\s)?:(?:.+)list\s(?<rule>.+)\s(?<vendor_action>denied|permitted)\s(?<proto>\d+|tcp|udp|igmp|ipinip|gre|eigrp|ospf|nosip|pim|sctp)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_int>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))(\(?(?<dest_port>\d+)?\))?(, (?<num_packets>\S+) packet(s)?)?(\s\[(?<correlation_tag>\S+)\])?
 
 [extract_cisco_ios-acl-2]
-REGEX = IPACCESSLOGS(\s)?:(?:.+) list (?<rule>.+) (?<vendor_action>denied|permitted) (?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)) (?<num_packets>\d+) packet(s)?(\s\[(?<correlation_tag>\S+)\])?
+REGEX = IPACCESSLOGS(\s)?:(?:.+)list (?<rule>.+) (?<vendor_action>denied|permitted) (?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)) (?<num_packets>\d+) packet(s)?(\s\[(?<correlation_tag>\S+)\])?
 
 [extract_cisco_ios-acl-3]
-REGEX = (ACCESSLOGDP|IPACCESSLOGDP)(\s)?:(?:.+) list\s(?<rule>.+)\s(?<vendor_action>denied|permitted)\s(?<proto>\d+|icmp|icmpv6)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_int>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)) (\(?(?<icmp_code_id>\d+)\/(?<icmp_type>\d+)?\))?(, (?<num_packets>\S+) packet(s)?)?(\s\[(?<correlation_tag>\S+)\])?
+REGEX = (ACCESSLOGDP|IPACCESSLOGDP)(\s)?:(?:.+)list\s(?<rule>.+)\s(?<vendor_action>denied|permitted)\s(?<proto>\d+|icmp|icmpv6)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_int>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)) (\(?(?<icmp_code_id>\d+)\/(?<icmp_type>\d+)?\))?(, (?<num_packets>\S+) packet(s)?)?(\s\[(?<correlation_tag>\S+)\])?
 
 [extract_cisco_ios-acl-4]
-REGEX = SGACLHIT(\s)?:(?:.+) list\s(?<rule>.+)\s(?<vendor_action>denied|permitted|Denied|Permitted)\s(?<proto>\d+|tcp|udp|igmp|ipinip|gre|eigrp|ospf|nosip|pim|sctp)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_int>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))(\(?(?<dest_port>\d+)?\))?(, SGT\s?(?<src_group_tag>\d+) DGT\s?(?<dest_group_tag>\d+))?
+REGEX = SGACLHIT(\s)?:(?:.+)list\s(?<rule>.+)\s(?<vendor_action>denied|permitted|Denied|Permitted)\s(?<proto>\d+|tcp|udp|igmp|ipinip|gre|eigrp|ospf|nosip|pim|sctp)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_int>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))(\(?(?<dest_port>\d+)?\))?(, SGT\s?(?<src_group_tag>\d+) DGT\s?(?<dest_group_tag>\d+))?
 
 [extract_cisco_ios-acl-nexus]
 REGEX = %ACLLOG-.+-(ACLLOG_NEW_FLOW|ACLLOG_FLOW_INTERVAL)(\s)?: Source IP: (?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)), Destination IP: (?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)), Source Port: (?<src_port>\d+), Destination Port: (?<dest_port>\d+), Source Interface: (?<src_int>\S+)?, Protocol: "(?<proto>\S+)"\((?<proto_port>\d+)\), Hit-count = (?<num_packets>\d+)