Repository: metron Updated Branches: refs/heads/master 8022f2c8c -> 59fe1b453
METRON-1088 Upgrade bro to 2.5.2 (JonZeolla) closes apache/metron#844 Project: http://git-wip-us.apache.org/repos/asf/metron/repo Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/59fe1b45 Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/59fe1b45 Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/59fe1b45 Branch: refs/heads/master Commit: 59fe1b453279bf5c7df627ea656c762b3a98e777 Parents: 8022f2c Author: JonZeolla <zeo...@gmail.com> Authored: Wed Nov 22 20:37:38 2017 -0500 Committer: JonZeolla <jonzeo...@apache.org> Committed: Wed Nov 22 20:37:38 2017 -0500 ---------------------------------------------------------------------- .../inventory/full-dev-platform/group_vars/all | 2 +- .../inventory/quick-dev-platform/group_vars/all | 2 +- .../CURRENT/package/files/bro_index.template | 472 ++++++++++++++++++- .../playbooks/docker_probe_install.yml | 2 +- metron-deployment/roles/bro/tasks/bro.yml | 3 + .../roles/bro/tasks/dependencies.yml | 11 + .../roles/bro/tasks/metron-bro-plugin-kafka.yml | 3 + metron-deployment/roles/bro/vars/main.yml | 2 +- .../sample/data/bro/parsed/BroExampleParsed | 4 + .../main/sample/data/bro/raw/BroExampleOutput | 4 + .../metron/parsers/bro/BasicBroParserTest.java | 226 +++++++++ 11 files changed, 711 insertions(+), 20 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/inventory/full-dev-platform/group_vars/all ---------------------------------------------------------------------- diff --git a/metron-deployment/inventory/full-dev-platform/group_vars/all b/metron-deployment/inventory/full-dev-platform/group_vars/all index 9aa04ab..08e405b 100644 --- a/metron-deployment/inventory/full-dev-platform/group_vars/all +++ b/metron-deployment/inventory/full-dev-platform/group_vars/all 
@@ -42,7 +42,7 @@ enrichment_hbase_table: enrichment
 # metron
 metron_version: 0.4.2
 metron_directory: /usr/metron/{{ metron_version }}
-bro_version: "2.4.2"
+bro_version: "2.5.2"
 fixbuf_version: "1.7.1"
 yaf_version: "2.8.0"
 daq_version: "2.0.6-1"
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/inventory/quick-dev-platform/group_vars/all
----------------------------------------------------------------------
diff --git a/metron-deployment/inventory/quick-dev-platform/group_vars/all b/metron-deployment/inventory/quick-dev-platform/group_vars/all
index 28f235d..d2d8590 100644
--- a/metron-deployment/inventory/quick-dev-platform/group_vars/all
+++ b/metron-deployment/inventory/quick-dev-platform/group_vars/all
@@ -41,7 +41,7 @@ enrichment_hbase_table: enrichment
 # metron
 metron_version: 0.4.2
 metron_directory: /usr/metron/{{ metron_version }}
-bro_version: "2.4.2"
+bro_version: "2.5.2"
 fixbuf_version: "1.7.1"
 yaf_version: "2.8.0"
 daq_version: "2.0.6-1"
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template
index 3a68d75..b0103f2 100644
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template
@@ -118,7 +118,7 @@
 },
 "match": "threat:triage:rules:*:name",
 "match_mapping_type": "*"
- }
+ }
 }
 ],
 "properties": {
@@ -171,6 +171,12 @@ * https://www.bro.org/sphinx/scripts/base/protocols/http/main.bro.html#type-HTTP::Info * * Notable Fields + * Field: method + * Notes: Field exists in the HTTP and SIP logs + * + * Field: uri + * Notes: Field exists in the HTTP and SIP logs + * * Field: password * Notes: Field exists in the HTTP and FTP logs * @@ -178,19 +184,31 @@ * Notes: Field exists in the HTTP and FTP logs * * Field: trans_depth - * Notes: Field exists in the HTTP and SMTP logs + * Notes: Field exists in the HTTP, SMTP, and SIP logs * * Field: user_agent - * Notes: Field exists in the HTTP and SMTP logs + * Notes: Field exists in the HTTP, SMTP, and SIP logs * * Field: version * Notes: Field exists in the HTTP, SSL, and SSH logs * * Field: host - * Notes: Field exists in the HTTP and Software logs + * Notes: Field exists in the HTTP, KnownCerts, and Software logs * * Field: username * Notes: Field exists in the HTTP and RADIUS logs + * + * Field: status_code + * Notes: Field exists in the HTTP and SIP logs + * + * Field: status_msg + * Notes: Field exists in the HTTP and SIP logs + * + * Field: request_body_len + * Notes: Field exists in the HTTP and SIP logs + * + * Field: response_body_len + * Notes: Field exists in the HTTP and SIP logs */ "trans_depth": { "type": "integer" @@ -232,6 +250,17 @@ "type": "string", "index": "not_analyzed" }, + "info_code": { + "type": "integer" + }, + "info_msg": { + "type": "string", + "index": "not_analyzed" + }, + "tags": { + "type": "string", + "index": "not_analyzed" + }, "username": { "type": "string", "index": "not_analyzed" 
@@ -240,8 +269,27 @@ "type": "string", "index": "not_analyzed" }, - "capture_password": { - "type": "boolean" + "proxied": { + "type": "string", + "index": "not_analyzed" + }, + "orig_fuids": { + "type": "string" + }, + "orig_filenames": { + "type": "string" + }, + "orig_mime_types": { + "type": "string" + }, + "resp_fuids": { + "type": "string" + }, + "resp_filenames": { + "type": "string" + }, + "resp_mime_types": { + "type": "string" }, /* * DNS log support @@ -253,6 +301,10 @@ * * Field: trans_id * Notes: Field exists in the DNS and DHCP logs + * + * Field: rtt + * Notes: This field uses the "interval" type, which may need handled differently. + * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval */ "proto": { "type": "string", @@ -261,6 +313,10 @@ "trans_id": { "type": "long" }, + "rtt": { + "type": "string", + "index": "not_analyzed" + }, "query": { "type": "string", "index": "not_analyzed" @@ -304,6 +360,9 @@ "answers": { "type": "string" }, + "TTLs": { + "type": "string" + }, "rejected": { "type": "boolean" }, @@ -406,7 +465,7 @@ * Notes: Field exists in the FTP and Files logs * * Field: fuid - * Notes: Field exists in the FTP and Notice logs + * Notes: Field exists in the FTP, Files, and Notice logs */ "user": { "type": "string", @@ -470,6 +529,15 @@ * * Field: mime_type * Notes: Field exists in the FTP and Files logs + * + * Field: duration + * Notes: Field exists in the Conn and Files logs + * + * Field: local_orig + * Notes: Field exists in the Conn and Files logs + * + * Field: fuid + * Notes: Field exists in the FTP, Files, and Notice logs */ "conn_uids": { "type": "string", 
@@ -524,13 +592,26 @@ "type": "string", "index": "not_analyzed" }, + "extracted": { + "type": "string", + "index": "not_analyzed" + }, + "extracted_cutoff": { + "type": "boolean" + }, + "extracted_size": { + "type": "long" + }, /* * Known::CertInfo log support * https://www.bro.org/sphinx/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo * * Notable Fields + * Field: host + * Notes: Field exists in the HTTP, KnownCerts, and Software logs + * * Field: subject - * Notes: Field exists in the Known::CertInfo and SMTP logs + * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs */ "port_num": { "type": "integer" @@ -552,8 +633,20 @@ * https://www.bro.org/sphinx/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info * * Notable Fields + * Field: trans_depth + * Notes: Field exists in the HTTP, SMTP, and SIP logs + * + * Field: date + * Notes: Field exists in the SMTP and SIP logs + * * Field: subject - * Notes: Field exists in the Known::CertInfo and SMTP logs + * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs + * + * Field: reply_to + * Notes: Field exists in the SMTP and SIP logs + * + * Field: user_agent + * Notes: Field exists in the HTTP, SMTP, and SIP logs */ "helo": { "type": "string", @@ -579,6 +672,10 @@ "type": "string", "analyzer": "simple" }, + "cc": { + "type": "string", + "analyzer": "simple" + }, "reply_to": { "type": "string", "analyzer": "simple" @@ -627,6 +724,9 @@ * Notable Fields * Field: version * Notes: Field exists in the HTTP, SSL, and SSH logs + * + * Field: subject + * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs */ "cipher": { "type": "string", @@ -643,6 +743,13 @@ "resumed": { "type": "boolean" }, + "server_appdata": { + "type": "string", + "index": "not_analyzed" + }, + "client_appdata": { + "type": "boolean" + }, "last_alert": { "type": "string", "index": "not_analyzed" 
@@ -654,9 +761,38 @@ "established": { "type": "boolean" }, + "cert_chain_fuids": { + "type": "string" + }, + "client_cert_chain_fuids": { + "type": "string" + }, + "issuer": { + "type": "string", + "index": "not_analyzed" + }, + "client_subject": { + "type": "string", + "index": "not_analyzed" + }, + "client_issuer": { + "type": "string", + "index": "not_analyzed" + }, + "validation_status": { + "type": "string", + "index": "not_analyzed" + }, /* * Weird log support * https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info + * + * Notable Fields + * Field: peer + * Notes: Field exists in the Weird, CaptureLoss, and Stats logs + * + * Field: name + * Notes: Field exists in the Weird and LoadedScripts logs */ "name": { "type": "string", @@ -679,10 +815,25 @@ * * Notable Fields * Field: fuid - * Notes: Field exists in the FTP and Notice logs + * Notes: Field exists in the FTP, Files, and Notice logs * * Field: proto * Notes: Field exists in the DNS, Conn, DPD, and Notice logs + * + * Field: remote_location:country_code + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:region + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:city + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:latitude + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:longitude + * Notes: Field exists in the Notice and SSH logs */ "file_mime_type": { "type": "string", 
@@ -736,16 +887,31 @@ "dropped": { "type": "boolean" }, + "remote_location:country_code": { + "type": "string" + }, + "remote_location:region": { + "type": "string" + }, + "remote_location:city": { + "type": "string" + }, + "remote_location:latitude": { + "type": "double" + }, + "remote_location:longitude": { + "type": "double" + }, /* * DHCP log support * https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html#type-DHCP::Info * * Notable Fields + * Field: mac + * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs + * * Field: trans_id * Notes: Field exists in the DNS and DHCP logs - * - * Field: mac - * Notes: Field exists in the DHCP, RADIUS, and Known::DevicesInfo logs */ "mac": { "type": "string", @@ -765,6 +931,21 @@ * Notable Fields * Field: version * Notes: Field exists in the HTTP, SSL, and SSH logs + * + * Field: remote_location:country_code + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:region + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:city + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:latitude + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:longitude + * Notes: Field exists in the Notice and SSH logs */ "auth_success": { "type": "boolean" @@ -815,7 +996,7 @@ * * Notable Fields * Field: host - * Notes: Field exists in the HTTP and Software logs + * Notes: Field exists in the HTTP, KnownCerts, and Software logs */ "host_p": { "type": "integer", 
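Review bot: The five `remote_location:*` geo fields added at the top of this hunk map `country_code`, `region` and `city` as analyzed `string`, unlike almost every other categorical string in this template (`username`, `proxied`, `validation_status`, ...), which is `not_analyzed`. With Elasticsearch's default analyzer those values would be tokenized and lowercased, so a terms aggregation on `remote_location:city` would return `new` and `york` rather than `New York`, and an exact term filter on `US` would not match. Unless free-text search over these values is intended, `"remote_location:country_code": { "type": "string", "index": "not_analyzed" }` (and the same for region and city) keeps them usable as keys for aggregation and filtering. The `mac` mapping the hunk ends on continues past the hunk boundary.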
@@ -858,8 +1039,15 @@ * Notes: Field exists in the HTTP and RADIUS logs * * Field: mac - * Notes: Field exists in the DHCP, RADIUS, and Known::DevicesInfo logs + * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs + * + * Field: ttl + * Notes: This field uses the "interval" type, which may need handled differently. + * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval */ + "framed_addr": { + "type": "ip" + }, "remote_ip": { "type": "ip" }, @@ -867,10 +1055,18 @@ "type": "string", "index": "not_analyzed" }, + "reply_msg": { + "type": "string", + "index": "not_analyzed" + }, "result": { "type": "string", "index": "not_analyzed" }, + "ttl": { + "type": "string", + "index": "not_analyzed" + }, /* * X509 log support * https://www.bro.org/sphinx/scripts/base/files/x509/main.bro.html#type-X509::Info 
@@ -963,11 +1159,255 @@ * * Notable Fields * Field: mac - * Notes: Field exists in the DHCP, RADIUS, and Known::DevicesInfo logs + * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs */ "dhcp_host_name": { "type": "string", "index": "not_analyzed" + }, + /* + * RFB::Info log support + * https://www.bro.org/sphinx-git/scripts/base/protocols/rfb/main.bro.html#type-RFB::Info + */ + "client_major_version": { + "type": "string", + "index": "not_analyzed" + }, + "client_minor_version": { + "type": "string", + "index": "not_analyzed" + }, + "server_major_version": { + "type": "string", + "index": "not_analyzed" + }, + "server_minor_version": { + "type": "string", + "index": "not_analyzed" + }, + "authentication_method": { + "type": "string", + "index": "not_analyzed" + }, + "auth": { + "type": "boolean" + }, + "share_flag": { + "type": "boolean" + }, + "desktop_name": { + "type": "string", + "index": "not_analyzed" + }, + "width": { + "type": "integer" + }, + "height": { + "type": "integer" + }, + /* + * Stats::Info log support + * https://www.bro.org/sphinx/scripts/policy/misc/stats.bro.html#type-Stats::Info + * + * Notable Fields + * Field: peer + * Notes: Field exists in the Weird, CaptureLoss, and Stats logs + * + * Field: pkt_lag + * Notes: This field uses the "interval" type, which may need handled differently. 
+ * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval + */ + "mem": { + "type": "integer" + }, + "pkts_proc": { + "type": "integer" + }, + "bytes_recv": { + "type": "integer" + }, + "pkts_dropped": { + "type": "integer" + }, + "pkts_link": { + "type": "integer" + }, + "pkt_lag": { + "type": "string", + "index": "not_analyzed" + }, + "events_proc": { + "type": "integer" + }, + "events_queued": { + "type": "integer" + }, + "active_tcp_conns": { + "type": "integer" + }, + "active_udp_conns": { + "type": "integer" + }, + "active_icmp_conns": { + "type": "integer" + }, + "tcp_conns": { + "type": "integer" + }, + "udp_conns": { + "type": "integer" + }, + "icmp_conns": { + "type": "integer" + }, + "timers": { + "type": "integer" + }, + "active_timers": { + "type": "integer" + }, + "files": { + "type": "integer" + }, + "active_files": { + "type": "integer" + }, + "dns_requests": { + "type": "integer" + }, + "active_dns_requests": { + "type": "integer" + }, + "reassem_tcp_size": { + "type": "integer" + }, + "reassem_file_size": { + "type": "integer" + }, + "reassem_frag_size": { + "type": "integer" + }, + "reassem_unknown_size": { + "type": "integer" + }, + /* + * CaptureLoss::Info log support + * https://www.bro.org/sphinx/scripts/policy/misc/capture-loss.bro.html#type-CaptureLoss::Info + * + * Notable Fields + * Field: ts_delta + * Notes: This field uses the "interval" type, which may need handled differently. 
+ * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval + * + * Field: peer + * Notes: Field exists in the Weird, CaptureLoss, and Stats logs + */ + "ts_delta": { + "type": "string", + "index": "not_analyzed" + }, + "gaps": { + "type": "integer", + "index": "not_analyzed" + }, + "acks": { + "type": "integer", + "index": "not_analyzed" + }, + "percent_lost": { + "type": "double", + "index": "not_analyzed" + }, + /* + * Reporter::Info log support + * https://www.bro.org/sphinx/scripts/base/frameworks/reporter/main.bro.html#type-Reporter::Info + */ + "level": { + "type": "string" + }, + "message": { + "type": "string", + "index": "not_analyzed" + }, + "location": { + "type": "string", + "index": "not_analyzed" + }, + /* + * SIP::Info log support + * https://www.bro.org/sphinx/scripts/base/protocols/sip/main.bro.html#type-SIP::Info + * + * Notable Fields + * Field: trans_depth + * Notes: Field exists in the HTTP, SMTP, and SIP logs + * + * Field: method + * Notes: Field exists in the HTTP and SIP logs + * + * Field: uri + * Notes: Field exists in the HTTP and SIP logs + * + * Field: date + * Notes: Field exists in the SMTP and SIP logs + * + * Field: reply_to + * Notes: Field exists in the SMTP and SIP logs + * + * Field: subject + * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs + * + * Field: user_agent + * Notes: Field exists in the HTTP, SMTP, and SIP logs + * + * Field: status_code + * Notes: Field exists in the HTTP and SIP logs + * + * Field: status_msg + * Notes: Field exists in the HTTP and SIP logs + * + * Field: request_body_len + * Notes: Field exists in the HTTP and SIP logs + * + * Field: response_body_len + * Notes: Field exists in the HTTP and SIP logs + */ + "request_from": { + "type": "string", + "index": "not_analyzed" + }, + "request_to": { + "type": "string", + "index": "not_analyzed" + }, + "response_from": { + "type": "string", + "index": "not_analyzed" + }, + "response_to": { + "type": "string", + "index": 
"not_analyzed"
+ },
+ "call_id": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "seq": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "request_path": {
+ "type": "string"
+ },
+ "response_path": {
+ "type": "string"
+ },
+ "warning": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "content_type": {
+ "type": "string",
+ "index": "not_analyzed"
+ }
 }
 }
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/playbooks/docker_probe_install.yml
----------------------------------------------------------------------
diff --git a/metron-deployment/playbooks/docker_probe_install.yml b/metron-deployment/playbooks/docker_probe_install.yml
index a58ea52..75aa81b 100644
--- a/metron-deployment/playbooks/docker_probe_install.yml
+++ b/metron-deployment/playbooks/docker_probe_install.yml
@@ -32,7 +32,7 @@
 vars:
 metron_version: 0.4.2
 metron_directory: /usr/metron/{{ metron_version }}
- bro_version: "2.4.2"
+ bro_version: "2.5.2"
 fixbuf_version: "1.7.1"
 yaf_version: "2.8.0"
 daq_version: "2.0.6-1"
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/roles/bro/tasks/bro.yml
----------------------------------------------------------------------
diff --git a/metron-deployment/roles/bro/tasks/bro.yml b/metron-deployment/roles/bro/tasks/bro.yml
index d751674..222ef0e 100644
--- a/metron-deployment/roles/bro/tasks/bro.yml
+++ b/metron-deployment/roles/bro/tasks/bro.yml
@@ -29,6 +29,9 @@
 - name: Compile and Install bro
 shell: "{{ item }}"
+ environment:
+ CXX: /opt/rh/devtoolset-4/root/usr/bin/g++
+ CC: /opt/rh/devtoolset-4/root/usr/bin/gcc
 args:
 chdir: "/tmp/bro-{{ bro_version }}"
 creates: "{{ bro_home }}/bin/bro"
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/roles/bro/tasks/dependencies.yml
----------------------------------------------------------------------
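Review bot: The Stats counters added in this hunk (`bytes_recv`, `pkts_proc`, `pkts_link`, `events_proc`, `timers` and the `reassem_*_size` values) are mapped as `integer`, a signed 32-bit type in Elasticsearch, although they are byte, packet and event counters that a busy sensor can push past 2^31 within a single stats interval, and a document carrying such a value would likely be rejected at index time. The template already uses `long` for `trans_id` and `extracted_size`, so `"bytes_recv": { "type": "long" }` (and the same for the other cumulative counters) is the consistent choice. Separately, `ts_delta` under CaptureLoss is mapped as a `not_analyzed` string while the sample record this commit adds carries it as a number (`"ts_delta":15.558178`), and `gaps`, `acks` and `percent_lost` carry an `"index": "not_analyzed"` that no other numeric mapping in the template has. If intervals are deliberately kept as strings, a one-line comment next to `ts_delta` saying that numeric range queries on interval fields are intentionally unsupported would save the next reader from re-deriving it.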
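Review bot: The new `environment:` block in the "Compile and Install bro" task hard-codes `/opt/rh/devtoolset-4/root/usr/bin/g++` and `.../gcc`, and the identical pair is repeated in metron-bro-plugin-kafka.yml; a single role variable such as `devtoolset_bin: /opt/rh/devtoolset-4/root/usr/bin` in roles/bro/vars/main.yml, used as `CXX: "{{ devtoolset_bin }}/g++"`, keeps the Bro build and the plugin build on the same compiler when the SCL version changes. The task is also still guarded by `creates: "{{ bro_home }}/bin/bro"`, so on a host that already has the 2.4.2 binary in place the 2.5.2 compile this commit enables is silently skipped even though `bro_version` changed; either key the guard on a version-specific path or add a comment stating that an in-place upgrade requires removing `{{ bro_home }}` first. The task's command list, and whatever downloads and verifies the source tarball, sit outside this hunk.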
diff --git a/metron-deployment/roles/bro/tasks/dependencies.yml b/metron-deployment/roles/bro/tasks/dependencies.yml
index fa20b71..a74557e 100644
--- a/metron-deployment/roles/bro/tasks/dependencies.yml
+++ b/metron-deployment/roles/bro/tasks/dependencies.yml
@@ -33,6 +33,17 @@
 - perl
 - crontabs
 - net-tools
+ - centos-release-scl
+ register: result
+ until: result.rc == 0
+ retries: 5
+ delay: 10
+
+- name: Install additional prerequisites
+ yum: name={{ item }}
+ with_items:
+ - devtoolset-4-gcc
+ - devtoolset-4-gcc-c++
 register: result
 until: result.rc == 0
 retries: 5
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/roles/bro/tasks/metron-bro-plugin-kafka.yml
----------------------------------------------------------------------
diff --git a/metron-deployment/roles/bro/tasks/metron-bro-plugin-kafka.yml b/metron-deployment/roles/bro/tasks/metron-bro-plugin-kafka.yml
index b6e7b5c..f4575b3 100644
--- a/metron-deployment/roles/bro/tasks/metron-bro-plugin-kafka.yml
+++ b/metron-deployment/roles/bro/tasks/metron-bro-plugin-kafka.yml
@@ -23,6 +23,9 @@
 - name: Compile and install the plugin
 shell: "{{ item }}"
+ environment:
+ CXX: /opt/rh/devtoolset-4/root/usr/bin/g++
+ CC: /opt/rh/devtoolset-4/root/usr/bin/gcc
 args:
 chdir: "/tmp/metron-bro-plugin-kafka"
 creates: "{{ bro_home }}/lib/bro/plugins/BRO_KAFKA"
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/roles/bro/vars/main.yml
----------------------------------------------------------------------
diff --git a/metron-deployment/roles/bro/vars/main.yml b/metron-deployment/roles/bro/vars/main.yml
index 9519807..d99a8ef 100644
--- a/metron-deployment/roles/bro/vars/main.yml
+++ b/metron-deployment/roles/bro/vars/main.yml
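Review bot: Adding `centos-release-scl` to the first task enables an additional yum repository, and the new "Install additional prerequisites" task then pulls `devtoolset-4-gcc` and `devtoolset-4-gcc-c++` from it without pinning a version or recording that signature verification is expected; since this compiler produces the Bro binary that runs on the sensor, that supply-chain widening deserves to be explicit. Ansible's yum module leaves GPG checking on by default, so the open question is whether the repo file dropped by `centos-release-scl` ships with gpgcheck enabled — confirm it and note the result in a comment above the task. Stylistically, passing the list directly (`yum:` / `name: [devtoolset-4-gcc, devtoolset-4-gcc-c++]` / `state: present`) installs both packages in one transaction and makes the intended state visible instead of relying on the module default.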
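Review bot: The `environment:` block added to "Compile and install the plugin" carries no comment explaining why a non-default compiler is forced, and the reason is not obvious from this task alone: the plugin is installed under `{{ bro_home }}/lib/bro/plugins` and is loaded by the Bro binary that bro.yml now builds with the same devtoolset-4 toolchain, so the two must not drift. A line such as `# must match the compiler used for bro in bro.yml; a plugin built against a different C++ ABI may fail to load` above `environment:` records that constraint. Because the same two paths are duplicated in bro.yml, defining them once as a role variable would also keep the builds in lock-step.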
@@ -16,7 +16,7 @@
 #
 ---
 bro_home: /usr/local/bro
-bro_version: 2.4.2
+bro_version: 2.5.2
 bro_daemon_log: /var/log/bro.log
 bro_topic: bro
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed
----------------------------------------------------------------------
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed b/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed
index b1d3102..8db8a5f 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed
@@ -25,3 +25,7 @@ {"bro_timestamp":"1440447766.441298","ip_dst_port":1812,"source.type":"bro","result":"failed","uid":"CqF4zGzBOXFjTWqHh","protocol":"radius","original_string":"RADIUS | result:failed uid:CqF4zGzBOXFjTWqHh id.orig_p:53031 id.resp_p:1812 id.orig_h:127.0.0.1 ts:1440447766.441298 id.resp_h:127.0.0.1 username:steve","ip_dst_addr":"127.0.0.1","ip_src_port":53031,"guid":"b029735a-3e98-45a0-b8da-232967a34085","ip_src_addr":"127.0.0.1","username":"steve","timestamp":1440447766441} {"certificate.key_length":1024,"bro_timestamp":"1216706999.661483","certificate.sig_alg":"sha1WithRSAEncryption","certificate.not_valid_before":1.2138336E9,"certificate.key_type":"rsa","basic_constraints.ca":false,"certificate.key_alg":"rsaEncryption","certificate.exponent":"65537","source.type":"bro","protocol":"x509","original_string":"X509 | certificate.key_length:1024 certificate.sig_alg:sha1WithRSAEncryption certificate.not_valid_before:1213833600.0 certificate.key_type:rsa basic_constraints.ca:false certificate.key_alg:rsaEncryption certificate.exponent:65537 certificate.version:3 certificate.subject:CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553 id:FkYBO41LPAXxh44KFk certificate.not_valid_after:1248134399.0 certificate.serial:6905C4A47CFDBF9DBC98DACE3 8835FB8 certificate.issuer:CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US ts:1216706999.661483","certificate.version":3,"certificate.subject":"CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 
5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553","guid":"578eac04-9024-49ab-828d-e25f01c33c82","id":"FkYBO41LPAXxh44KFk","certificate.not_valid_after":1.248134399E9,"certificate.serial":"6905C4A47CFDBF9DBC98DACE38835FB8","certificate.issuer":"CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US","timestamp":1216706999661} {"bro_timestamp":"1258531221.486539","protocol":"known_devices","original_string":"KNOWN_DEVICES | dhcp_host_name:m57-jo mac:00:0b:db:63:58:a6 ts:1258531221.486539","dhcp_host_name":"m57-jo","guid":"e7a216d8-3623-4dea-af78-01da8c5e0bc5","mac":"00:0b:db:63:58:a6","timestamp":1258531221486,"source.type":"bro"} +{"client_minor_version":"007","bro_timestamp":"1328634261.675248","client_major_version":"003","ip_dst_port":5900,"auth":true,"share_flag":false,"desktop_name":"aneagles@localhost.localdomain","source.type":"bro","authentication_method":"VNC","uid":"CGhHbC1P1kuJYtR4Ul","server_minor_version":"007","protocol":"rfb","original_string":"RFB | client_minor_version:007 id.orig_p:10254 client_major_version:003 auth:true id.resp_p:5900 share_flag:false desktop_name:aneagles@localhost.localdomain authentication_method:VNC uid:CGhHbC1P1kuJYtR4Ul server_minor_version:007 server_major_version:003 width:1280 id.orig_h:192.168.1.10 ts:1328634261.675248 id.resp_h:192.168.1.114 height:800","ip_dst_addr":"192.168.1.114","ip_src_port":10254,"server_major_version":"003","width":1280,"guid":"c2da5c0b-bfaf-4fff-80c4-be6040fdb57d","ip_src_addr":"192.168.1.10","height":800,"timestamp":1328634261675} +{"dns_requests":0,"bro_timestamp":"1328634261.351352","reassem_frag_size":0,"protocol":"stats","original_string":"STATS | dns_requests:0 timers:35 active_udp_conns:0 reassem_frag_size:0 events_proc:392 active_icmp_conns:0 reassem_file_size:0 udp_conns:0 active_timers:32 events_queued:13 mem:55 reassem_tcp_size:0 peer:bro 
pkts_proc:1 icmp_conns:0 active_dns_requests:0 files:0 bytes_recv:62 active_files:0 tcp_conns:1 reassem_unknown_size:0 active_tcp_conns:1 ts:1328634261.351352","mem":55,"reassem_tcp_size":0,"peer":"bro","active_dns_requests":0,"active_files":0,"timestamp":1328634261351,"timers":35,"active_udp_conns":0,"events_proc":392,"active_icmp_conns":0,"reassem_file_size":0,"source.type":"bro","udp_conns":0,"active_timers":32,"events_queued":13,"pkts_proc":1,"icmp_conns":0,"files":0,"guid":"2ba97a72-8446-44ba-ac86-d491fa64a4c7","bytes_recv":62,"tcp_conns":1,"reassem_unknown_size":0,"active_tcp_conns":1} +{"bro_timestamp":"1328634276.90953","protocol":"capture_loss","original_string":"CAPTURE_LOSS | peer:bro acks:710 ts_delta:15.558178 gaps:0 ts:1328634276.90953 percent_lost:0.0","peer":"bro","acks":710,"guid":"1587b0b9-2d85-4808-9aaa-9a19477e8f98","ts_delta":15.558178,"gaps":0,"percent_lost":0.0,"timestamp":1328634276909,"source.type":"bro"} +{"bro_timestamp":"1216698600.338338","method":"REGISTER","ip_dst_port":10000,"request_body_len":0,"response_path":[],"uri":"sip:t.voncp.com:10000","call_id":"7757a70e218b95730dd2daeaac7d20b1@192.168.1.64","source.type":"bro","uid":"Cl2G2m3bdeE8F9I9ei","trans_depth":0,"request_from":"\"16178766111\" <sip:16178766...@t.voncp.com:10000>","protocol":"sip","original_string":"SIP | id.orig_p:1033 method:REGISTER request_body_len:0 id.resp_p:10000 response_path:[] uri:sip:t.voncp.com:10000 call_id:7757a70e218b95730dd2daeaac7d20b1@192.168.1.64 uid:Cl2G2m3bdeE8F9I9ei trans_depth:0 request_from:\"16178766111\" <sip:16178766...@t.voncp.com:10000> request_path:[\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\"] id.orig_h:192.168.1.64 request_to:\"16178766111\" <sip:16178766...@t.voncp.com:10000> seq:1761527957 REGISTER user_agent:VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD\/bcm001DD92 E4F61.xml ts:1216698600.338338 
id.resp_h:69.59.232.120","ip_dst_addr":"69.59.232.120","ip_src_port":1033,"request_path":["SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 192.168.1.64:10000"],"guid":"a4d1d1c2-b55f-46c5-bd41-d741c9926ff1","request_to":"\"16178766111\" <sip:16178766...@t.voncp.com:10000>","ip_src_addr":"192.168.1.64","seq":"1761527957 REGISTER","user_agent":"VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD\/bcm001DD92E4F61.xml","timestamp":1216698600338} http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput ---------------------------------------------------------------------- diff --git a/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput b/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput index 5c88714..e75c6b9 100644 --- a/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput +++ b/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput 
@@ -25,3 +25,7 @@ {"radius": {"ts":1440447766.441298,"uid":"CqF4zGzBOXFjTWqHh","id.orig_h":"127.0.0.1","id.orig_p":53031,"id.resp_h":"127.0.0.1","id.resp_p":1812,"username":"steve","result":"failed"}} {"x509": {"ts":1216706999.661483,"id":"FkYBO41LPAXxh44KFk","certificate.version":3,"certificate.serial":"6905C4A47CFDBF9DBC98DACE38835FB8","certificate.subject":"CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\u005c, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553","certificate.issuer":"CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\u005c, Inc.,C=US","certificate.not_valid_before":1213833600.0,"certificate.not_valid_after":1248134399.0,"certificate.key_alg":"rsaEncryption","certificate.sig_alg":"sha1WithRSAEncryption","certificate.key_type":"rsa","certificate.key_length":1024,"certificate.exponent":"65537","basic_constraints.ca":false}} {"known_devices": {"ts":1258531221.486539,"mac":"00:0b:db:63:58:a6","dhcp_host_name":"m57-jo"}} +{"rfb": {"ts":1328634261.675248,"uid":"CGhHbC1P1kuJYtR4Ul","id.orig_h":"192.168.1.10","id.orig_p":10254,"id.resp_h":"192.168.1.114","id.resp_p":5900,"client_major_version":"003","client_minor_version":"007","server_major_version":"003","server_minor_version":"007","authentication_method":"VNC","auth":true,"share_flag":false,"desktop_name":"aneagles@localhost.localdomain","width":1280,"height":800}} +{"stats": 
{"ts":1328634261.351352,"peer":"bro","mem":55,"pkts_proc":1,"bytes_recv":62,"events_proc":392,"events_queued":13,"active_tcp_conns":1,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":1,"udp_conns":0,"icmp_conns":0,"timers":35,"active_timers":32,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}} +{"capture_loss": {"ts":1328634276.90953,"ts_delta":15.558178,"peer":"bro","gaps":0,"acks":710,"percent_lost":0.0}} +{"sip": {"ts":1216698600.338338,"uid":"Cl2G2m3bdeE8F9I9ei","id.orig_h":"192.168.1.64","id.orig_p":1033,"id.resp_h":"69.59.232.120","id.resp_p":10000,"trans_depth":0,"method":"REGISTER","uri":"sip:t.voncp.com:10000","request_from":"\u002216178766111\u0022 <sip:16178766...@t.voncp.com:10000>","request_to":"\u002216178766111\u0022 <sip:16178766...@t.voncp.com:10000>","call_id":"7757a70e218b95730dd2daeaac7d20b1@192.168.1.64","seq":"1761527957 REGISTER","request_path":["SIP/2.0/UDP 192.168.1.64:10000","SIP/2.0/UDP 192.168.1.64:10000","SIP/2.0/UDP 192.168.1.64:10000","SIP/2.0/UDP 192.168.1.64:10000"],"response_path":[],"user_agent":"VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD/bcm001DD92E4F61.xml","request_body_len":0}} http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bro/BasicBroParserTest.java ---------------------------------------------------------------------- diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bro/BasicBroParserTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bro/BasicBroParserTest.java index aa60d1f..9d716e5 100644 --- a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bro/BasicBroParserTest.java +++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bro/BasicBroParserTest.java 
@@ -1133,6 +1133,232 @@ public class BasicBroParserTest {
 }
 /**
+ * {
+ * "rfb": {
+ * "ts":1328634261.675248,
+ * "uid":"CGhHbC1P1kuJYtR4Ul",
+ * "id.orig_h":"192.168.1.10",
+ * "id.orig_p":10254,
+ * "id.resp_h":"192.168.1.114",
+ * "id.resp_p":5900,
+ * "client_major_version":"003",
+ * "client_minor_version":"007",
+ * "server_major_version":"003",
+ * "server_minor_version":"007",
+ * "authentication_method":"VNC",
+ * "auth":true,
+ * "share_flag":false,
+ * "desktop_name":"aneagles@localhost.localdomain",
+ * "width":1280,
+ * "height":800
+ * }
+ * }
+ */
+ @Multiline
+ public final static String rfbBroMessage;
+
+ @SuppressWarnings("rawtypes")
+ @Test
+ public void testRfbBroMessage() throws ParseException {
+ Map rawMessageMap = (Map) jsonParser.parse(rfbBroMessage);
+ JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next());
+
+ JSONObject broJson = broParser.parse(rfbBroMessage.getBytes()).get(0);
+ String expectedBroTimestamp = "1328634261.675248";
+ Assert.assertEquals(broJson.get("bro_timestamp"), expectedBroTimestamp);
+ String expectedTimestamp = "1328634261675";
+ Assert.assertEquals(broJson.get("timestamp").toString(), expectedTimestamp);
+ Assert.assertTrue(broJson.get("original_string").toString().startsWith(rawMessageMap.keySet().iterator().next().toString().toUpperCase()));
+
+ Assert.assertEquals(broJson.get("uid").toString(), rawJson.get("uid").toString());
+ Assert.assertEquals(broJson.get("ip_src_addr").toString(), rawJson.get("id.orig_h").toString());
+ Assert.assertEquals(broJson.get("ip_dst_addr").toString(), rawJson.get("id.resp_h").toString());
+ Assert.assertEquals(broJson.get("ip_src_port").toString(), rawJson.get("id.orig_p").toString());
+ Assert.assertEquals(broJson.get("ip_dst_port").toString(), rawJson.get("id.resp_p").toString());
+ Assert.assertEquals(broJson.get("client_major_version").toString(), rawJson.get("client_major_version").toString());
+ 
Assert.assertEquals(broJson.get("client_minor_version").toString(), rawJson.get("client_minor_version").toString());
+ Assert.assertEquals(broJson.get("server_major_version").toString(), rawJson.get("server_major_version").toString());
+ Assert.assertEquals(broJson.get("server_minor_version").toString(), rawJson.get("server_minor_version").toString());
+ Assert.assertEquals(broJson.get("authentication_method").toString(), rawJson.get("authentication_method").toString());
+ Assert.assertEquals(broJson.get("auth").toString(), rawJson.get("auth").toString());
+ Assert.assertEquals(broJson.get("share_flag").toString(), rawJson.get("share_flag").toString());
+ Assert.assertEquals(broJson.get("desktop_name").toString(), rawJson.get("desktop_name").toString());
+ Assert.assertEquals(broJson.get("width").toString(), rawJson.get("width").toString());
+ Assert.assertEquals(broJson.get("height").toString(), rawJson.get("height").toString());
+ }
+
+ /**
+ * {
+ * "stats": {
+ * "ts":1440447766.440305
+ * "peer":"bro",
+ * "mem":55,
+ * "pkts_proc":1,
+ * "bytes_recv":119,
+ * "events_proc":392,
+ * "events_queued":15,
+ * "active_tcp_conns":0,
+ * "active_udp_conns":1,
+ * "active_icmp_conns":0,
+ * "tcp_conns":0,
+ * "udp_conns":1,
+ * "icmp_conns":0,
+ * "timers":34,
+ * "active_timers":31,
+ * "files":0,
+ * "active_files":0,
+ * "dns_requests":0,
+ * "active_dns_requests":0,
+ * "reassem_tcp_size":0,
+ * "reassem_file_size":0,
+ * "reassem_frag_size":0,
+ * "reassem_unknown_size":0
+ * }
+ * }
+ */
+ @Multiline
+ public final static String statsBroMessage;
+
+ @SuppressWarnings("rawtypes")
+ @Test
+ public void testStatsBroMessage() throws ParseException {
+ Map rawMessageMap = (Map) jsonParser.parse(statsBroMessage);
+ JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next());
+
+ JSONObject broJson = broParser.parse(statsBroMessage.getBytes()).get(0);
+ String expectedBroTimestamp = "1440447766.440305";
+ 
Assert.assertEquals(broJson.get("bro_timestamp"), expectedBroTimestamp);
+ String expectedTimestamp = "1440447766440";
+ Assert.assertEquals(broJson.get("timestamp").toString(), expectedTimestamp);
+ Assert.assertTrue(broJson.get("original_string").toString().startsWith(rawMessageMap.keySet().iterator().next().toString().toUpperCase()));
+
+ Assert.assertEquals(broJson.get("peer").toString(), rawJson.get("peer").toString());
+ Assert.assertEquals(broJson.get("mem").toString(), rawJson.get("mem").toString());
+ Assert.assertEquals(broJson.get("pkts_proc").toString(), rawJson.get("pkts_proc").toString());
+ Assert.assertEquals(broJson.get("bytes_recv").toString(), rawJson.get("bytes_recv").toString());
+ Assert.assertEquals(broJson.get("events_proc").toString(), rawJson.get("events_proc").toString());
+ Assert.assertEquals(broJson.get("events_queued").toString(), rawJson.get("events_queued").toString());
+ Assert.assertEquals(broJson.get("active_tcp_conns").toString(), rawJson.get("active_tcp_conns").toString());
+ Assert.assertEquals(broJson.get("active_udp_conns").toString(), rawJson.get("active_udp_conns").toString());
+ Assert.assertEquals(broJson.get("active_icmp_conns").toString(), rawJson.get("active_icmp_conns").toString());
+ Assert.assertEquals(broJson.get("tcp_conns").toString(), rawJson.get("tcp_conns").toString());
+ Assert.assertEquals(broJson.get("udp_conns").toString(), rawJson.get("udp_conns").toString());
+ Assert.assertEquals(broJson.get("icmp_conns").toString(), rawJson.get("icmp_conns").toString());
+ Assert.assertEquals(broJson.get("timers").toString(), rawJson.get("timers").toString());
+ Assert.assertEquals(broJson.get("active_timers").toString(), rawJson.get("active_timers").toString());
+ Assert.assertEquals(broJson.get("files").toString(), rawJson.get("files").toString());
+ Assert.assertEquals(broJson.get("active_files").toString(), rawJson.get("active_files").toString());
+ Assert.assertEquals(broJson.get("dns_requests").toString(), 
rawJson.get("dns_requests").toString());
+ Assert.assertEquals(broJson.get("active_dns_requests").toString(), rawJson.get("active_dns_requests").toString());
+ Assert.assertEquals(broJson.get("reassem_tcp_size").toString(), rawJson.get("reassem_tcp_size").toString());
+ Assert.assertEquals(broJson.get("reassem_file_size").toString(), rawJson.get("reassem_file_size").toString());
+ Assert.assertEquals(broJson.get("reassem_frag_size").toString(), rawJson.get("reassem_frag_size").toString());
+ Assert.assertEquals(broJson.get("reassem_unknown_size").toString(), rawJson.get("reassem_unknown_size").toString());
+ }
+
+ /**
+ * {
+ * "capture_loss": {
+ * "ts":1320435958.419451,
+ * "ts_delta":493.659207,
+ * "peer":"bro",
+ * "gaps":2,
+ * "acks":4854,
+ * "percent_lost":0.041203
+ * }
+ * }
+ */
+ @Multiline
+ public final static String captureLossBroMessage;
+
+ @SuppressWarnings("rawtypes")
+ @Test
+ public void testCaptureLossBroMessage() throws ParseException {
+ Map rawMessageMap = (Map) jsonParser.parse(captureLossBroMessage);
+ JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next());
+
+ JSONObject broJson = broParser.parse(captureLossBroMessage.getBytes()).get(0);
+ String expectedBroTimestamp = "1320435958.419451";
+ Assert.assertEquals(broJson.get("bro_timestamp"), expectedBroTimestamp);
+ String expectedTimestamp = "1320435958419";
+ Assert.assertEquals(broJson.get("timestamp").toString(), expectedTimestamp);
+ Assert.assertTrue(broJson.get("original_string").toString().startsWith(rawMessageMap.keySet().iterator().next().toString().toUpperCase()));
+
+ Assert.assertEquals(broJson.get("ts_delta").toString(), rawJson.get("ts_delta").toString());
+ Assert.assertEquals(broJson.get("peer").toString(), rawJson.get("peer").toString());
+ Assert.assertEquals(broJson.get("gaps").toString(), rawJson.get("gaps").toString());
+ Assert.assertEquals(broJson.get("acks").toString(), rawJson.get("acks").toString());
+ 
Assert.assertEquals(broJson.get("percent_lost").toString(), rawJson.get("percent_lost").toString());
+ }
+
+ /**
+ * {
+ * "sip": {
+ * "ts":1216698441.346819,
+ * "uid":"Cf3LPS10DMyCqJMDv9",
+ * "id.orig_h":"192.168.1.64",
+ * "id.orig_p":1032,
+ * "id.resp_h":"216.115.20.143",
+ * "id.resp_p":10000,
+ * "trans_depth":0,
+ * "method":"REGISTER",
+ * "uri":"sip:t.voncp.com:10000",
+ * "request_from":"\\u002216178766111\\u0022 <sip:16178766...@t.voncp.com:10000>",
+ * "request_to":"\\u002216178766111\\u0022 <sip:16178766...@t.voncp.com:10000>",
+ * "response_from":"\\u002216178766111\\u0022 <sip:16178766...@t.voncp.com:10000>",
+ * "response_to":"\\u002216178766111\\u0022 <sip:16178766...@t.voncp.com:10000>",
+ * "call_id":"7757a70e218b95730dd2daeaac7d20b1@192.168.1.64",
+ * "seq":"1761527952 REGISTER",
+ * "request_path":["SIP/2.0/UDP 192.168.1.64:10000"],
+ * "response_path":["SIP/2.0/UDP 192.168.1.64:10000"],
+ * "user_agent":"VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD/bcm001DD92E4F61.xml",
+ * "status_code":200,
+ * "status_msg":"OK",
+ * "request_body_len":0,
+ * "response_body_len":0
+ * }
+ * }
+ */
+ @Multiline
+ public final static String sipBroMessage;
+
+ @SuppressWarnings("rawtypes")
+ @Test
+ public void testSipBroMessage() throws ParseException {
+ Map rawMessageMap = (Map) jsonParser.parse(sipBroMessage);
+ JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next());
+
+ JSONObject broJson = broParser.parse(sipBroMessage.getBytes()).get(0);
+ String expectedBroTimestamp = "1216698441.346819";
+ Assert.assertEquals(broJson.get("bro_timestamp"), expectedBroTimestamp);
+ String expectedTimestamp = "1216698441346";
+ Assert.assertEquals(broJson.get("timestamp").toString(), expectedTimestamp);
+ Assert.assertTrue(broJson.get("original_string").toString().startsWith(rawMessageMap.keySet().iterator().next().toString().toUpperCase()));
+
+ Assert.assertEquals(broJson.get("uid").toString(), rawJson.get("uid").toString());
+ 
Assert.assertEquals(broJson.get("ip_src_addr").toString(), rawJson.get("id.orig_h").toString());
+ Assert.assertEquals(broJson.get("ip_dst_addr").toString(), rawJson.get("id.resp_h").toString());
+ Assert.assertEquals(broJson.get("ip_src_port").toString(), rawJson.get("id.orig_p").toString());
+ Assert.assertEquals(broJson.get("ip_dst_port").toString(), rawJson.get("id.resp_p").toString());
+ Assert.assertEquals(broJson.get("trans_depth").toString(), rawJson.get("trans_depth").toString());
+ Assert.assertEquals(broJson.get("method").toString(), rawJson.get("method").toString());
+ Assert.assertEquals(broJson.get("uri").toString(), rawJson.get("uri").toString());
+ Assert.assertEquals(broJson.get("request_from").toString(), rawJson.get("request_from").toString());
+ Assert.assertEquals(broJson.get("request_to").toString(), rawJson.get("request_to").toString());
+ Assert.assertEquals(broJson.get("response_from").toString(), rawJson.get("response_from").toString());
+ Assert.assertEquals(broJson.get("response_to").toString(), rawJson.get("response_to").toString());
+ Assert.assertEquals(broJson.get("call_id").toString(), rawJson.get("call_id").toString());
+ Assert.assertEquals(broJson.get("seq").toString(), rawJson.get("seq").toString());
+ Assert.assertEquals(broJson.get("request_path").toString(), rawJson.get("request_path").toString());
+ Assert.assertEquals(broJson.get("response_path").toString(), rawJson.get("response_path").toString());
+ Assert.assertEquals(broJson.get("user_agent").toString(), rawJson.get("user_agent").toString());
+ Assert.assertEquals(broJson.get("status_code").toString(), rawJson.get("status_code").toString());
+ Assert.assertEquals(broJson.get("status_msg").toString(), rawJson.get("status_msg").toString());
+ Assert.assertEquals(broJson.get("request_body_len").toString(), rawJson.get("request_body_len").toString());
+ Assert.assertEquals(broJson.get("response_body_len").toString(), rawJson.get("response_body_len").toString());
+ }
+
+ /** 
* { * "ht*tp": { * "ts":1402307733.473,